Worldwide Cyberattack Spreads Further in Second Day
May 15, 2017
A cyberattack against tens of thousands of data networks in scores of
countries, all infected by malware that locks computer files unless a
ransom is paid, spread further in its second day Saturday, with no
progress reported in efforts to determine who launched the plot.
Computer security experts assured individual computer users who have
kept their PC operating systems updated that they are relatively safe.
They advised those whose networks have been effectively shut down by the
ransomware attack not to make the payment demanded — the equivalent of
$300, paid in the digital currency bitcoin, delivered to a likely
untraceable destination that consists merely of a lengthy string of
letters and numbers.
However, the authors of the "WannaCry" ransomware attack told their
victims the amount they must pay would double if they did not comply
within three days of the original infection — by Monday, in most cases.
And the hackers warned that they would delete all files on infected
systems if no payment was received within seven days.
Avast, an international security software firm that claims it has 400
million users worldwide, said the ransomware attacks rose rapidly
Saturday to a peak of 57,000 detected intrusions. Avast, which was
founded in 1988 by two Czech researchers, said the largest number of
attacks appeared to be aimed at Russia, Ukraine and Taiwan, but that
major institutions in many other countries were affected.
'Kill switch' found
Computer security experts said the current attack could have been much
worse but for the quick action of a young researcher in Britain who
discovered a vulnerability in the ransomware itself, known as
The researcher, identified only as "MalwareTech," found a "kill switch"
within the ransomware as he studied its structure.
The "kill" function halted WanaCryptor's ability to copy itself rapidly
to all terminals in an infected system — hastening its crippling effect
on a large network — once it was in contact with a secret internet
address, or URL, consisting of a lengthy alphanumeric string.
The "kill" function had not been activated by whoever unleashed the
ransomware, and the researcher found that the secret URL had not been
registered to anyone by international internet administrators. He
immediately claimed the URL for himself, spending about $11 to secure
his access, and that greatly slowed the pace of infections in Britain.
Experts cautioned, however, that the criminals who pushed the ransomware
to the world might be able to disable the "kill" switch in future
versions of their malware.
Hackers' key tool
WanaCryptor 2.0 is only part of the problem. It spread to so many
computers so rapidly by using an exploit — software capable of burrowing
unseen into Windows computer operating systems.
The exploit, known as "EternalBlue" or "MS17-010," took advantage of a
vulnerability in the Microsoft software that reportedly had been
discovered and developed by the U.S. National Security Agency, which
used it for surveillance activities.
NSA does not discuss its capabilities, and some computer experts say the
MS17-010 exploit was developed by unknown parties using the name
Equation Group (which may also be linked to NSA). Whatever its source,
it was published on the internet last month by a hacker group called
Microsoft distributed a "fix" for the software vulnerability two months
ago, but not all computer users and networks worldwide had yet made that
update and thus were highly vulnerable. And many computer networks,
particularly those in less developed parts of the world, still use an
older version of Microsoft software, Windows XP, that the company no
The Finnish computer security firm F-Secure called the problem spreading
around the world "the biggest ransomware outbreak in history." The firm
said it had warned about the exponential growth of ransomware, or
crimeware, as well as the dangers of sophisticated surveillance tools
used by governments.
Lesson: Update programs
With WanaCryptor and MS17-010 both "unleashed into the wild," F-Secure
said the current problem seems to have combined and magnified the worst
of the dangers those programs represent.
Security firm Kaspersky Lab, based in Russia, noted that Microsoft had
repaired the software problem that allows backdoor entry into its
operating systems weeks before hackers published the exploit linked to
the NSA, but also said: "Unfortunately it appears that many users have
not yet installed the patch."
Britain's National Health Services first sounded the ransomware alarm
The government held an emergency meeting Saturday of its crisis response
committee, known as COBRA, to assess the damage. Late in the day, Home
Secretary Amber Rudd said the NHS was again "working as normal," with 97
percent of the system's components now fully restored.
Spanish firm Telefonica, French automaker Renault, the U.S.-based
delivery service FedEx and the German railway Deutsche Bahn were among
None of the firms targeted indicated whether they had paid or would pay
the hackers ransom.