
Malware, described in leaked NSA documents, cripples computers worldwide


Hackers unleashed an attack that disabled computers in dozens of nations Friday using a software flaw that once was part of the National Security Agency’s surveillance tool kit.

The resulting wave of online chaos affected tens of thousands of machines worldwide, snarling operations at the Russian Interior Ministry, Spanish telecommunications giant Telefónica and Britain’s National Health Service (NHS), where hospitals were hobbled and medical procedures interrupted.

Europe, Latin America and parts of Asia were hit particularly hard, although in the United States, FedEx also reported falling prey to the malware. The attack was the latest in a growing menace of “ransomware,” in which hackers deliver files to computers that automatically encrypt their data, making it unusable – until a ransom is paid.

“This is not targeted at the NHS,” British Prime Minister Theresa May told reporters. “It’s an international attack, and a number of countries and organizations have been affected.”

The hack renewed a long-running debate about the dangers of intelligence agencies such as the NSA collecting and using software flaws for espionage, rather than quickly alerting companies to vulnerabilities so they can fix them.

In this case, the NSA found a flaw in Microsoft software that made the hack possible. The agency reported the flaw to the company after a security breach was discovered in August, according to former U.S. officials speaking on the condition of anonymity due to the sensitivity of the topic.

Microsoft fixed the problem in a patch it released in March, before a group calling itself the “Shadow Brokers” publicly released the exploit online in April.

But system administrators appear to have applied the patch inconsistently, leaving some computers vulnerable. The vulnerability gave the hackers what amounted to a lock pick to the Microsoft software on computers that did not receive the update from the company or that used outdated operating systems.

It was not clear who was behind the campaign, which, experts said, was the first known time a hacker group used the NSA tools released by the Shadow Brokers to conduct a large-scale hack.

“These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies but by hackers and criminals around the world,” the American Civil Liberties Union, a frequent NSA critic, said in a statement.

The NSA did not respond to requests for comment, but some experts expressed sympathy for the agency because it had warned Microsoft about the problem.

Peter Eckersley, technology projects director for the Electronic Frontier Foundation, a San Francisco-based civil liberties group that has sharply criticized the NSA for its aggressive surveillance, said: “In this instance, it’s a little unfair to blame the NSA. They could have been following the best possible defensive practices, and this probably would have gone down the same way.”


But the speed and scale of the malware spread startled experts. “It’s one of the first times we’ve seen a large international global campaign,” said Chris Camacho, chief strategy officer for Flashpoint, a cyber-intelligence company. “It’s pretty shocking. This morning people woke up thinking it was only in Europe. Now it’s hitting countries around the world. It’s global.”

Cybersecurity experts said that the malware arrived through “phishing” attacks in which recipients of emails were tricked into opening phony links. Once one computer in a system was infected, the malware spread to other machines on the same network. In some cases, the malware was delivered in spam emails.

The ransomware spread so quickly because it was delivered by a special digital code developed by the NSA to move from one unpatched computer to another, security experts said. They warned that the malware now could move from large networks to individual users.

“This could be the very first instance of the use of a ‘ransom worm,’ ” Camacho said, coining a term that refers to a ransomware file that spreads across networks.

The program is called “Wanna Decrypt0r 2.0” and appears to support 28 languages, underscoring the global ambitions of its creators, said cybersecurity experts.

In a statement Friday, Microsoft said it had taken further steps to protect systems against the malware. “In March, we provided a security update which provides additional protections against this potential attack,” the company said. “Those who are running our free anti-virus software and have Windows Update enabled are protected. We are working with customers to provide additional assistance.”

The Moscow-based Internet security company Kaspersky Lab said Friday that its security software – one of several major packages available to users worldwide – had detected “more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia,” using another name for the program. Kaspersky noted that the actual number of attacks may be far higher.

The program locks computers and then launches a ransom note in a text file, according to researchers at the Avast security software company in the Czech Republic. The note says that “you need to pay service fees for the decryption” and asks for $300 worth of bitcoin, a digital currency that is difficult to track, to be sent electronically to an address. It was not clear who would receive the funds.

A sum of $300 is a fairly low ransom when compared to some previous attacks, such as the one that took place in June at the University of Calgary, which agreed to pay nearly $16,000 in bitcoin to an unknown group of hackers.

The WannaCry ransom note also states, dryly: “Don’t worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.”

The attack in Britain had immediate impacts in hospitals across the country. Operations were canceled, emergency room services were scaled down, and medical personnel went back to using handwritten notes.

Richard Harvey, 50, was just about to undergo surgery Friday afternoon on his leg following a motorcycle accident when a nurse told him that the procedure had been canceled due to a cyberattack.

“I’m a bit of a nervous person and had to get settled about the operation, which I was. Now I had to go through that again,” said Harvey, a former hospital porter who had been fasting since the previous evening in preparation for the operation at Royal London Hospital in east London. “A cyberattack? That doesn’t happen every day.”

Stephen Hirst, a doctor in the northern English town of Preston, told the BBC that the first sign of the infiltration was an error message warning that “we’d have to pay money to unlock the computer, because it’s been encrypted.”

“It’s compromising having to open files and complete prescriptions. It’s interfering with day-to-day functioning,” Hirst said.

Doctors were using pen and paper as the National Health Service struggled to get computers back online. Routine appointments were being canceled.

The BBC reported that a list of affected locations included London, Blackburn, Nottingham, Cumbria and Hertfordshire.

Health officials offered no indication of when services might return to normal or whether patient records could be permanently lost to the attack.

“The most exploitable industry in the world is the health-care sector,” said Tom Kellermann, chief executive of Strategic Cyber Ventures. He said the industry is chronically hobbled by regulation and insufficient investment in computer security.

Cybersecurity has been high on the agenda of many high-level gatherings of Western military and political leaders.

A report issued Wednesday by the European Commission called for greater attention to cyberthreats as the world becomes “more vulnerable to cyberattacks, with security breaches causing significant damage.” It said the commission plans a full review of European Union cybersecurity measures by September.

In August, the Shadow Brokers group began to release virtually the entire NSA library of powerful hacking tools. The releases continued throughout the fall and into the spring.

Witte reported from London. Todd Frankel in Washington, Karla Adam in London, Andrew Roth in Moscow and Marina Lopes in Rio de Janeiro contributed to this report.