Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. Ransomware is a particularly nasty type of malware that blocks access to a computer or its data and demands money to release it.
This attack was caused by a bug called WanaCrypt0r 2.0 or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.
The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the “payment will be raised” after a certain amount of time. Translations of the ransom message in 28 languages are included.
When a computer is infected, the ransomware typically contacts a central server for the information it needs to activate, and then begins encrypting files on the infected computer with that information. Once all the files are encrypted, it posts a message asking for payment to decrypt the files – and threatens to destroy the information if it doesn’t get paid, often with a timer attached to ramp up the pressure. Most ransomware is spread hidden within Word documents, PDFs and other files normally sent via email, or through a secondary infection on computers already affected by viruses that offer a back door for further attacks.
On May 12 (Friday evening), a cyber-attack ransomware affectedattacks almost 99 countries that may have originated from the theft of “cyber weapons” linked to the US government has hobbled hospitals in England and spread to countries across the world. Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 99 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected. It had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.
Markus Jakobsson, chief scientist with security firm Agari, said that the attack was ‘scattershot’ rather than targeted. “Attacks with language support show a progressive increase of the threat level,” Jakobsson said. Jakobsson said that the concentration of the attack in Russia suggested that the attack originated in Russia. Since the malware spreads by email, the level of penetration in Russia could be a sign that the criminals had access to a large database of Russian email addresses. However, Jakobsson warned that the origin of the attack remains unconfirmed.
Ransomware attacks are on the rise. Security company SonicWall, which studies cyber threats, saw ransomware attacks rise 167 times in 2016 compared to 2015. “Ransomware attacks everyone, but industry verticals that rely on legacy systems are especially vulnerable,” said Dmitriy Ayrapetov, executive director at SonicWall.
A Los Angeles hospital paid $17,000 in bitcoin to ransomware hackers last year, after a cyber-attack locked doctors and nurses out of their computer system for days.
The latest attack hit England’s National Health Service (NHS) locking staff out of their computers and forcing some hospitals to divert patients. Hospitals across Britain were paralyzed after cyber hackers held the NHS to ransom in an unprecedented global attack. Countless operations were cancelled and patients were turned away as 45 NHS organizations and trusts and hundreds of GP surgeries were locked out of their computer systems. NHS staff pleaded with patients to stay away from A&E except in an emergency, and ambulances were diverted away from hospitals struggling to cope, with medics facing a weekend of chaos.
The attacks, which slowed are among the fastest-spreading extortion campaigns on record. Damage in Asia, however, has been limited.
The Russian interior ministry says about 1,000 computers have been affected. Russia worst affected country with government and phone network hit.
Shipping company FedEx also confirmed it was hit by the attack. Nissan’s Sunderland car factory has been hit by a cyber-attack. French carmaker Renault has also been affected.
German railway services and Spanish utility companies also targeted. Ticketing machines and computers at German railway stations have also been affected alongside Spanish companies including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural.
Measures are being put in place to stop the spread of the virus. Though the problem is infamous in the UK for the damage it has done to NHS systems, the effects have focused most specifically on Spain and Russia, according to experts.
“This cyber attack is much larger than just the NHS,” said Travis Farral, director of security strategy for cyber security firm Anomali Labs. “It appears to be a giant campaign that has hit Spain and Russia the hardest.”
Experts say the cyber attack used code developed by the US National Security Agency which was leaked online last month by a mysterious group called the Shadow Brokers.
Data released under the Freedom of Information Act in December suggested 90 percent of NHS trusts are using outdated software Windows XP, which is 15 years old and has been branded ‘obsolete’, leaving systems more vulnerable to attacks.
Malware was made available online on April 14, through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of ‘cyber weapons’ from the National Security Agency (NSA).
BEHIND THE ATTACK
Cybersecurity researchers have found evidence they say could link North Korea with the WannaCry cyber attack that has infected more than 300,000 computers worldwide as global authorities scrambled to prevent hackers from spreading new versions of the virus.
A researcher from South Korea’s Hauri Labs said their own findings matched those of Symantec and Kaspersky Lab, who said that some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.
“It is similar to North Korea’s backdoor malicious codes,” said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea’s hacking capabilities and advises South Korean police and National Intelligence Service.
Both Symantec and Kaspersky said it was too early to tell whether North Korea was involved in the attacks.
Latest evidence also suggests ‘phishing’ emails are unlikely to have caused the global cyber attack that wreaked havoc at dozens of NHS trusts and hit hundreds of thousands of computers in 150 countries.
Security experts have disputed claims that the virus was spread through suspicious emails, saying that computers were vulnerable to the bug regardless of how vigilant users were. They even said that unless IT departments patched the virus and backed up their files they could be hit by the attacks.
Affected NHS trusts were criticized for not adding the patch despite warnings from NHS Digital a month ago that they were vulnerable to a possible attack.
Two-thirds of those caught up in the past week’s global ransomware attack were running Microsoft’s Windows 7 operating system without the latest security updates, a survey for Reuters by security ratings firm BitSight found.
Researchers are struggling to try to find early traces of WannaCry, which remains an active threat in hardest-hit China and Russia, believing that identifying “patient zero” could help catch its criminal authors.
They are having more luck dissecting flaws that limited its spread.
Security experts warn that while computers at more than 300,000 internet addresses were hit by the ransomware strain, further attacks that fix weaknesses in WannaCry will follow that hit larger numbers of users, with more devastating consequences.
“Some organizations just aren’t aware of the risks; some don’t want to risk interrupting important business processes; sometimes they are short-staffed,” said Ziv Mador, vice president of security research at Trustwave’s Israeli SpiderLabs unit.
“There are plenty of reasons people wait to patch and none of them are good,” said Mador, a former long-time security researcher for Microsoft.
WannaCry’s worm-like capacity to infect other computers on the same network with no human intervention appear tailored to Windows 7, said Paul Pratley, head of investigations & incident response at UK consulting firm MWR InfoSecurity.
Data from BitSight covering 160,000 internet-connected computers hit by WannaCry, shows that Windows 7 accounts for 67 percent of infections, although it represents less than half of the global distribution of Windows PC users.
Computers running older versions, such as Windows XP used in Britain’s NHS health system, while individually vulnerable to attack, appear incapable of spreading infections and played a far smaller role in the global attack than initially reported.
In laboratory testing, researchers at MWR and Kyptos say they have found Windows XP crashes before the virus can spread.
Windows 10, the latest version of Microsoft’s flagship operating system franchise, accounts for another 15 percent, while older versions of Windows including 8.1, 8, XP and Vista, account for the remainder, BitSight estimated.
Any organization which heeded strongly worded warnings from Microsoft to urgently install a security patch it labeled “critical” when it was released on March 14 on all computers on their networks are immune, experts agree.
Those hit by WannaCry also failed to heed warnings last year from Microsoft to disable a file sharing feature in Windows known as SMB, which a covert hacker group calling itself Shadow Brokers had claimed was used by NSA intelligence operatives to sneak into Windows PCs.