Extortionists Mount Global Hacking Attack Seeking Ransom

Updated on
  • ‘Major cyber attack’ against U.K’s National Health Service
  • Ransomware breach also targets Spanish, Russian companies

Extortionists Mount Global Cyber Attack With 'Ransomware'

Extortionist hackers who may be using leaked computer exploits from the U.S. National Security Agency infiltrated computers in dozens of countries in a fast-spreading attack that forced British hospitals to turn away patients and breached systems at Spain’s Telefonica SA and organizations from Russia to Taiwan.

The ransomware used in Friday’s cyber-attacks encrypts files and demands that victims pay $300 in bitcoin for them to be decrypted, the latest in a vexing style of security breaches that, at the very least, forces organizations to revert to backup systems to keep critical systems running. The malicious software has infected more than 75,000 computers in 99 countries worldwide on Friday, most of them concentrated in Russia, Ukraine and Taiwan, according to Dutch cybersecurity company Avast Software BV.

The attackers were exploiting a vulnerability in Microsoft Corp. software that was patched in March, according to cybersecurity researchers. Attack code targeting that vulnerability was released publicly by Shadow Brokers, a group that has been leaking stolen hacking tools purportedly from the NSA. That connection has given critics of U.S. hacking ammunition for their argument that governments finding flaws in commercial technologies and keeping them secret for the purpose of exploiting them can carry a public risk.

‘Past Time’

“These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world,” said Patrick Toomey, a staff attorney at the American Civil Liberties Union’s National Security Project. “It is past time for Congress to enhance cybersecurity by passing a law that requires the government to disclose vulnerabilities to companies in a timely manner. Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”

While the victim tally is likely to grow, the ransomware, called WanaCrypt0r, only affects computers that haven’t applied Microsoft’s two-month-old fix, a reminder that individuals and organizations that don’t routinely update their machines are vulnerable. Hospitals are notoriously slow in applying security fixes, in part because of how disruptive it is to take patient-facing equipment and databases offline. That has made them a reliable target of ransomware and identity-theft attacks, and why they routinely fall victim even to random mass attacks.

Hospital Warnings

In the U.K. on Friday, hospitals urged people with non-emergency conditions to stay away after the cyber-attack affected large parts of the country’s National Health Service. Forty-five NHS organizations were hit, while a large number of Spanish companies were also attacked using ransomware.

“We’re not able to tell who’s behind the attack,” Home Secretary Amber Rudd told the BBC on Saturday. “It’s not targeted at the NHS -- it feels random in terms of where it’s happened.” She said she’d been told there was no evidence of patient data being stolen, and said the hack was partly the result of people using outdated operating systems. “Windows XP is not a good platform for keeping your data secure,” she said.

Hospitals in London, North West England and Central England have all been affected, according to the BBC. Mid-Essex Clinical Commissioning Group, which runs hospitals and ambulances in an area east of London, said on Twitter that it had “an IT issue affecting some NHS computer systems,” adding “Please do not attend Accident And Emergency unless it’s an emergency!”

The impact on services is not due to the ransomware itself, but due to NHS Trusts shutting systems to prevent it from spreading, said Brian Lord, a former deputy director of Government Communications Headquarters (GCHQ), the U.K.’s signals intelligence agency, who is now managing director of cybersecurity firm PGI Cyber. Lord, who described an attack of this type as "inevitable," said the impact was exacerbated because most NHS Trusts had "a poor understanding of network configuration meaning everything has to shut down."

Ransom Message

A screen-shot of an apparent ransom message, sent to a hospital, showed a demand for $300 in bitcoin for files that had been encrypted to be decrypted.

Workers across the NHS have since been sent emails from the health service’s IT teams warning not to open or click on suspicious attachments or links.

Spain’s National Cryptologic Center, which is part of the country’s intelligence agency, said on its website that there had been a “massive ransomware attack” against a big number of Spanish organizations affecting Microsoft’s Windows operating system. El Mundo reported that the attackers sought a ransom in bitcoin.

“Today many of our customers around the world and the critical systems they depend on were victims of malicious ‘WannaCrypt’ software,” Phillip Misner, principal security group manager at Microsoft’s Security Response Center, said in a statement on the company’s website. “Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful.”

Misner said the company took the “highly unusual step” of releasing free security patches for unsupported out-of-date operating systems, including Windows XP and Windows Server 2003.

While Friday’s attack could damage the reputation of Microsoft’s security, it’s likely to be limited, said Sid Parakh, a fund manager at Becker Capital Management, which owns Microsoft stock. There have been so many high-profile hacks that if a fix is available, it’s the user’s responsibility to download it, he said.

“Every time this happens it hurts the underlying product’s reputation,” Parakh said. But Microsoft has “been in a worse state in the past.”

Unsuspecting Victims

Ransomware typically gets onto a computer when a person unsuspectingly downloads a file that looks like a normal attachment or web link. A hacker can then trigger the malware to freeze the computer, prompting a person to pay a ransom or lose all their files.

Hospitals have been a common target because the culprits know how critical digital records are for treating patients. There have been several incidents in the U.S., including one in Indiana where a hospital’s IT system was taken down and patients had to be diverted to other facilities, according to a local news report. 

Ransomware attacks have also been soaring. The number of such attacks increased 50 percent in 2016, according to an April report from Verizon Communications Inc. These types of attacks account for 72 percent of all the malware incidents involving the health-care industry in 2016, according to Verizon.

For more on cybersecurity, check out the Decrypted podcast:

“The large-scale cyber-attack on our NHS today is a huge wake-up call,” said Jamie Graves, chief executive officer of cybersecurity company ZoneFox.

Andrew Barratt, managing principal of Coalfire, a company which provides cybersecurity risk assessments to the health-care sector, said that many NHS hospitals used personal computers with outdated Windows-based operating systems, which have makes them easy to attack. He said many of these systems were too old to patch and that many NHS Trusts did not spend enough time on technical best practices and audits, leaving them vulnerable to a variety of potential cyber-attacks, including ransomware.

— With assistance by Thomas Penny, Adam Satariano, and Dina Bass

    Before it's here, it's on the Bloomberg Terminal.