Security scramble as ransomware spreads

Russia worst hit, followed by Ukraine, India and Taiwan, say experts

Governments, companies and security experts from China to the United Kingdom on Saturday raced to contain the fallout from an audacious cyberattack that spread quickly across the globe, raising fears that people would not be able to meet ransom demands before their data are destroyed.
 
The global efforts come less than a day after malicious software, transmitted via email and stolen from the National Security Agency, exposed vulnerabilities in computer systems in almost 100 countries in one of the largest “ransomware” attacks on record.
 
The cyberattack, in which harmful software took over computers, encrypted the information and then demanded payment of $300 or more from users before releasing the devices, affected some of the world’s largest institutions and government agencies, including the Russian interior ministry, FedEx in the United States and Britain’s National Health Service. As people fretted over whether to pay the digital ransom or lose data from their computers, experts said the attackers may pocket more than $1 billion from individuals worldwide before the deadline ran out to unlock the machines. The coordinated attack was first reported in the United Kingdom and spread globally. It has sparked fears that the effects of the continuing threat will be felt for months, if not years. It also raised questions about the intentions of the hackers: Did they carry out the attack for mere financial gain or for other unknown reasons?

 

“Ransomware attacks happen every day — but what makes this different is the size and boldness of the attack,” said Robert Pritchard, a cyber security expert at the Royal United Services Institute, a think-tank, in London. “Despite people’s best efforts, this vulnerability still exists, and people will look to exploit it.”
 
While most cyberattacks are inherently global, this current threat, experts say, is more virulent than most. Security firms said the attacks had spread to all corners of the globe, with Russia hit the worst, followed by Ukraine, India and Taiwan said Kaspersky Lab, a Russian cyber security firm.

 
The attack is believed to be the first time that such a cyber weapon developed by the NSA has been used by cybercriminals against computer users around the globe.
 
Across Asia, several universities and organisations said they had been affected. In China, the virus hit the computer networks of both companies and universities, according to the state-run news media.
 
News about the attack began trending on Chinese social media on Saturday, though most attention was focused on university networks, where there were concerns about students losing access to their academic work. The attack also spread like wildfire in Europe.

 
Companies like Deutsche Bahn, the German transport giant; Telefónica, a Spanish telecommunications firm; and Renault, the French automaker, said that some of their systems had been affected, though
 
no major outages had yet been reported across the region’s transports or telecom networks. Britain’s NHS said that at least 36 of its hospitals, doctors’ offices and ambulance companies had been crippled — making it arguably one of the largest institutions affected worldwide. That lead to the cancellation of patients’ major surgeries and the shutdown of some hospital operations as government officials struggled to respond to the attack.
 
“We are not able to tell you who is behind that attack,” Amber Rudd, Britain’s home secretary, told the British Broadcasting Corporation on Saturday. “That work is still ongoing.”

 
While American companies like FedEx said they had also been hit, experts said that computer users in the United States had so far been less affected than others after a British cybersecurity researcher accidentally stopped the ransomware attack from spreading more widely.
 
The attackers, who have yet to be identified, had included a so-called kill switch in their ransomware; it stops the malware from spreading if the virus makes an online request to a specific website. If the site is online, then the immediate attack stops, experts said.
 
When the 22-year-old researcher, who confirmed his involvement but insisted on anonymity because he did not want the public scrutiny, saw that the kill switch’s domain name — a long and complicated set of letters — had yet to be registered, he bought it himself, thereby shutting down the hacking attack before it could fully spread to the United States.

 
“The kill switch is why the US hasn’t been touched so far,” said Matthieu Suiche, founder of Comae Technologies, a cybersecurity company in the United Arab Emirates. “But it’s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”
 
The ability of the cyberattack to spread so quickly was partly because of its high level of sophistication. The malware, experts said, was based on a method that the NSA is believed to have developed as part of its arsenal of cyberweapons. Last summer, a group calling itself the “Shadow Brokers” posted online digital tools that it had stolen from the United States government’s stockpile of hacking weapons.

 
“It was well thought-out, well timed and well coordinated,” said Brian Lord, a former deputy director for intelligence and cyber operations at Government Communications Headquarters, Britain’s equivalent to the NSA. “But, fundamentally, there is nothing unusual about its delivery. It is still fundamentally robbery and extortion.”
 
As part of the efforts to combat the attack, Microsoft, whose Windows software lies at the heart of the potential hacking vulnerability, released a software update available to those affected by the attack and others who could be potential targets.
 
Yet, security experts said the software upgrade, while laudable, came too late for many of the tens of thousands of machines that were locked out and whose data could be erased if people did not pay the ransom. Government officials and industry watchers also warned on Saturday that other hackers might now try to use the global ransomware attack for their own means, potentially tweaking the code and developing their own targets for new cyberattacks.

 
“As with everything in cyber, we’re now waiting for the next type of attack,” said Paul Bantick, a cyber security expert at Beazley, a global insurance underwriter, who has handled similar ransomware attacks for clients around the world.
 
“Ransomware like this has been on the rise over the last 18 months,” he added. “This represents the next step that people were expecting.”

Keith Bradsher contributed reporting from Beijing, Paul Mozur and Gerry Mullany from Hong Kong, and Alison Smale from BerlinKeith Bradsher contributed reporting from Beijing, Paul Mozur and Gerry Mullany from Hong Kong, and Alison Smale from Berlin