
The Journal Gazette

Associated Press: This image provided by the Twitter page of @fendifille shows a computer at Greater Preston CCG as Britain's National Health Service is investigating “an issue with IT” on Friday after hackers locked out computers worldwide.

Saturday, May 13, 2017 1:00 am

Hackers hit computers across globe

Software flaw disables thousands of machines for ransom

Washington Post

Hackers unleashed an attack that disabled computers in dozens of nations Friday using a software flaw that once was part of the National Security Agency's surveillance tool kit.

The resulting wave of online chaos affected tens of thousands of machines worldwide, snarling operations at the Russian Interior Ministry, Spanish telecommunications giant Telefónica and Britain's National Health Service, where hospitals were hobbled and medical procedures interrupted.

Europe, Latin America and parts of Asia were hit hard, although in the United States, FedEx also reported falling prey to the malware. The attack was the latest in a growing menace of “ransomware,” in which hackers deliver files to computers that automatically encrypt their data, making it unusable – until a ransom is paid.

“This is not targeted at the NHS,” British Prime Minister Theresa May told reporters. “It's an international attack, and a number of countries and organizations have been affected.”

The hack renewed a long-running debate about the dangers of intelligence agencies such as the NSA collecting and using software flaws for espionage, rather than quickly alerting companies to vulnerabilities so they can fix them.

In this case, the NSA found a flaw in Microsoft software that made the hack possible. The agency reported the flaw to the company after a security breach was discovered in August, according to former U.S. officials speaking on the condition of anonymity due to the sensitivity of the topic.

Microsoft fixed the problem in a patch it released in March, before a group calling itself the “Shadow Brokers” released the NSA tools online in April.

But system administrators appear to have applied the patch inconsistently, leaving some computers vulnerable. The vulnerability gave the hackers what amounted to a lock pick to the Microsoft software on computers that did not receive the update from the company or that used outdated operating systems.

It was not clear who was behind the campaign, which, experts said, was the first known time a hacker group used the NSA tools released by the Shadow Brokers to conduct a large-scale hack.

“These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies but by hackers and criminals around the world,” the American Civil Liberties Union, an NSA critic, said in a statement.

The NSA did not respond to requests for comment, but some experts expressed sympathy for the agency because it had warned Microsoft about the problem.

Peter Eckersley, technology projects director for the Electronic Frontier Foundation, a San Francisco-based civil liberties group that has sharply criticized the NSA for its aggressive surveillance, said: “In this instance, it's a little unfair to blame the NSA. They could have been following the best possible defensive practices, and this probably would have gone down the same way.”

The speed and scale of the malware spread startled experts.

“It's one of the first times we've seen a large international global campaign,” said Chris Camacho, chief strategy officer for Flashpoint, a cyber-intelligence company. “It's pretty shocking. This morning people woke up thinking it was only in Europe. Now it's hitting countries around the world. It's global.”

Cybersecurity experts said that the malware arrived through “phishing” attacks in which recipients of emails were tricked into opening phony links. Once one computer in a system was infected, the malware spread to other machines on the same network. In some cases, the malware was delivered in spam emails.

The ransomware spread so quickly because it was delivered by a special digital code developed by the NSA to move from one unpatched computer to another, security experts said. They warned that the malware now could move from large networks to individual users.

“This could be the very first instance of the use of a 'ransom worm,' ” Camacho said, coining a term that refers to a ransomware file that spreads across networks.

The program, called “Wanna Decrypt0r 2.0,” appears to support 28 languages, underscoring the global ambitions of its creators, cybersecurity experts said.

In a statement Friday, Microsoft said it had taken further steps to protect systems against the malware.

The program locks computers and then launches a ransom note in a text file, according to researchers at the Avast security software company in the Czech Republic. The note says that “you need to pay service fees for the decryption” and asks for $300 worth of bitcoin, a digital currency that is difficult to track, to be sent electronically to an address. It was not clear who would receive the funds.