The Journal Gazette

Sunday, May 14, 2017 1:00 am

100 countries taking stock day after ransomware hit

Washington Post

Officials in nearly 100 countries raced Saturday to contain one of the biggest cybersecurity attacks in recent history, as British doctors were forced to cancel operations, Chinese students were blocked from accessing their graduation theses, and passengers at train stations in Germany were greeted by hacked arrival and departure screens.

Companies and organizations around the world potentially faced substantial costs after hackers threatened to keep computers disabled unless victims paid $300 or more in ransom, the latest and most brazen in a type of cyberattack known as “ransomware.”

The malware hit Britain's beloved but creaky National Health Service particularly hard, causing widespread disruptions and interrupting medical procedures across hospitals in England and Scotland. The government said that 48 of the NHS' 248 organizations were affected, but by Saturday evening all but six were back to normal.

When asked if the British government paid any ransom in this situation, a Downing Street spokesman said that it had not. Amber Rudd, Britain's home secretary, also advised against others paying ransom.

In Germany, people posted pictures on social media of scheduling screens at train stations displaying the ransomware message. Deutsche Bahn, Germany's national railway service, tweeted that its train service had not been compromised and that it was working full speed to solve the problems, according to DPA news agency.

Other targets in Europe included Telefónica, the Spanish telecom giant; the French carmaker Renault; and a local authority in Sweden, which said about 70 computers were infected.

“We're not able to tell you who is behind that attack. That work is still ongoing,” Rudd told the BBC. She said that it has affected “up to 100 countries” and that it wasn't specifically targeted at Britain's NHS.

The attack was notable because it took advantage of a security flaw in Microsoft software found by the National Security Agency for its surveillance tool kit. Files detailing the capability were leaked online last month, though after Microsoft, alerted by the NSA to the vulnerability, had sent updates to computers to patch the hole.

Still, countless systems were left vulnerable, either because system administrators failed to apply the patch or because they used outdated software.

It was a jarring reminder of a stubborn reality facing security experts: Companies and other organizations collectively spent $73 billion on cybersecurity measures in 2016, according to the research firm IDC. Yet systems around the world were crippled by human error – failure to do software updates and employees clicking on email attachments that contained the malware.

“This was a completely preventable attack – to the extent that organizations have comprehensive patching systems in place,” said Paul Lipman, chief executive of the cybersecurity firm BullGuard.

On Friday, Microsoft released security updates to Windows and guidelines for consumers and businesses to protect themselves.

It's possible that the malware didn't spread further because of the enterprising work of a 22-year-old British cybersecurity researcher.

The researcher, whose Twitter handle is @MalwareTechBlog, realized the hackers had designed a “kill switch,” which involved a domain name that enabled them to stop the attack from spreading if the victims paid the ransoms. The researcher bought the domain name of the kill switch, and when the site went live, the attack stopped spreading.

The move didn't help organizations that were already impacted by the attack, but experts said that it limited the spread of the virus. The researcher, however, warned in a blog post that the hackers could alter the code and try again.