LONDON — As many as 74 countries have been hit by a huge, fast-moving and global ransomware attack that locks computers and demands the digital equivalent of $300 per computer, Kaspersky Lab, a Russian-based cybersecurity company, said Friday.
The infections have disabled more than a dozen hospitals in the United Kingdom, Spain's largest telecom company and universities in Italy, as well as some FedEx computers. Ransomware encrypts the files on a computer or network and demands payment, typically in Bitcoin or another hard-to-trace digital currency, before the criminals will unlock the files.
Infected computers showed a screen giving the user three days to pay the ransom. After that, the price would be doubled. After seven days the files would be deleted, it threatened.
In Spain, the largest telecommunications company reportedly would have had to pay close to $550,000 to unlock all the encrypted computers hit on its network.
The ransomware code is named WanaCrypt and has been in use by criminals since at least February. It is available in at least 28 languages, including Bulgarian and Vietnamese, according to Avast, a Czech security company that is following the fast-moving attack.
However, a new variant dubbed WannaCry was created that makes use of a vulnerability in the Windows operating system that was patched by Microsoft on March 14. Computers that have not installed the patch are potentially vulnerable to the malicious code, according to a Kaspersky Lab blog post on Friday.
First appearance early Friday, dormant for weeks?
The attack seems to have first appeared around 2 am ET on Friday in Europe, said Kurt Baumgartner, a principal security researcher with Kaspersky Lab in Moscow.
"It's very well-written code and there is no easy way to crack the encrypted files once they're infected," he said.
The breadth of the attack seems to indicate that the software had been spreading around the globe possibly for weeks but lay dormant when first introduced into a network, said Sean Dillon, a senior security analyst with RiskSense Inc.
“Then the kill switch was pulled and everything went live. You can’t just infect that many computers in a single day,” he said.
The ransomware is believed to be linked to an exploit, which is computer code that takes advantage of a computer vulnerability, known to have been used by the Equation Group, which many in the security world believe is connected to the National Security Agency (NSA).
That exploit was one of many hacking tools stolen from the NSA and published online by a group that called itself the Shadow Brokers on April 14, according to Avast. That group has been leaking pieces of more than a gigabyte worth of older NSA software weapons since August.
Avast had recorded more than 50,000 attacks globally as of Friday afternoon, spread across dozens of countries. Russia's Interior Ministry said Friday it had come under cyberattack.
Exactly who is behind the attack is unknown.
Kaspersky's Baumgartner did note that although the ransomware was able to offer "how to pay" documents in dozens of languages, the only language whose writing was perfect was Russian, with the others showing distinct signs that a non-native speaker had written them. "The English is very good, but there are a couple of quirks that would lead me to believe it wasn't written by a native English speaker," he said.
Also unknown is whether there are multiple coordinated attacks underway. It's also possible that the code was released once and is now working its way around the globe.
It is moving so quickly in part because the code contains a so-called "spreader" component, built on the exploit, that lets it propagate on its own from one infected machine to others.
While the full code has not yet been studied, it is possible that each network would only need to be infected once, via a phishing attack in which a user unwittingly opened an email attachment or clicked a link carrying the malicious code.
As Dillon noted above, it's very likely the code was introduced into networks but didn't do anything until instructed to by whoever was behind it.
That code might then be able to exploit vulnerabilities in the computer’s code to spread across any network it was a part of, said Philip Reitinger, president of the non-profit Global Cyber Alliance.
Sometimes called a “wormable” vulnerability, it is considered very serious because of the speed at which worms can infect and jump from system to system, he said.
Any network with an unpatched Windows 10 machine exposed to the internet would be vulnerable, and Dillon estimates there may be as many as 2 million such machines.
“Once they’re on those machines, they’re past the firewalls, and from there they can just spread the infection,” he said.
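The article's practical point is that the worm only gains a foothold on Windows machines missing the security update Microsoft shipped on March 14. The following triage script is an added example, not code from the article or from any of the researchers quoted; it is typed into PowerShell on the Windows host being checked. It assumes (the article does not name either) that the relevant Microsoft bulletin is MS17-010 and that the per-OS KB numbers listed are the ones that bulletin shipped; both are labelled as assumptions in the code.

```powershell
# Added triage script (not from the article): has this Windows host received the
# March 14, 2017 Windows security update the article refers to?
#
# ASSUMPTIONS not stated in the article:
#   - the relevant Microsoft bulletin is MS17-010;
#   - the KB numbers below are the per-OS updates that bulletin shipped on 2017-03-14.
# Later cumulative updates supersede these KBs, so "not found" means "go and verify
# in Windows Update history", not proof that the host is exposed.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

# The date the article gives for Microsoft's patch.
$cutoff   = Get-Date '2017-03-14'
$hotfixes = Get-HotFix

# Exact match on a known MS17-010 KB is the strongest signal.
$matched = $hotfixes | Where-Object { $Ms17010Kbs -contains $_.HotFixID }

# Coarser signal: anything at all installed since the patch date (InstalledOn can be
# null for some entries, so guard against it before comparing).
$recent  = $hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff }

if ($matched) {
    "OK: MS17-010 update present: $($matched.HotFixID -join ', ')"
}
elseif ($recent) {
    "CHECK: no MS17-010 KB found, but $($recent.Count) update(s) installed since " +
    "$($cutoff.ToShortDateString()); a later cumulative update may supersede it. " +
    "Confirm in Windows Update history before trusting this host on the network."
}
else {
    "EXPOSED: no Windows updates installed since $($cutoff.ToShortDateString()); " +
    "patch (or isolate) before reconnecting."
}
```

Run it in an elevated PowerShell session; Get-HotFix reads the same update inventory the Windows Update history shows. On a fleet, the same logic can be run remotely via `Get-HotFix -ComputerName` and the three verdicts collected into a single report, which is the quickest way to find the unpatched hosts that a worm of this kind would reach first.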
Services in London, the central city of Nottingham, and the counties of Hertfordshire and Cumbria were affected, according to the BBC. The National Health Service (NHS) said 16 of its organizations reported they were victims.
The hackers behind the ransomware attack were demanding $300 worth of the online currency Bitcoin to release files from encryption, the Mirror and Telegraph reported.
No evidence 'patient data has been accessed'
In a statement, the NHS said: "A number of NHS organizations have reported to NHS Digital that they have been affected by a ransomware attack which is affecting a number of different organizations. The investigation is at an early stage but we believe the malware variant is Wanna Decryptor."
"At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organizations to confirm this."
The NHS said the attack was not specifically targeted at the NHS and was affecting other organizations. It said it was working to resolve the problem.
Wanna Decryptor is ransomware: its operators encrypt victims' files and demand payment to restore access to them.
NHS Merseyside, which operates a number of hospitals in northwestern England, tweeted, “we are taking all precautionary measures possible to protect our local NHS systems and services.” The NHS Merseyside website was down Friday afternoon local time.
East and North Hertfordshire NHS Trust, which runs four hospitals north of London, said in a statement: "Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust’s telephone system is not able to accept incoming calls.”
It said it was postponing all non-urgent work and asked people not to come to the accident and emergency unit.
Doctors at some surgeries were forced to use pen and paper to record patient details following the attack.
John Caldwell, a doctor in Liverpool, told the Guardian he had “no access to record systems or results."
Chris Mimnagh, another doctor in Liverpool, told the Guardian: “Unable to access our clinical system – as a precaution our area has severed links to the wider NHS, which means no access to our national systems, no computers means no records, no prescriptions, no results. We are dealing with urgent problems only. Our patients are being very understanding so far.”
NHS Million, a campaign which supports NHS staff and is separate from the NHS, tweeted: "We just don't understand the mentality of some people. The only people suffering are people that need emergency care. #nhscyberattack"