An infected NHS computer in the U.K.
Cybersecurity experts are warning that the devastating global ransomware attack, which has disabled some 200,000 computers in more than 150 countries since Friday, may resume and get worse when workers return to their computers on Monday. Though that attack, which caused the worst ransomware infection in history, has been halted, the remaining concern is that there are many computer systems, particularly in Asia, that were already infected by the “WannaCry” malware but won’t be discovered until workers return to their jobs. In addition, copycat variants of the original ransomware used in the attack are being released, raising the likelihood that a second wave of crippling attacks may yet be in store over the coming week. Europol, the European Union’s crime-fighting agency, says it expects the number of victims to grow.
Here in the U.S., the New York Times reports that the White House’s top security officials held a meeting over the weekend to assess the possible threat to American institutions and agencies. The U.S. was mostly spared by the ransomware plague on Friday, but that could change this week if new attacks are launched.
Though an international criminal investigation is underway, it is still not clear who perpetrated Friday’s attack, which seems to have started with people being sent encrypted email attachments containing malware that, when opened, exploited a flaw in older versions of the Microsoft Windows operating system. WannaCry would then infect the computer and other vulnerable computers connected to the same network, encrypting their files before demanding a ransom of $300 in bitcoin in exchange for the decryption key. Once a computer was infected, users had essentially no recourse but to pay to decrypt their files. All told, it’s possible the ransomware netted cybercriminals tens of millions of dollars before it was shut down. It even supported 28 languages to ensure computer users around the globe would be able to read and obey its ransom note, and researchers are still trying to determine how it was able to spread so quickly.
WannaCry incorporated a cyberweapon developed by the NSA to take advantage of the Windows exploit. The surveillance toolkit containing information about the exploit was stolen from the NSA by hackers who then leaked it, along with many other exploits, in a data dump last month. The identities and motives of the hacker group behind the leak, the Shadow Brokers, are not clear — nor is it known if its members had a role in developing WannaCry.
Microsoft patched the targeted exploit in a security update released in March, but any un-updated Windows computers with operating systems older than version ten were still vulnerable. In addition, Microsoft issued an unprecedented emergency patch on Friday night for three versions of its operating system that it no longer supports, including Windows XP, the once-ubiquitous OS that is still running on many computers around the world, including some that aren’t so easy to update.
Europe and Asia took the brunt of Friday’s ransomware attack. Particularly hard hit was the U.K.’s National Health Service, where disabled computers at nearly 50 hospitals and other medical facilities meant that doctors could not access patient files, forcing some hospitals to divert incoming emergency-room patients. Some aftereffects of the infection are expected to continue on Monday as the country’s health-care system works to recover. A political firestorm is likely to brew in response to the attack there as well, with conservative infrastructure spending cuts already being blamed for the NHS’s outdated, or at least un-updated, computer systems.
Elsewhere, Russia may have suffered the most overall attacks — including 1,000 computers at the country’s Interior Ministry, as well as banks, mobile-phone companies, and railroads. India, Ukraine, and Taiwan were also hard hit, as were institutions and companies in numerous countries, including FedEx, the German Deutsche Bahn rail system, the Spanish telecom Telefónica, the French carmaker Renault, and many others.
Ultimately, Friday’s ransomware attack would have undoubtedly been worse had it not been for the efforts of a 22-year-old cybersecurity researcher in the U.K. who goes by the moniker MalwareTech. On Friday, while going through WannaCry’s code, he discovered and inadvertently triggered what seems to have been a kill-switch built into WannaCry by its developers. That shut the malware down and stopped its spread, but the fix is only a temporary one. The flipped kill-switch doesn’t help already infected and encrypted computers, and WannaCry’s developers — or any other ransomware developer — can start a new attack by sending out a new version of the malware with the kill-switch removed. Thus, un-updated Windows computers remain highly vulnerable, and with the risk still great, cybersecurity professionals like MalwareTech are busy warning the masses.