Date: 2017-05-13
(Adds U.S. Department of Homeland Security statement, paragraph
9)
* Attack leverages tools developed by U.S. NSA -researchers
* UK hospitals, surgeries, ambulance service disrupted
* Spanish firms targeted, but impact limited
* Microsoft works on detection, protection -statement
By Costas Pitas and Carlos Ruano
LONDON/MADRID, May 12 A global cyberattack
leveraging hacking tools widely believed by researchers to have
been developed by the U.S. National Security Agency hit
international shipper FedEx, disrupted Britain's health system
and infected computers in nearly 100 countries on Friday.
Cyber extortionists tricked victims into opening malicious
attachments to spam emails that appeared to contain
invoices, job offers, security warnings and other legitimate
files.
The ransomware encrypted data on the computers, demanding
payments of $300 to $600 to restore access. Security researchers
said they observed some victims paying via the digital currency
bitcoin, though they did not know what percent had given in to
the extortionists.
Researchers with security software maker Avast said they had
observed 57,000 infections in 99 countries with Russia, Ukraine
and Taiwan the top targets.
The most disruptive attacks were reported in Britain, where
hospitals and clinics were forced to turn away patients after
losing access to computers.
International shipper FedEx Corp said some of its
Windows computers were also infected. "We are implementing
remediation steps as quickly as possible," it said in a
statement.
Still, only a small number of U.S.-headquartered
organizations were hit because the hackers appear to have begun
the campaign by targeting organizations in Europe, said Vikram
Thakur, research manager with security software maker Symantec.
By the time they turned their attention to the United
States, spam filters had identified the new threat and flagged
the ransomware-laden emails as malicious, Thakur said.
The U.S. Department of Homeland Security said late on Friday
that it was aware of reports of the ransomware, was sharing
information with domestic and foreign partners and was ready to
lend technical support.
Telecommunications company Telefonica was among
many targets in Spain, though it said the attack was limited to
some computers on an internal network and had not affected
clients or services. Portugal Telecom and Telefonica Argentina
both said they were also targeted.
Private security firms identified the ransomware as a new
variant of "WannaCry" that had the ability to automatically
spread across large networks by exploiting a known bug in
Microsoft's Windows operating system.
"Once it gets in and starts moving across the
infrastructure, there is no way to stop it," said Adam Meyers, a
researcher with cyber security firm CrowdStrike.
The hackers, who have not come forward to claim
responsibility or otherwise been identified, likely made it a
"worm," or self-spreading malware, by exploiting a piece of NSA
code known as "Eternal Blue" that was released last month by a
group known as the Shadow Brokers, researchers with several
private cyber security firms said.
"This is one of the largest global ransomware attacks the
cyber community has ever seen," said Rich Barger, director of
threat research with Splunk, one of the firms that linked
WannaCry to the NSA.
The Shadow Brokers released Eternal Blue as part of a trove
of hacking tools that they said belonged to the U.S. spy agency.
Microsoft on Friday said it was pushing out automatic
Windows updates to defend clients from WannaCry. It issued a
patch on March 14 to protect them from Eternal Blue.
"Today our engineers added detection and protection against
new malicious software known as Ransom:Win32.WannaCrypt,"
Microsoft said in a statement. It said the company was working
with its customers to provide additional assistance.
SENSITIVE TIMING
The spread of the ransomware capped a week of cyber turmoil
in Europe that kicked off a week earlier when hackers posted a
huge trove of campaign documents tied to French candidate
Emmanuel Macron just 1-1/2 days before a run-off vote in which
he was elected as the new president of France.
On Wednesday, hackers disrupted the websites of several
French media companies and aerospace giant Airbus.
Also, the hack happened four weeks before a British
parliamentary election in which national security and the
management of the state-run National Health Service (NHS) are
important campaign themes.
Authorities in Britain have been braced for possible
cyberattacks in the run-up to the vote, as happened during last
year's U.S. election and on the eve of this month's presidential
vote in France.
But those attacks - blamed on Russia, which has repeatedly
denied them - followed an entirely different modus operandi
involving penetrating the accounts of individuals and political
organizations and then releasing hacked material online.
On Friday, Russia's interior and emergencies ministries, as
well as the country's biggest bank, Sberbank, said
they were targeted. The interior ministry said on its website
that around 1,000 computers had been infected but it had
localized the virus.
The emergencies ministry told Russian news agencies it had
repelled the cyberattacks while Sberbank said its cyber security
systems had prevented viruses from entering its systems.
NEW BREED OF RANSOMWARE
Although cyber extortion cases have been rising for several
years, they have to date affected small-to-mid-sized
organizations, disrupting services provided by hospitals, police
departments, public transportation systems and utilities in the
United States and Europe.
"Seeing a large telco like Telefonica get hit is going to
get everybody worried. Now ransomware is affecting larger
companies with more sophisticated security operations," Chris
Wysopal, chief technology officer with cyber security firm
Veracode, said.
The news is also likely to embolden cyber extortionists when
selecting targets, Chris Camacho, chief strategy officer with
cyber intelligence firm Flashpoint, said.
"Now that the cyber criminals know they can hit the big
guys, they will start to target big corporations. And some of
them may not be well prepared for such attacks," Camacho said.
In Spain, some big firms took pre-emptive steps to thwart
ransomware attacks following a warning from Spain's National
Cryptology Centre of "a massive ransomware attack."
Iberdrola and Gas Natural, along with
Vodafone's unit in Spain, asked staff to turn off
computers or cut off internet access in case they had been
compromised, representatives from the firms said.
In Spain, the attacks did not disrupt the provision of
services or network operations of the victims, the government
said in a statement.
(Additional reporting by Jim Finkle, Eric Auchard, Jose
Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella
Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden,
David Milliken, Rosalba O'Brien, Julien Toyer, Tim Hepher, Luiza
Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh;
Writing by Mark Trevelyan and Jim Finkle; Editing by Ralph
Boulton and Grant McCool)