A massive cyber-attack using software stolen from the US National Security Agency (NSA) has targeted major institutions across the world.
As of 13 May 2017, security experts Avast recorded 75,000 cases across 99 countries. The malware, known as “WannaCry” or “Wanna Decryptor 2.0”, was detected on Friday 12 May and caused dismay by locking computer systems and only unlocking them in exchange for ransom money.
Among the institutions most affected by WannaCry was the UK’s National Health Service (NHS). Around 40 NHS trusts and numerous medical practices were targeted (roughly 1 in 5 NHS organisations), which led to operations being cancelled and to X-rays, medical records and test results becoming inaccessible. According to several reports, Conservative Health Secretary Jeremy Hunt was warned about the threat of cyber attacks last summer, yet NHS computer security systems were not updated accordingly.
According to Graeme Newman, chief innovation officer at CFC Underwriting, the attack could cost UK businesses as much as £100 million. Other large institutions across multiple countries were also infected.
How does WannaCry work and who’s responsible?
The attack itself took place on Friday 12 May, when the malware worm known as WannaCry or Wanna Decryptor 2.0 was sent by email to institutions in countries across the world.
The malware first appeared in a dump of files published on 14 April by a group of hackers calling themselves the Shadow Brokers, who by their own admission stole cyber-hacking tools from the NSA last year.
The malware works by exploiting a vulnerability in Windows systems and then encrypting user data, which essentially freezes a computer system. The hackers promise to unfreeze a system only upon receipt of ransom money, in this case transferred in the Bitcoin cryptocurrency.
In the case of the NHS, some staff took screenshots of WannaCry once it had taken hold of a computer. In return for unlocking infected computers, the hackers demanded a payment of $300 (£230). In some cases, it has been reported that if users failed to transfer the ransom within the allotted time, the requested amount would increase incrementally.
Microsoft released a patch to fix the vulnerability back in March, which was available as a security update. Computers that had not applied the update remained at risk, however, including many Windows XP devices used by NHS staff. According to several reports, UK government officials were aware that systems were vulnerable; updates would have been part of a £5.5 million cyber-security package, yet the government turned it down.
WannaCry around the world
For users affected in other countries, the details of WannaCry’s ransom demand were translated into 28 languages. Reports have come in from across the world, with some suggesting that Russia has seen the most attacks, including on several corporate and state institutions such as banks, the interior and health ministries, a railway firm and a large mobile network provider. Initial reports said that 1,000 computers had been infected, yet no sensitive data was breached.
In Spain, several large companies were targeted, including the telecoms group Telefónica, utility provider Gas Natural and power company Iberdrola. There were also reports of the car manufacturer Renault being hit in France, as well as FedEx in the US, railway ticket machines in Germany, a telecoms company in Portugal, a local authority in Sweden, and university computer labs in Italy and China.
Expert accidentally stops malware spread
A security expert ‘accidentally’ applied the brakes to the spread of the malware on Friday by registering a garbled domain name found within the software.
A UK-based online security researcher working with LA-based company Kryptos Logic, who identified himself as MalwareTech, along with the help of Darien Huss from the security firm Proofpoint, stumbled on a killswitch embedded in the software. The researcher later tweeted that they had not been aware that registering the domain name would bring WannaCry to a halt.
“I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time,” he said.
He added: “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable Windows Update, update and then reboot.”
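The kill-switch behaviour described above, as an added illustration that is not from the article or the researchers involved: a Python sketch of the decision the worm makes (halt if the domain answers, proceed if it does not) and of how a defender can mine resolver logs for hosts that made that lookup, since any machine querying the domain is a candidate infection. The domain name, log format and addresses are constructed placeholders, because the article does not give them.

```python
import re
from collections import defaultdict

# Placeholder: the article does not name the kill-switch domain, so a
# constructed stand-in is used here.
KILLSWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample resolver log lines in a hypothetical format:
# "<timestamp> <client-ip> query <name> -> <answer|NXDOMAIN>".
# The last line models the moment after the domain was registered.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.20.1.15 query update.example.org -> 203.0.113.10
2017-05-12T10:01:09Z 10.20.1.15 query killswitch-placeholder.example -> NXDOMAIN
2017-05-12T10:02:41Z 10.20.3.77 query killswitch-placeholder.example -> NXDOMAIN
2017-05-12T10:05:12Z 10.20.1.15 query killswitch-placeholder.example -> NXDOMAIN
2017-05-12T14:30:00Z 10.20.3.77 query killswitch-placeholder.example -> 198.51.100.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) -> (\S+)$")


def killswitch_check(domain_reachable: bool) -> bool:
    """Mirror of the kill-switch decision as the article describes it:
    the worm halts when the domain answers and proceeds when it does not.
    Returns True when the worm would continue."""
    return not domain_reachable


def triage_dns_log(log_text: str, killswitch: str = KILLSWITCH_DOMAIN) -> dict:
    """Group kill-switch lookups by client and report, per client, how many
    lookups it made, when it was first seen, and whether its most recent
    lookup would have let the worm proceed (i.e. the domain still did not
    resolve at that time)."""
    lookups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore malformed lines rather than aborting triage
        ts, client, name, answer = m.groups()
        if name.lower() == killswitch.lower():
            lookups[client].append((ts, answer != "NXDOMAIN"))
    report = {}
    for client, events in lookups.items():
        report[client] = {
            "lookups": len(events),
            "first_seen": events[0][0],
            "worm_would_proceed": killswitch_check(events[-1][1]),
        }
    return report
```

Hosts that appear in the report at all warrant isolation and patching regardless of the final flag; the flag only says whether the registered domain would have stopped that host's most recent attempt.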