Huge cyber-attack spreads worldwide

A ransomware attack of unprecedented scale has swept the globe, crippling businesses, health services and a range of vital infrastructure

The attack primarily targeted corporations and large public sector bodies, but individual users were also affected

On May 12, a huge cyber-attack spread rapidly across the globe, crippling over 200,000 computers in 150 countries. The so-called WannaCry ransomware virus caused an error message to appear on users’ computer monitors, encrypting their files and locking them out of their machines. The virus threatened to destroy saved data unless a ransom of $300 was paid to the attackers in bitcoins.

The virus brought 47 trusts in the UK’s National Health Service to a standstill by making digitised patient records inaccessible. Meanwhile, over 2,000 computers were affected in Japan, along with 30,000 in China and 1,000 in Russia’s Interior Ministry. By May 15, other major victims included Deutsche Bahn in Germany, Renault in France, FedEx in the US and Telefonica in Spain. Symantec, a security company, urged computer users to update both their security software and operating systems, particularly on Windows, in anticipation of a second, stronger attack this week.

“The global reach is unprecedented. The latest count is over 200,000 victims in at least 150 countries, and those victims, many of those will be businesses, including large corporations”, said Europol Director Rob Wainwright on May 14. “At the moment, we are in the face of an escalating threat. The numbers are going up; I am worried about how the numbers will continue to grow when people go to work and turn on their machines on Monday morning.”

The virus was spread through a self-replicating worm. It affected Windows operating systems, prompting Microsoft to release a patch to defend against the threat. Just hours after the attack began, an anonymous security analyst blogging under the name MalwareTech was hailed as a hero when they managed to halt the spread of the virus “completely by accident” after finding a kill switch. Even so, a new version of the virus, without the kill switch, emerged the next day.

“I’ve never seen anything like this with ransomware”, said MalwareTech. “The last worm of this degree that I can remember is Conficker.” Conficker was a Windows virus that became prolific in 2008, infecting nine million machines in 200 countries.

A group called the Shadow Brokers is believed to have played a role in the current attack, since it stole a cache of cyber weapons from the US Government and leaked it online last year. The WannaCry attack reportedly used a piece of NSA software called EternalBlue that was stolen in that hack. On May 14, Brad Smith, Microsoft’s President and Chief Legal Officer, said: “The governments of the world should treat this attack as a wake-up call. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.”

The virus stipulates the $300 ransom to unlock the machine will double if it goes unpaid for three days after infection, and that files will be permanently deleted if seven days pass without payment. However, ransomware is usually very difficult to get rid of once it has taken control of a computer, and security experts are urging people not to pay the ransom as it may both waste their money and encourage similar ransomware attacks in future.

“A manual human operator must activate decryption”, said Matthew Hickey, a researcher at UK cybersecurity firm Hacker House. “I very much doubt anyone would return your contact request, bearing in mind the attention that is now on this.”

As such, if the claims made by the WannaCry bug are to be trusted, millions of user files around the world could be at risk of permanent deletion by next weekend. Users who have backed up their files may be able to restore them once their machines have been cleaned, but there is no way to guarantee any result given the uncertainty that accompanies these kinds of attacks.