Everything you need to know about ‘biggest ransomware’ offensive in history
May 21, 2017
A global cyberattack using hacking tools widely believed by researchers to have been developed by the US National Security Agency crippled the NHS, hit international shipper FedEx and infected computers in 150 countries.
More than 300,000 computers were infected while the countries most affected by WannaCry were Russia, Taiwan, Ukraine and India, according to Czech security firm Avast.
What was the attack and how does it work?
Hackers have been spreading “ransomware” called WannaCry, also known as WanaCrypt0r 2.0, WannaCry and WCry. It is often delivered via emails which trick the recipient into opening attachments and releasing malware onto their system in a technique known as phishing.
Once your computer has been affected, it locks up the files and encrypts them in a way that you cannot access them anymore. It then demands payment in bitcoin in order to regain access.
Security experts warn there is no guarantee that access will be granted after payment. Some ransomware that encrypts files ups the stakes after a few days, demanding more money and threatening to delete files altogether.
WannaCry exploits a vulnerability in Microsoft, which released a patch to fix it in March. However, people don’t always install updates and patches on their computers and so this means vulnerabilities can remain open a lot longer and make things easier for hackers to get in.
With advanced anti-virus software, it is possible to remove the virus from a computer. It can also be done manually by putting a computer into safe mode” and manually removing the infected files.
However, prevention remains the best form of defence.
Who was affected?
In Britain, the NHS was the worst hit.
Hospitals and GP surgeries in England and Scotland were among at least 16 health service organisations hit by a “ransomware” attack on Friday, using malware called Wanna Decryptor – with reports potentially dozens more were affected.
Staff were forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones.
Hospitals and doctors’ surgeries in parts of England were forced to turn away patients and cancel appointments after they were infected with the ransomware, which scrambled data on computers and demanded payments of $300 to $600 to restore access. People in affected areas were being advised to seek medical care only in emergencies.
The countries most affected by WannaCry to date were Russia, where the Interior Ministry was hit, Taiwan, Ukraine and India, according to Czech security firm Avast.
Leading international shipper FedEx Corp was another high-profile victim, while in Spain telecommunications company Telefonica was among many targets in the country. Portugal Telecom and Telefonica Argentina both said they were also targeted.
In Germany, railway operator Deutsche Bahn was a high-profile target, with screens at stations showing the ransonware message.
A second wave then struck Asia as the working week began on Monday. Chinese state media say more than 29,000 institutions across the country have been infected, while in Japan, 2,000 computers at 600 locations were reported to have been affected.
In Indonesia, the malware locked patient files on computers in two hospitals in the capital, Jakarta, causing delays.
Who was behind the attack?
A cyber gang – called Shadow Brokers – is being blamed for the hack. The mysterious organisation said in April it had stolen a ‘cyber weapon’ from the National Security Agency (NSA), America’s powerful military intelligence unit.
The hacking tool, called ‘Eternal Blue’, gives unprecedented access to all computers using Microsoft Windows, the world’s most popular computer operating system. It had been developed by the NSA to gain access to computers used by terrorists and enemy states.
The gang in turn ‘dumped’ the computer bug on an obscure website on April 14 and it is believed to have been picked up by a separate crime gang which has used it to gain remote access to computers around the world.
The gang, having gained access to computers, then deployedWannaCry, the ransomware, to hijack the computing system and encrypt all the files contained on it. The only way to unlock the files is to pay a ransom. One computer security expert said ‘Eternal Blue’ was used as the ‘crowbar’ that effectively opened the doors to computers, making them vulnerable to attack.
Experts examining the code have found technical clues they said could link North Korea with the attack.
Symantec and Kaspersky Lab said on Monday some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, which researchers from many companies have identified as a North Korea-run hacking operation.
What has Microsoft done to tackle it?
Microsoft issued a patch on March 14 to protect users from Eternal Blue. On Friday, a spokesman said its engineers had provided additional detection and protection services against the WannaCry malware and that it was working with customers to provide additional assistance.
The spokesman reiterated that customers who have Windows Updates enabled and use the company’s free antivirus software are protected.
Two day later, Microsoft attacked the US government for developing the computer vulnerability that was used in a cyber attack.
“The governments of the world should treat this attack as a wake up call,” Microsoft’s president and chief legal officer, Brad Smith, wrote in a blog post.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”
How to stop it spreading
A cybersecurity researcher appears to have discovered a “kill switch” that can prevent the spread of the WannaCry ransomware – for now.
The researcher, tweeting as @MalwareTechBlog, said the discovery was accidental, but that registering a domain name used by the malware stops it from spreading.
“Essentially they relied on a domain not being registered and by registering it, we stopped their malware spreading,” @MalwareTechBlog told Agence France-Presse in a private message on Twitter.
The researcher warned, however, that people “need to update their systems ASAP” to avoid attack.
“The crisis isn’t over, they can always change the code and try again,” @MalwareTechBlog said.
Can the criminals be caught?
Yes, but it’s difficult. Security experts say the amount of ransom collected so far appears small relative to the extent of the outbreak. Tom Bossert, President Donald Trump’s adviser for homeland security and counterterrorism, said it appeared less than $70,000 had been paid in ransoms.
It’s possible, though, that there are unknown accounts beyond the three identified.
In order to find the perpetrators, investigators can track the money and see where the bitcoin ends up.
“Despite what people tend to think, it’s highly traceable,” Clifford Neuman, who directs the University of Southern California’s Centre for Computer Systems Security. told the Washington Post.
“You can see the flow of funds through the bitcoin system.”
How can you protect yourself?
Security experts say users should ensure their computer software is always up to date. Often important security updates are contained within these downloads and can prevent known viruses from infecting a device.
Users should also be vigilant in relation to email and not open any links or downloading attachments in emails from unfamiliar or possibly suspicious sources.
Experts also warn that software, apps and other programs should never be downloaded from unofficial sources as this is another common method for hackers to secretly install malware onto computers.
Pete Turner, from cyber security firm Avast, said: “It’s critical that organisations and employees, particularly those in our most critical sectors like healthcare, start to think pro-actively about how to protect themselves from ransomware.”