Ransomware Attacks Computer Networks Around The Globe Massive cyberattacks spread throughout the world, affecting computer systems in nearly 100 countries. The hackers reportedly used a flaw in Microsoft software identified by the NSA.

Ransomware Attacks Computer Networks Around The Globe

Ransomware Attacks Computer Networks Around The Globe

  • Download
  • <iframe src="https://www.npr.org/player/embed/528236680/528236681" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

Massive cyberattacks spread throughout the world, affecting computer systems in nearly 100 countries. The hackers reportedly used a flaw in Microsoft software identified by the NSA.

SCOTT SIMON, HOST:

A cyberattack spread across the world yesterday. The British National Health Service, universities in China and FedEx were among the many places that were hit. The attackers wanted money ransom in exchange for data. NPR's tech reporter Aarti Shahani joins us. Aarti, thanks so much for being with us.

AARTI SHAHANI, BYLINE: My pleasure.

SIMON: Do we know how it started?

SHAHANI: We don't know the exact timeline for each and every attack yet or if they were separate or coordinated attacks. But we do know it's all over the place now. There's a sort of heat map of the attacks that shows orange glowing dots across Europe, the U.S., India, Brazil, Russia, China. All areas affected by this malware are called Wanna Cry or Wanna Decrypter. It was - starting yesterday morning, we got reports out of Spain and Britain. Over there in the National Health Service, hospitals were crippled, brought to a standstill. Doctors and nurses were literally, you know, locked out of their patients' files. And what I mean by that, by locked out, is this was a ransomware attack. Ransomware is a technique that hackers use in which they find a way to get into your system, say, by sending you an email that's literally a Trojan horse. It has malicious software inside.

And then the hackers, you know, they take your files. They swoop through, and they encrypt them so you can't read them anymore. They're locked, and to unlock them, you need a decryption key. So the hackers will blurt out on your computer screen, hey, if you want to see your files again, pay us X amount in Bitcoin, the cryptocurrency. In this case, it seems to be small amounts in this series of attacks, say, a few hundred dollars.

SIMON: Yeah. What damage in the United States near as you can tell?

SHAHANI: Well, we're not really aware of what the damage is precisely. I mean, that's still being accounted for. One thing interestingly for people that are dissecting what happened is that many systems are now trying to clean up the damage. So it's hard to know exactly what happened. It's kind of like cleaning up a crime scene before doing the forensics on it. One thing that is being discussed - this is possibly malware coming from the NSA. Some security experts who've been collecting samples of the malware and dissecting them have been saying that these criminal attacks are based on attacks designed by the National Security Agency and then released into the public by a hacking group called The Shadow Brokers.

You know, now, the NSA, they would have wanted to use the malware for spying purposes, right? The agency has a huge shop - we're very well aware of this - one of the world's best shops, dedicated to finding weaknesses in software and taking advantage of those weaknesses to break in and steal information for spying purposes. The problem is once you break in, you make digital keys, you can't really control who gets them. So this attack is raising one of these fundamental issues that we talk about in the security world about whether NSA surveillance protects people or creates unexpected damage that does more harm than good.

SIMON: So I - so it's possible that there - it's possible that the NSA program to try and limit damage and trace people who would do harm to the country wound up doing harm across the world.

SHAHANI: Yes, exactly, and that's the sort of - that could be the irony of this.

SIMON: Mercy. It could have been - could it have been prevented? Aside from maybe not inventing it, could it have been prevented somehow?

SHAHANI: Great question, and yeah, here's the thing - the software flaw is something in the Microsoft operating system, in Windows. Microsoft released a patch for it way back in March. So in an ideal world, you would have installed the patch and been protected from this onslaught, this ransomware campaign. But obviously, we don't live in an ideal world, and it's not reasonable to expect every local IT guy to update immediately.

SIMON: So 15 seconds we have left - we know a lot of people listening to us are online. What do they do or not do?

SHAHANI: Well, absolutely backup your data. Have a way to have your data backed up in a trusted cloud provider or an external drive because the fact is if you backup your data, this kind of attack loses its fangs.

SIMON: NPR's Aarti Shahani, thanks so much for being with us.

SHAHANI: Thank you.

Copyright © 2017 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.

Ransomware Attacks Ravage Computer Networks In Dozens Of Countries

Each orange dot is a unique infection by WannaCrypt ransomware as recorded by MalwareTech.com Courtesy of malwaretech.com hide caption

toggle caption
Courtesy of malwaretech.com

Each orange dot is a unique infection by WannaCrypt ransomware as recorded by MalwareTech.com

Courtesy of malwaretech.com

Updated Sat. May 13 at 10:10 a.m. ET

Cyber security experts are still scrambling to contain a global ransomware attack that has infected tens of thousands of computers in nearly 100 countries, including the U.S., U.K., Russia, China, Ukraine, and India.

First, there were reports of Spain's largest telecom being hit with pop-up windows demanding a $300 ransom, paid in the cryptocurrency bitcoin, to access files. Then, at least 16 hospitals in England's National Health Service were affected, locking doctors and nurses out of patients' records unless they paid up. Then came word that networks around the world were under attack Friday.

The attacks are being blamed on a piece of malware called WCry, WannaCry or Wana Decryptor, alleged to have been stolen from the National Security Agency, as the Bleeping Computer site reports. It was reportedly distributed by the Shadow Brokers, which claimed to have hacked an NSA-linked team of hackers last August. The Shadow Brokers group, which is suspected of having ties to Russia, posted Windows hacking tools last month.

"The problem is, once you break in, you make digital keys, you can't really control who gets them," tech reporter Aarti Shahani told Weekend Edition Saturday. "So this attack is raising one of these fundamental issues that we talk about in the security world, about whether NSA surveillance protects people or creates unexpected damage that does more harm than good."

Edward Snowden, the former NSA contractor who leaked evidence of the agency's data collection program in 2013, has spoken out on Twitter to criticize the NSA for building this "dangerous attack tool." Yesterday he posted a New York Times article detailing the attack on the NHS in the UK, writing, "Today we see the cost."

Victims of the attack are confronted with a pop-up window that tells them their files are now encrypted and that they need to send $300 in bitcoin to unlock them.

"You can decrypt some of your files for free," reads the message, which we're seeing in a variety of languages. "But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled."

The window includes a countdown clock that threatens the files will be lost permanently in seven days.

Wana Decryptor exploits a Windows flaw that was patched in Microsoft's Security Bulletin MS17-010 in March. But on machines that haven't been updated or patched, the malicious code encrypts all of an infected machine's files — and then spreads itself.

"The fact that so many organizations were vulnerable to this was quite a surprise," cyber expert and CEO of Capital Alpha Security in the U.K. Matt Tait told NPR. "This patch came out three months ago," he adds.

"Infection of a single computer can end up compromising the entire corporate network," Spain's National Cryptologic Center says.

The malware is both powerful and insidious, computer security expert Craig Williams of CISCO Talos tells Aarti: "You could just walk up to your computer and it's infected, even if you didn't even touch it. You don't have to be there. All that has to happen is your computer is on and on the network."

"Activity from this ransomware family was almost inexistent prior to today's sudden explosion when the number of victims skyrocketed in a few hours," Bleeping Computer's Catalin Cimpanu writes.

Worldwide reaction

In the U.S., the Computer Emergency Readiness Team, or CERT, says it has "received multiple reports of ransomware infections in several countries around the world." The agency did not identify those countries.

The Department of Homeland Security says it's coordinating with "international cyber partners" in the wake of the widespread attacks. When asked to confirm that Wana Decryptor has struck in the U.S., and at what scale, Acting Deputy Press Secretary Scott McConnell did not provide specifics.

"We routinely provide cybersecurity assistance upon request, including technical analysis and support," McConnell says. "Information shared with DHS as part of these efforts, including whether a request has been made, is confidential."

Commenting on Friday's attack, Sen. Ben Sasse, a member of the Senate Armed Services Committee, says:

"This is big: around the world, doctors and nurses are scrambling to treat patients without their digital records or prescription dosages, ambulances are being rerouted, and millions of people's data is potentially exposed. Cybersecurity isn't a hypothetical problem – today shows it can be life or death. We'll likely look back at this as a watershed moment."

England's NHS says at least 16 of its organizations were hit by the ransomware. In a statement released around 11:30 a.m. ET, Friday, the system's digital office said, "This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors."

The attack also hit facilities in Scotland, where Health Secretary Shona Robison says officials are "taking immediate steps to minimize the impact of the attack across NHS Scotland and restrict any disruption."

"The investigation is at an early stage, but we believe the malware variant is Wanna Decryptor," the NHS says, referring to software that is being blamed for a number of ransom attacks in Europe Friday.

"At this stage we do not have any evidence that patient data has been accessed," the system says.

An IT worker at the public health care system tells The Guardian newspaper that it's the biggest problem they've seen in their six years working for the service.

The problem erupted around 12:30 p.m. local time, the IT worker says, with a number of email servers crashing. Other services soon went down, and then, the unidentified NHS worker says, a "bitcoin virus pop-up message" started taking over computer screens.

The U.K.'s National Cyber Security Center says it's working with both the digital office of the NHS and law enforcement.

Images that were posted online of the NHS pop-up look nearly identical to pop-up ransomware windows that hit Spain's Telefonica, a powerful attack that forced the large telecom to order employees to disconnect their computers from its network and to resort to an intercom system to relay messages, according to Bleeping Computer.

In an update after midnight local time, Russia's Interior Ministry acknowledged to state-run Tass media that its computers had also been hit.

"As of now the virus has been localized," ministry spokeswoman Irina Volk told TASS. "There have been no inside information leaks from the Russian Interior Ministry's information resources."