Security Expert Weighs In On Worldwide Ransomware Hack NPR'S Scott Simon speaks with Matt Tait, of Capital Alpha Security in the United Kingdom, about the ransomware hacks in dozens of countries on Friday.
NPR logo

Security Expert Weighs In On Worldwide Ransomware Hack

  • Download
  • <iframe src="https://www.npr.org/player/embed/528259272/528350342" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Security Expert Weighs In On Worldwide Ransomware Hack

Security Expert Weighs In On Worldwide Ransomware Hack

Security Expert Weighs In On Worldwide Ransomware Hack

  • Download
  • <iframe src="https://www.npr.org/player/embed/528259272/528350342" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

NPR'S Scott Simon speaks with Matt Tait, of Capital Alpha Security in the United Kingdom, about the ransomware hacks in dozens of countries on Friday.

SCOTT SIMON, HOST:

The cyberattack that crippled computer systems across the world yesterday has exposed vulnerabilities that security experts have warned about. And one of those experts joins us now, Matt Tait, the CEO and founder of Capital Alpha Security in the United Kingdom. Mr. Tate, thanks for being with us.

MATT TAIT: Thanks so much for having me.

SIMON: Were you surprised?

TAIT: Yes. So this particular vulnerability was a vulnerability that's actually been known for a while. It was attacked back in March. It was previously potentially used by the National Security Agency for espionage purposes, but ever since March it's been completely patched.

So people who've been using their modern operating system - so Windows 7 and so on or who've been keeping up to date with their Windows patches - should have been completely secure against this vulnerability. So the fact that so many organizations were vulnerable to this is quite a surprise.

SIMON: And is it over?

TAIT: So at the moment, we're it's still in the eye of the storm. Lots of computers have been infected. Lots of organizations are having to scramble to recover their files through backups and, of course, making sure that they patch their systems so that future waves of ransomware using this particular vulnerability won't further compromise these organizations.

SIMON: I have read that a 22-year-old researcher is the person who inadvertently perhaps stopped the attack, and I'm not sure that that reassures me if that's the case.

TAIT: So that's why - malware research actually based in the U.K. was reverse engineering the malware and discovered that by registering a particular domain that they were able to disable the malware very briefly. Unfortunately, this is a very temporary solution.

We're already starting to see that modified versions of this ransomware that don't query that particular domain are already in the wild. And this means that people can't, you know, just wait around. They do need to patch their systems. And they do need to do it today.

SIMON: Mr. Tait, as you see the world, what else is vulnerable out there, and what can we do about it?

TAIT: Well, at the moment, the real problem is whether or not people have been upgrading their systems and making sure that they've got their patches installed. They're really quite big organizations which have not been doing this, and they do need to be taking a step back and asking how they've allowed this to get to this state' cause this patch came out three months ago. And really, there's no excuse for these systems to still be online if they're not patching against these known vulnerabilities.

SIMON: And do you think as we get through the weekend that there's something that regular ordinary citizens ought to be aware of?

TAIT: At the moment, this is really going to be affecting businesses because businesses are the organizations that have all of these computers online. For people at home, this is going to be a little bit less of a hassle. Of course, it will be affecting businesses like FedEx. It will be affecting businesses like the National Health Service in the U.K. And people that rely on those services, of course, will be affected.

But for people at home, really the advice is to make sure that you've installed your Windows updates and to keep your anti-virus up to date. And really, that is the best way of keeping this type of malware off people's systems at home.

SIMON: Matt Tait is the CEO and founder of Capital Alpha Security. Thanks so much.

TAIT: Thank you very much.

SIMON: You're listening to NPR News.

Copyright © 2017 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.

Ransomware Attacks Ravage Computer Networks In Dozens Of Countries

Each orange dot is a unique infection by WannaCrypt ransomware as recorded by MalwareTech.com Courtesy of malwaretech.com hide caption

toggle caption
Courtesy of malwaretech.com

Each orange dot is a unique infection by WannaCrypt ransomware as recorded by MalwareTech.com

Courtesy of malwaretech.com

Updated Sat. May 13 at 10:10 a.m. ET

Cyber security experts are still scrambling to contain a global ransomware attack that has infected tens of thousands of computers in nearly 100 countries, including the U.S., U.K., Russia, China, Ukraine, and India.

First, there were reports of Spain's largest telecom being hit with pop-up windows demanding a $300 ransom, paid in the cryptocurrency bitcoin, to access files. Then, at least 16 hospitals in England's National Health Service were affected, locking doctors and nurses out of patients' records unless they paid up. Then came word that networks around the world were under attack Friday.

The attacks are being blamed on a piece of malware called WCry, WannaCry or Wana Decryptor, alleged to have been stolen from the National Security Agency, as the Bleeping Computer site reports. It was reportedly distributed by the Shadow Brokers, which claimed to have hacked an NSA-linked team of hackers last August. The Shadow Brokers group, which is suspected of having ties to Russia, posted Windows hacking tools last month.

"The problem is, once you break in, you make digital keys, you can't really control who gets them," tech reporter Aarti Shahani told Weekend Edition Saturday. "So this attack is raising one of these fundamental issues that we talk about in the security world, about whether NSA surveillance protects people or creates unexpected damage that does more harm than good."

Edward Snowden, the former NSA contractor who leaked evidence of the agency's data collection program in 2013, has spoken out on Twitter to criticize the NSA for building this "dangerous attack tool." Yesterday he posted a New York Times article detailing the attack on the NHS in the UK, writing, "Today we see the cost."

Victims of the attack are confronted with a pop-up window that tells them their files are now encrypted and that they need to send $300 in bitcoin to unlock them.

"You can decrypt some of your files for free," reads the message, which we're seeing in a variety of languages. "But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled."

The window includes a countdown clock that threatens the files will be lost permanently in seven days.

Wana Decryptor exploits a Windows flaw that was patched in Microsoft's Security Bulletin MS17-010 in March. But on machines that haven't been updated or patched, the malicious code encrypts all of an infected machine's files — and then spreads itself.

"The fact that so many organizations were vulnerable to this was quite a surprise," cyber expert and CEO of Capital Alpha Security in the U.K. Matt Tait told NPR. "This patch came out three months ago," he adds.

"Infection of a single computer can end up compromising the entire corporate network," Spain's National Cryptologic Center says.

The malware is both powerful and insidious, computer security expert Craig Williams of CISCO Talos tells Aarti: "You could just walk up to your computer and it's infected, even if you didn't even touch it. You don't have to be there. All that has to happen is your computer is on and on the network."

"Activity from this ransomware family was almost inexistent prior to today's sudden explosion when the number of victims skyrocketed in a few hours," Bleeping Computer's Catalin Cimpanu writes.

Worldwide reaction

In the U.S., the Computer Emergency Readiness Team, or CERT, says it has "received multiple reports of ransomware infections in several countries around the world." The agency did not identify those countries.

The Department of Homeland Security says it's coordinating with "international cyber partners" in the wake of the widespread attacks. When asked to confirm that Wana Decryptor has struck in the U.S., and at what scale, Acting Deputy Press Secretary Scott McConnell did not provide specifics.

"We routinely provide cybersecurity assistance upon request, including technical analysis and support," McConnell says. "Information shared with DHS as part of these efforts, including whether a request has been made, is confidential."

Commenting on Friday's attack, Sen. Ben Sasse, a member of the Senate Armed Services Committee, says:

"This is big: around the world, doctors and nurses are scrambling to treat patients without their digital records or prescription dosages, ambulances are being rerouted, and millions of people's data is potentially exposed. Cybersecurity isn't a hypothetical problem – today shows it can be life or death. We'll likely look back at this as a watershed moment."

England's NHS says at least 16 of its organizations were hit by the ransomware. In a statement released around 11:30 a.m. ET, Friday, the system's digital office said, "This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors."

The attack also hit facilities in Scotland, where Health Secretary Shona Robison says officials are "taking immediate steps to minimize the impact of the attack across NHS Scotland and restrict any disruption."

"The investigation is at an early stage, but we believe the malware variant is Wanna Decryptor," the NHS says, referring to software that is being blamed for a number of ransom attacks in Europe Friday.

"At this stage we do not have any evidence that patient data has been accessed," the system says.

An IT worker at the public health care system tells The Guardian newspaper that it's the biggest problem they've seen in their six years working for the service.

The problem erupted around 12:30 p.m. local time, the IT worker says, with a number of email servers crashing. Other services soon went down, and then, the unidentified NHS worker says, a "bitcoin virus pop-up message" started taking over computer screens.

The U.K.'s National Cyber Security Center says it's working with both the digital office of the NHS and law enforcement.

Images that were posted online of the NHS pop-up look nearly identical to pop-up ransomware windows that hit Spain's Telefonica, a powerful attack that forced the large telecom to order employees to disconnect their computers from its network and to resort to an intercom system to relay messages, according to Bleeping Computer.

In an update after midnight local time, Russia's Interior Ministry acknowledged to state-run Tass media that its computers had also been hit.

"As of now the virus has been localized," ministry spokeswoman Irina Volk told TASS. "There have been no inside information leaks from the Russian Interior Ministry's information resources."