Cybersecurity expert warns the problem could spiral when people go to work Monday
UK government calls a crisis response committee meeting after attack hit hospitals
A massive global ransomware attack has struck hospitals, companies and government offices around the world, seizing control of affected computers until the victims pay a ransom.
The majority of the attacks targeted Russia, Ukraine and Taiwan. But the National Health Service in the United Kingdom and global firms such as FedEx also reported they had come under assault Friday. Experts suggested Saturday that the ransomware’s progress had been halted, but new attacks could soon follow.
Here are five things to know:
It may not be over yet
Cybersecurity experts have been working around the clock to try to halt the malware attack that is unprecedented in scale.
The ransomware’s progress has been halted by the accidental discovery late Friday of a “kill switch” hidden within the code by a security researcher, said cybersecurity consultant David Kennedy, formerly of the US National Security Agency.
“The software has actually stopped spreading across the world,” he told CNN.
“He actually probably saved lives by accident,” Kennedy said, referring to the security researcher who discovered the kill switch.
The ransomware was designed to repeatedly contact an unregistered domain listed in its code. The security researcher – who uses the Twitter handle @MalwareTechBlog – registered that domain to collect the ransomware traffic for analysis and to track infections.
“Later we found out that the domain was supposed to be unregistered and the malware was counting on this, thus by registering it we inadvertently stopped any subsequent infections,” @MalwareTechBlog told CNNTech. The security researcher has posted an online account of finding the kill switch, which was also posted to the UK government’s National Cyber Security Centre website.
However, a hacker could change the code to remove the domain and try the ransomware attack again.
Also, the kill switch won’t help anyone whose computer was already infected. Individuals and companies still have to decide if they want to pay the ransom or part with their data.
Michael Gazeley, managing director of cybersecurity firm Network Box, told CNN that the danger is far from over and that a company’s security patch on Saturday might not still work by Monday.
“A lot of people are going to go to work on Monday and click on a link in their mail – completely oblivious that all of this is going on or have heard about it and think that it’s over – and suddenly wipe out their whole company,” Gazeley said from Hong Kong.
“IT managers need to be extremely aware that new variants of this ransomware attack are being launched almost hourly, so they can’t just check that their computer systems are protected, then relax, assuming everything will stay that way,” he said.
Cybersecurity firm Avast said it tracked more than 75,000 ransomware attacks in 99 countries Friday.
European police agency Europol said it was working to support countries, saying the malware attack was at an “unprecedented level and requires international investigation.”
How it works
The ransomware, called WannaCrypt or WannaCry, locks down all the files on an infected computer and asks the computer’s administrator to pay to regain control of them. The exploit was leaked last month as part of a trove of US National Security Agency spy tools.
The malware is spread by taking advantage of a Windows vulnerability that Microsoft released a security patch for in March. But computers and networks that didn’t update their systems remained at risk.
Those affected see a message on their computer screens demanding payment in the digital currency bitcoin to restore access. The initial demand was for $300 in bitcoins, but it now has gone up to $600 worth of the currency, Gazeley said. Fortune reported Thursday that the price of bitcoin was at an all-time high.
Mikko Hypponen, chief research officer at cybersecurity company F-Secure in Helsinki, Finland, called it “the biggest ransomware outbreak in history,” according to an online post.
It’s having a real-life impact
The cyberattack affected 16 organizations that are part of the National Health Service on Friday, causing some surgical procedures to be canceled and ambulances diverted. But the NHS said Saturday it does not have any evidence that patient data was breached.
A senior nurse with NHS Lanarkshire in Scotland posted a video on Twitter appealing to members of the public “to stay away from acute hospitals unless it’s an absolute emergency situation” while its IT systems remain affected.
Grant Gowers, 50, from Clacton-on-Sea in southern England, told CNN how the ransomware attack had directly affected him. Doctors told him two weeks ago they needed to schedule a prostate biopsy to determine if he has cancer.
But around 5 p.m. Friday he got a call to say his biopsy had been canceled as a result of the ransomware attack.
“I have built myself up for the last two weeks,” he told CNN. “If I know I have cancer, I could deal with it.”
His procedure is being rescheduled within the next two weeks. But that’s not good enough for Gowers. “I really want to grab the person who done this today and give him a picture of how this is affecting my life,” he said.
The UK government has called a meeting of its crisis response committee, known as Cobra, on Saturday to discuss the situation.
Here’s what you should do
In the wake of the attack, Microsoft said it had taken the “highly unusual step” of releasing a patch for computers running older operating systems, including Windows XP, Windows 8 and Windows Server 2003. Users should download the patch before clicking on any link in email.
Consumers who have up-to-date software are protected from this ransomware. Here’s how to turn automatic updates on.
If your computer has been affected, there’s no guarantee that paying the ransom will restore it, Gazeley said. In past ransomware attacks, some victims have paid, only to find the key they are given doesn’t work, while others have found their files are corrupted and can’t be properly restored, he said.
Managers at many companies and other organizations have not taken steps to put proper cybersecurity systems in place despite talking about their importance, Gazeley said. “Most organizations just keep their heads in the sand,” he said.
Who’s behind the cyberattack?
No one has yet identified the culprit.
“We see all the finger-pointing at the usual suspects, saying it’s probably people in Russia or China, but, to quote Sherlock Holmes, it’s not really a good idea to guess without the evidence,” Gazeley said. Bitcoin is set up to be untraceable, so investigators will struggle to follow a money trail, he said.
Nonetheless, authorities around the world will be seeking to track down those responsible.
“I think these hackers have to recognize that these authorities will come after them with a vengeance,” Gazeley said.
It also may never be known how much the hackers have netted from the ransomware attack. Many firms are unlikely to want to reveal they fell victim to it and whether they paid up.
CNN’s Paul Murphy, Samuel Burke, Selena Larson, Mariano Castillo and Jessica King contributed to this report.