Massive Ransomware Attack Hits Approximately 150 Countries

A massive cyberattack spread to at least 150 countries and more than 200,000 victims beginning Friday. The software exploit, which is used to take advantage of a system’s or program’s vulnerability, at the center of the attack appears to have used code that was developed by the National Security Agency. The exploit was recently released to the public by a group of hackers called the Shadow Brokers. The exploit delivered the WannaCry ransomware to computers running unpatched versions of Microsoft Windows. The software exploit has a sophisticated delivery system, which when triggered (often through a phishing email), spread quickly through vulnerable systems, encrypting data throughout networks and individual computers.

Victims were required to send $300 worth of bitcoins to the attackers in order to get their data decrypted. The first major reports were from hospitals in the U.K. National Health Service (NHS), where numerous patients were unable to be treated and were turned away from at least 16 NHS organizations. Other significant organizations that were reportedly hit hard include Spain’s Telefonica telecommunications firm and FedEx. While reports are still coming out of China, Germany, Turkey, France, Brazil, the US and many other countries, the hardest hit appears to be Russia, as a result of having a very large number of unpatched Windows machines. Microsoft issued an emergency patch for Windows XP, which has not been supported since 2014, in order to reduce the scope of the damage.

The impact of the cyberattack would have been significantly worse if a 22-year old British cyber researcher hadn’t found a “kill” switch in the software. It appears that the software was looking for a specific website, and as long as the site was not active, the ransomware kept spreading. The researcher registered the domain for approximately $10, and once set up, with a specific technology known as a “sink” to absorb the attacks, the ransomware ceased being active on new computers. Those who had been attacked already were not helped by these efforts. The researcher speculates that the “kill” switch was actually a botched attempt to throw off cyber defenses. He stated that it would be simple for the attackers to fix this error and issue new code, and the attack would begin to spread again. To date, this has not happened.

Because the Shadow Brokers released the exploit for public access, there is no identification of the person or organization that launched the attack. The White House activated the Cyber Response Group, and the attack was the subject of a senior level National Security Council meeting on Saturday. A number of experts are predicting that this is a prelude to a major attack against critical infrastructure, which has the potential to cause far more harm.

These attacks provide the most recent and significant example of cybersecurity vulnerabilities. Immediate steps that should be taken include checking with your Information Systems (IS) experts to ensure that your systems are fully updated, reviewing your incident response plan, reporting the incident to the appropriate authorities and checking your cyber insurance coverage for ransomware protection.