SAN FRANCISCO — A new strain of ransomware raced across 70 countries Friday, wreaking havoc at the National Health Service in the UK, hobbling one of Spain’s largest telecom companies, and shutting down Russia’s Internal Affairs Ministry in an attack that cybersecurity experts say is only gaining in momentum.
Ransomware is a type of malware that installs itself on a device, such as a computer or smartphone, and then holds the device hostage until a ransom is paid. This particular strain, WannaCry, exploits a vulnerability in Windows that many systems have not yet patched.
WannaCry has so far infected tens of thousands of computers in at least 74 countries, according to cybersecurity companies that are observing its spread across the globe. Among the countries infected are the US, China, Russia, Spain, and the UK.
Cybersecurity expert Ralph Echemendia called WannaCry “the biggest ransomware attack of all time.”
Experts like him have long been warning anyone who would listen about “the big one”: a ransomware attack so effective it would hobble industries across the world. Friday’s attack looks to be just that, as it leverages a vulnerability in Microsoft’s Windows operating system previously discovered by the US’s National Security Agency (NSA). In this case, the attackers leveraged the vulnerability to infect systems and demand a ransom of between $300 and $600 in order to secure their release. Cybersecurity experts say they are still trying to determine who is behind the WannaCry ransomware.
The Windows vulnerability was made public last month, when a group known as the Shadow Brokers released a trove of alleged NSA hacking tools to the public, including those used to hack into systems.
A spokesman for Microsoft did not return an email asking for comment, but Microsoft released a patch for the vulnerability in March. Many organizations, however, appear not to have patched their systems or not to have known about the issue.
“This kind of attack is indiscriminate in its nature, it will attack any machine that is not patched for the particular vulnerability,” said Owen Connelly, VP Services at the IOActive cybersecurity firm. “This appears to be financially motivated, however that doesn’t mean that there aren’t other potential scenarios.”
“This particular vulnerability is part of a group that were leaked/stolen from the NSA,” Connelly said. “If nothing else, this is a salutary lesson in why organizations shouldn’t retain these kind of vulnerabilities with the intention of weaponizing them.”
Other cybersecurity experts were also quick to ask whether the NSA bears some responsibility for developing, and hoarding, vulnerabilities in systems. Like many other government agencies, the NSA develops and researches vulnerabilities, which it can use to launch attacks or conduct cyberespionage campaigns. John Bambenek, threat research manager at the Fidelis Cybersecurity firm, said that “the fact that a vulnerability developed by the NSA was used in this attack shows the dangers that can happen when this knowledge gets out into the wild even after a patch has been developed.”
“Unlike traditional weapons, these tools can be repurposed quickly for devastating criminal attacks. The intelligence community should develop strong procedures that when such tools leak, they immediately give relevant information to software developers and security vendors so protections can be developed before attacks are seen in the wild,” said Bambenek.
Ransomware is one of the fastest-growing types of cyberattacks. Last year, cybersecurity companies estimated that ransomware attacks brought in over a billion dollars for cybercriminal networks globally, and they are on target to make even more in 2017.
While hospitals were not the target of the WannaCry ransomware strain Friday, they were among the most infected, as they often lack budgets to defend their online systems. Once their networks are down, thousands of patients’ lives may be put at risk. Across the UK Friday, doctors reported chaotic situations, with one tweeting that patients would die as a result of the attack.
“This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors,” the NHS said in a statement. “Our focus is on supporting organisations to manage the incident swiftly and decisively.”
Cybersecurity experts said Friday that the WannaCry ransomware shows no signs of slowing down. Preliminary research on the strain shows that it is able to run in 27 languages, and that it likely takes advantage of other vulnerabilities in systems. For now, cybersecurity experts are urging people to download the Microsoft update that patches the vulnerability as soon as possible to make sure their systems are protected.