Ninety-nine countries are hit by 75,000 attacks using NSA superweapon dubbed the ‘atom bomb of malware’ stolen by mysterious hacking collective called ‘The Shadow Brokers’
A global cyber attack using hacking tools widely believed to have been developed by the US National Security Agency and leaked online by a group called the Shadow Brokers has caused chaos around the world.
British hospitals, the Russian government, German railways and big companies like FedEx were among those crippled by the ‘ransomware’, which rapidly spread across the globe and infected 75,000 computers in 99 countries.
Meanwhile hundreds of private users in Taiwan were also struck by the malware, while IT systems at schools and universities in China were infected.
Security experts say the malicious software behind the onslaught appeared to exploit a vulnerability in Microsoft Windows that was identified by the US National Security Agency for its own intelligence-gathering purposes.
The NSA documents were stolen and then released to the world last month by a mysterious group known as the Shadow Brokers.
The hackers, who have not come forward to claim responsibility, likely made it a ‘worm’, or self-spreading malware, by exploiting a piece of NSA code known as Eternal Blue, according to several security experts.
This map released by cybersecurity experts, shows the impact of the ransomware around the world – with blue dots representing incidents across the globe. Russia is thought to be worst affected
The NHS has been hit by a major cyber attack affecting computers, phones and emergency bleepers in hospitals and GP surgeries – and pop-ups like this one have appeared demanding a ransom
The Shadow Brokers released Eternal Blue last month as part of a trove of hacking tools that they said belonged to the US spy agency. It has stoked fears that the spy agency’s powerful cyber weapons had been stolen and repurposed by hackers with nefarious goals.
The malicious software was scrambling data, blocking access to computers and demanding payments of as much as $600 to restore access. It is thought to have impacted at least 75,000 computers, including machines in the Russian government.
The technological meltdown began earlier on Friday afternoon in Britain when more than 40 NHS organisations including hospitals and GP surgeries were hit by the virus.
But with the virus spreading at a rate of five million emails per hour, tens of thousands of victims have now been reported in 99 countries including the US, Australia, Belgium, France, Germany, Italy and Mexico.
Russia is thought to have been among the worst hit by the ransomware amid reports that 1,000 computers in the country’s Interior Ministry were affected, but sources say no information was leaked.
Ministry spokeswoman Irina Volk told Russian news agencies it had ‘recorded a virus attack on the ministry’s personal computers controlled by a Windows operating system.’
Leading international shipper FedEx Corp was among the companies whose Microsoft Corp Windows systems were affected. It said it was ‘implementing remediation steps’.
The German rail system was also experiencing issues due to the ransomware. Photos surfaced on social media appeared to show ticketing computers at train stations having been affected by the cyber attack.
In Spain, the Telefonica mobile phone network, power firm Iberdrola and utility provider Gas Natural all suffered from the virus.
Some big firms in Spain took pre-emptive steps to thwart ransomware attacks following a warning from the National Cryptology Centre of ‘a massive ransomware attack’.
Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised.
Security teams at large financial services firms and businesses were reviewing plans for defending against cyber attacks, according to executives with private cyber security firms.
Chris Wysopal, chief technology officer with cyber security firm Veracode, said: ‘Seeing a large telco like Telefonica get hit is going to get everybody worried.
‘Now ransomware is affecting larger companies with more sophisticated security operations.’
A cybersecurity researcher told AFP they appeared to have discovered a ‘kill switch’ that could prevent the spread of the ransomware for now.
The researcher, tweeting as @MalwareTechBlog, said the discovery was accidental, but that registering a domain name used by the malware stops it from spreading.
‘Essentially they relied on a domain not being registered and by registering it, we stopped their malware spreading,’ @MalwareTechBlog told AFP in a private message on Twitter.
The researcher warned however that people ‘need to update their systems ASAP’ to avoid attack: ‘The crisis isn’t over, they can always change the code and try again.’
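How the kill switch described above works, reconstructed here as an added illustration (this is not code from the article, from the researcher or from the malware). The article only says that the malware relied on a domain being unregistered; the details assumed below are that the worm makes a plain HTTP request to a hard-coded domain before spreading, treats any successful connection as the signal to stop, and ignores the host’s proxy settings. The domain name in the code is a placeholder, and the per-host results at the bottom are constructed, not measured.

```python
"""Added illustration of the kill-switch behaviour described in the article.

Assumptions (not stated in the article): the worm issues a plain HTTP GET to a
hard-coded domain before spreading, treats any successful connection as the
signal to stop, and ignores the host's proxy settings. The domain below is a
placeholder, not the real one.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Assumption: placeholder only; the real kill-switch domain is not named here.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"


def direct_http_probe(domain: str, timeout: float = 3.0) -> bool:
    """Return True if http://<domain>/ answers at all, bypassing any proxy.

    A ProxyHandler with an empty mapping disables proxy use, so a host that can
    only reach the Internet through a proxy gets False even though the domain
    has been registered.
    """
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"http://{domain}/", timeout=timeout):
            return True
    except (urllib.error.URLError, OSError, ValueError):
        return False


def worm_would_spread(probe: Callable[[str], bool],
                      domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """The worm's decision as the article describes it: spread only when the
    probe FAILS. Registering the domain makes the probe succeed, which is what
    halted the spread; a new build pointing at a different domain fails again.
    """
    return not probe(domain)


def hosts_not_covered(probe_results: Dict[str, bool]) -> List[str]:
    """Given per-host probe results, list hosts the kill switch does NOT protect.

    Those are hosts where the probe failed (no direct egress, DNS blocked, or
    the domain unreachable); on them the worm would still spread, so patching
    is the only defence.
    """
    return sorted(host for host, reached in probe_results.items() if not reached)


if __name__ == "__main__":
    # Constructed sample results, not measurements from any real network.
    sample = {
        "ward-pc-01": True,     # direct Internet access: kill switch fires
        "mri-console": False,   # isolated segment: kill switch never fires
        "reception-02": False,  # proxy-only egress: direct probe fails
    }
    for host in hosts_not_covered(sample):
        print(f"{host}: kill switch ineffective, patch immediately")
    # With the placeholder domain the live probe fails, so the worm would spread.
    verdict = "would spread" if worm_would_spread(direct_http_probe) else "stopped"
    print("live probe against placeholder domain:", verdict)
```

The point for defenders is the second function: the kill switch only helps hosts that can reach the registered domain directly, so machines on isolated segments or behind a proxy-only egress are unprotected, which is why the researcher’s advice to patch still stands.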
The German rail system was also experiencing issues due to the ransomware. Photos surfaced on social media showing ticket machines at train stations having been affected
Computer expert Lauri Love, who is facing extradition to the US over the alleged theft of data from government computers, said the attack is being powered by a ‘top of the range cyber weapon’ used by spies in the US.
‘It appears the cyber attack affected so many computers in the UK in the NHS and in Spain by taking advantage of a very nasty vulnerability in Microsoft Windows, which was dumped by hacking group Shadow Brokers who obtained it from the NSA in America.’
In December last year it was revealed about 90 per cent of NHS Trusts were still running Windows XP, two and a half years after Microsoft stopped supporting the system.
Citrix, an American software company, sent a Freedom of Information request to 63 NHS Trusts, 42 of which responded. It revealed that 24 Trusts were unsure when they would even upgrade, The Inquirer reported.
Windows XP was released more than 15 years ago and is now particularly vulnerable to malware. Microsoft stopped providing anti-malware signature updates for the ageing Windows XP in 2015.
A number of UK hospitals continue to run the outdated software, including East Sussex, Sheffield Children’s Hospital and Guy’s and St Thomas’ NHS Trust.
Hours after news of the cyber attacks broke, a Microsoft spokesman revealed that customers who were running the company’s free antivirus software and who had enabled Windows updates were ‘protected’ from the attack.
It raises questions about why NHS computers using the operating system were not shielded from the ransomware.
The spokesman said: ‘Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt.
‘In March, we provided a security update which provides additional protections against this potential attack.
‘Those who are running our free antivirus software and have Windows updates enabled, are protected.
‘We are working with customers to provide additional assistance.’
One message circulated online claims the hackers demand 300 US dollars (£230) in the virtual currency Bitcoin to relinquish control of victims’ IT systems.
The pop-up contains a countdown clock with a deadline of next Friday. At least 10 payments of around $300 have been made to the Bitcoin addresses the hackers have asked to be paid by Friday.
But although all Bitcoin transactions are public, we cannot see who made the payments, so we cannot know whether any have been made by anyone in the NHS.
‘Non urgent’ appointments and operations were postponed across the UK and some hospitals diverted ambulances to neighbouring ones to ensure patient safety.
Computer systems were switched off or immobilised and key services including the bleeper system for doctors were also believed to be down.
In the minutes after the attack one doctor in the UK tweeted: ‘Massive NHS hack cyber attack today. Hospital in shut down. Thanks for delaying emergency patient care & endangering lives. A******s’.
NHS Digital, which is responsible for the health service’s cyber security, says computer systems are believed to have been hit by a ransomware cyber attack using malware called ‘Wanna Decryptor’. Three hospitals in America were hit in the same way last year.
The National Cyber Security Centre is investigating and is working with Britain’s FBI – the National Crime Agency.
GP surgeries hit in the attack say their phones went down and that patients should avoid calling unless ‘absolutely necessary’. In some areas doctors were back to using pen and paper.
Explaining the fallout, one doctor said in a message shared on Twitter: ‘So our hospital is down. We got a message saying your computers are now under their control and pay a certain amount of money. And now everything is gone.’
A screenshot obtained by the Health Service Journal (HSJ) purported to show the pop-up that appeared on at least one of the computers affected