Europol: Global Cyberattack Affects 150 Countries
May 15, 2017
A cyberattack that has already taken over computers in 150
countries could spread further Monday, as people return for the
start of a new work week and use computers that may not have
been updated with a security patch.
Europe's police agency Europol said Sunday the attack had
already affected at least 100,000 organizations in 150
countries, with data networks infected by malware that locks
computer files unless a ransom is paid.
"I'm worried about how the numbers will continue to grow when
people go to work and turn on their machines on Monday," Europol
director Rob Wainwright told Britain's ITV television.
So far there has been no progress reported in efforts to
determine who launched the plot.
Computer security experts have assured individual computer users
who have kept their operating systems updated that they are
relatively safe, but urged companies and governments to make
sure they apply security patches or upgrade to newer systems.
They advised those whose networks have been effectively shut
down by the ransomware attack not to make the payment demanded —
the equivalent of $300, paid in the digital currency bitcoin,
delivered to a likely untraceable destination that consists
merely of a lengthy string of letters and numbers.
However, the authors of the "WannaCry" ransomware attack told
their victims the amount they must pay would double if they did
not comply within three days of the original infection — by
Monday, in most cases. And the hackers warned that they would
delete all files on infected systems if no payment was received
within seven days.
Avast, an international security software firm that claims it
has 400 million users worldwide, said the ransomware attacks
rose rapidly Saturday to a peak of 57,000 detected intrusions.
Avast, which was founded in 1988 by two Czech researchers, said
the largest number of attacks appeared to be aimed at Russia,
Ukraine and Taiwan, but that major institutions in many other
countries were affected.
'Kill switch' found
Computer security experts said the current attack could have
been much worse but for the quick action of a young researcher
in Britain who discovered a vulnerability in the ransomware
itself, known as WanaCryptor 2.0.
The researcher, identified only as "MalwareTech," found a "kill
switch" within the ransomware as he studied its structure.
The "kill" function halted WanaCryptor's ability to copy itself
rapidly to all terminals in an infected system — hastening its
crippling effect on a large network — once it was in contact
with a secret internet address, or URL, consisting of a lengthy
The "kill" function had not been activated by whoever unleashed
the ransomware, and the researcher found that the secret URL had
not been registered to anyone by international internet
administrators. He immediately claimed the URL for himself,
spending about $11 to secure his access, and that greatly slowed
the pace of infections in Britain.
Experts cautioned, however, that the criminals who pushed the
ransomware to the world might be able to disable the "kill"
switch in future versions of their malware, and that new
versions were already emerging.
Hackers' key tool
WanaCryptor 2.0 is only part of the problem. It spread to so
many computers so rapidly by using an exploit — software capable
of burrowing unseen into Windows computer operating systems.
The exploit, known as "EternalBlue" or "MS17-010," took
advantage of a vulnerability in the Microsoft software that
reportedly had been discovered and developed by the U.S.
National Security Agency, which used it for surveillance
NSA does not discuss its capabilities, and some computer experts
say the MS17-010 exploit was developed by unknown parties using
the name Equation Group (which may also be linked to NSA).
Whatever its source, it was published on the internet last month
by a hacker group called ShadowBrokers.
Microsoft distributed a patch for the software vulnerability two
months ago, but not all computer users and networks worldwide
had yet made that update, and thus were highly vulnerable. And
many computer networks, particularly those in less-developed
parts of the world, still use an older version of Microsoft
software, Windows XP. The company did issue a patch for Windows
XP, but has otherwise largely stopped issuing updates for the
The Finnish computer security firm F-Secure called the problem
spreading around the world "the biggest ransomware outbreak in
history." The firm said it had warned about the exponential
growth of ransomware, or crimeware, as well as the dangers of
sophisticated surveillance tools used by governments.
Lesson: Update programs
With WanaCryptor and MS17-010 both "unleashed into the wild,"
F-Secure said the current problem seems to have combined and
magnified the worst of the dangers those programs represent.
The security firm Kaspersky Lab, based in Russia, noted that
Microsoft had repaired the software problem that allows backdoor
entry into its operating systems weeks before hackers published
the exploit linked to the NSA, but also said: "Unfortunately it
appears that many users have not yet installed the patch."
Britain's National Health Service first sounded the ransomware
The government held an emergency meeting Saturday of its crisis
response committee, known as COBRA, to assess the damage. Late
in the day, Home Secretary Amber Rudd said the NHS was again
"working as normal," with 97 percent of the system's components
now fully restored.
Spanish firm Telefonica, French automaker Renault, the
U.S.-based delivery service FedEx and the German railway
Deutsche Bahn were among those affected.
None of the firms targeted indicated whether they had paid or
would pay the hackers ransom.