Hunt the hackers: Gang behind ‘unprecedented’ attack using ‘atom bomb of malware’ which has now spread to 130,000 systems in more than 100 countries are targeted by global task force
- Hackers hit dozens of countries on Friday by exploiting a stolen ‘superweapon’
- The cyber attack rapidly spread and infected computers across the globe
- Europol launching investigation to track down the culprits and help victims
- Hackers are believed to have exploited the NSA tool, which was stolen and released to the world by a group known as the Shadow Brokers last month
- British hospitals, the Russian government, Spanish telecoms firm, Renault factories and German railways were among those affected by the cyber attack
- Victims reported in more than 100 countries including Germany, Spain and USA
More than 100 countries across the world have been affected by the ‘unprecedented’ cyber attack using a computer virus ‘superweapon’ dubbed the ‘atom bomb of malware’.
It is believed more than 130,000 IT systems are affected around the world, including hospitals in the UK, telecoms and gas firms in Spain, schools in China, railways in Germany and the FedEx delivery company.
The European Union’s police agency, Europol, says it is working with countries hit by the ransomware scam to rein in the threat, help victims and track down the criminals.
In a statement, Europol’s European Cybercrime Centre, known as EC3, said the attack ‘is at an unprecedented level and will require a complex international investigation to identify the culprits.’
EC3 says its Joint Cybercrime Action Taskforce, made up of experts in high-tech crime, ‘is specially designed to assist in such investigations and will play an important role in supporting the investigation.’
The attack, which has locked up computers and held users’ files for ransom, is believed to be the biggest of its kind ever recorded.
It used code developed by the US National Security Agency which was leaked online last month by a mysterious group called the Shadow Brokers.
The culprits are still unknown, but it is understood that criminal gangs will be investigated and that Russia, which suffered the most from the attack, is likely to form a large part of the inquiry.
This map released by cybersecurity experts, shows the impact of the ransomware around the world – with blue dots representing incidents across the globe. Russia is thought to be worst affected
The identity of the culprits remains unknown but the EU’s police agency Europol has launched a taskforce to investigate the crimes, with Russia expected to form a large part of the inquiry (file picture)
Russia has been the focus of several hacking investigations in recent months, with allegations from US sources of state-sponsored attempts to influence last year’s US election.
Cyber spies Fancy Bears also operate out of Russia and have been involved in many recent hacking incidents including releasing details of athletes receiving therapeutic use of banned substances ahead of international competitions.
The leaked records included those of British cyclists Sir Bradley Wiggins and Chris Froome, both Tour de France winners, showing they had been given exemptions to use banned drugs to treat asthma and allergies.
The spotlight could also fall on North Korea following claims from security experts last month that state-sponsored hackers targeted banks in 18 countries to steal funds to boost its nuclear programme.
Cyber security firm Kaspersky Lab said it had obtained digital evidence that fuels suspicions that North Korea was involved in last year’s $81 million cyber heist of the Bangladesh central bank’s account at the Federal Reserve Bank of New York.
Many systems around the world are back up today, with the Home Office confirming all but six of 48 affected UK hospitals are running as normal.
In Russia, where a wide array of systems came under attack, officials said services had been restored or the virus contained.
According to the Guardian, the criminals behind the scam have only generated around $20,000 (£15,500) so far.
Investigators Elliptic, a firm that works with law enforcement agencies to track illegal activity around online currency bitcoin, said it had identified a number of addresses for recipients of the funds, but was unable to identify them so far.
Co-founder Tim Robinson told the paper: ‘In terms of identifying the attacker, what we can see at the moment is that around $20,000 worth of ransoms have been paid to these addresses.
‘There are actually two versions of this malware: there was one that appeared in April and we’ve identified one bitcoin address associated with that, and there’s a second version which appeared on Friday and we’ve identified three bitcoin addresses associated with that.
‘These three addresses have received 8.2 bitcoins to date, which is about $14,000, and all of those bitcoins are still within those addresses. The ransomer hasn’t withdrawn any of the funds yet so there’s no opportunity to trace them.’
So far Europe seems to be the focus of the attack, with several high-profile businesses affected.
Union members at French carmaker Renault say the global cyber attack forced it to halt production at sites in France in an effort to stop the malware from spreading.
The two unionists spoke on condition of anonymity because of the sensitivity of the issue.
They say the Renault factory at Sandouville, in northwestern France, was one of the sites affected.
Hundreds of private users in Taiwan were also struck by the malware.
Deutsche Bahn in Germany said departure and arrival display screens at its stations were hit on Friday night by the attack.
The railway said that there was no impact on actual train services.
The company said it deployed extra staff to busy stations to provide customer information, and recommended that passengers check its website or app for information on their connections.
The head of Turkey’s Information and Communication Technologies Authority, or BTK, said the nation was among those affected by the ransomware attack.
Omer Fatih Sayan said the country’s cyber security centre is continuing operations against the malicious software.
The NHS has been hit by a major cyber attack hitting computers, phones and emergency bleepers in hospitals and GP surgeries – and pop-ups like this one have appeared demanding a ransom
Security experts say the malicious software behind the onslaught appears to exploit a vulnerability in Microsoft Windows that the US National Security Agency had identified and kept for its own intelligence-gathering purposes.
The NSA’s exploit tools and documents were stolen and then released to the world last month by a mysterious group known as the Shadow Brokers.
WHO HAS BEEN AFFECTED BY THE CYBER ATTACK?
The UK’s National Health Service: British hospitals and clinics were forced to send patients away and cancel appointments.
Russia: The country was believed to be among the worst hit, with computers in the interior ministry affected. Megafon – Russia’s second largest phone network – was also affected.
German railway stations: Photos surfaced on social media appeared to show ticketing computers at train stations having been affected by the cyber attack.
Spanish companies: Telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural all suffered from the virus.
FedEx: The shipping company confirmed they were affected and were implementing remediation steps.
The hackers, who have not come forward to claim responsibility, likely made it a ‘worm’, or self-spreading malware, by building in a piece of NSA exploit code known as EternalBlue, according to several security experts.
A cybersecurity researcher told AFP they appeared to have discovered a ‘kill switch’ that could prevent the spread of the ransomware for now.
The researcher, tweeting as @MalwareTechBlog, said the discovery was accidental, but that registering a domain name used by the malware stops it from spreading.
‘Essentially they relied on a domain not being registered and by registering it, we stopped their malware spreading,’ @MalwareTechBlog told AFP in a private message on Twitter.
The researcher warned however that people ‘need to update their systems ASAP’ to avoid attack: ‘The crisis isn’t over, they can always change the code and try again.’
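The kill-switch behaviour described above, modelled as an added example; this is not code from the article, from the researcher or from the malware itself. It assumes the behaviour the researcher describes: before doing anything else, the sample makes a plain web request to a hard-coded domain and exits if the request succeeds, so registering the domain stops it. The domain name, network layout and which hosts have direct internet access are all constructed for the example. It also models one caveat that is not in the article but was widely reported at the time: the request did not use the system proxy, so a host that could only reach the web through a proxy saw the request fail and kept spreading even after the domain was registered.

```python
from collections import deque
from typing import Dict, List, Set

# Placeholder stand-in for the hard-coded domain the sample contacted.
# The real domain is deliberately not reproduced here.
KILL_SWITCH_DOMAIN = "example-kill-switch.invalid"

# Constructed network: which hosts each compromised host can reach over the LAN.
NETWORK: Dict[str, List[str]] = {
    "A": ["B", "C"],
    "B": ["A", "D"],
    "C": ["A", "E", "F"],
    "D": ["B"],
    "E": ["C"],
    "F": ["C"],
}

# Constructed: hosts able to open a direct outbound HTTP connection.
# Proxy-only hosts are False: the sample ignored proxy settings, so for them
# the request fails and the kill switch never trips.
DIRECT_INTERNET: Dict[str, bool] = {
    "A": True, "B": True, "C": False, "D": True, "E": True, "F": False,
}


def kill_switch_trips(registered: Set[str], direct_internet: bool,
                      domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """True if the dropper's pre-flight web request would succeed, i.e. it exits."""
    if not direct_internet:
        return False          # connection fails -> malware carries on
    return domain in registered


def simulate(patient_zero: str, registered: Set[str], has_check: bool = True) -> Set[str]:
    """Breadth-first spread across NETWORK.

    A host is counted as compromised only if the dropper actually runs there
    (no check, or the check failed); only compromised hosts attack their peers.
    `registered` is the set of domains that currently resolve and answer.
    `has_check=False` models a re-released variant with the check removed.
    """
    compromised: Set[str] = set()
    visited: Set[str] = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        if has_check and kill_switch_trips(registered, DIRECT_INTERNET[host]):
            continue          # dropper exits before installing anything
        compromised.add(host)
        for peer in NETWORK[host]:
            if peer not in visited:
                visited.add(peer)
                queue.append(peer)
    return compromised


if __name__ == "__main__":
    print("domain unregistered:      ", sorted(simulate("C", set())))
    print("domain registered:        ", sorted(simulate("C", {KILL_SWITCH_DOMAIN})))
    print("registered, check removed:", sorted(simulate("C", {KILL_SWITCH_DOMAIN}, has_check=False)))
```

Starting from the proxy-only host C, every host falls while the domain is unregistered; once it is registered only C and the other proxy-only host F are hit, because the hosts that can reach the domain exit before spreading. With the check removed, registration changes nothing, which is the point of the researcher's warning to patch rather than rely on the domain.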
The Shadow Brokers released Eternal Blue last month as part of a trove of hacking tools that they said belonged to the US spy agency. It has stoked fears that the spy agency’s powerful cyber weapons had been stolen and repurposed by hackers with nefarious goals.
The malicious software was blocking access to computers and demanding payments of as much as $600 to restore access and scrambling data. It is thought to have impacted at least 75,000 computers, including machines in the Russian government.
The technological meltdown began earlier on Friday afternoon in Britain when more than 40 NHS organisations including hospitals and GP surgeries were hit by the virus.
Russia is thought to have been among the worst hit by the ransomware amid reports that 1,000 computers in the country’s Interior Ministry were affected, but sources say no information was leaked.
Ministry spokeswoman Irina Volk told Russian news agencies it had ‘recorded a virus attack on the ministry’s personal computers controlled by a Windows operating system.’
Leading international shipper FedEx Corp was among the companies whose Microsoft Corp Windows systems were affected. They said they were ‘implementing remediation steps’.
The German rail system was also experiencing issues due to the ransomware. Photos surfaced on social media appeared to show ticketing computers at train stations having been affected by the cyber attack.
In Spain, the Telefonica mobile phone network, power firm Iberdrola and utility provider Gas Natural all suffered from the virus.
Some big firms in Spain took pre-emptive steps to thwart ransomware attacks following a warning from the National Cryptology Centre of ‘a massive ransomware attack’.
Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised.
Security teams at large financial services firms and businesses were reviewing plans for defending against cyber attacks, according to executives with private cyber security firms.
Chris Wysopal, chief technology officer with cyber security firm Veracode, said: ‘Seeing a large telco like Telefonica get hit is going to get everybody worried.
‘Now ransomware is affecting larger companies with more sophisticated security operations.’
Some hospitals said they were forced to divert emergencies on Friday after a suspected national cyber attack.
Computer expert Lauri Love, who is facing extradition to the US over the alleged theft of data from government computers, said the attack is being powered by a ‘top of the range cyber weapon’ used by spies in the US.
‘It appears the cyber attack affected so many computers in the UK in the NHS and in Spain by taking advantage of a very nasty vulnerability in Microsoft Windows, which was dumped by hacking group Shadow Brokers who obtained it from the NSA in America.’
RANSOMWARE: THE CYBER ATTACK THAT CRIPPLED THE WORLD
What is ransomware?
Ransomware is a type of malicious software that criminals use to attack computer systems.
Criminals typically demand that the victim pay a ransom to regain access to their files or to have the harmful program removed.
Many ransomware attacks dupe users into clicking a malicious link, whether in an email or on a fake website, which installs the infection on the computer. WannaCry differs in that, as the experts quoted above note, it also spreads itself from machine to machine across a network without anyone clicking anything.
In some instances, adverts for pornographic websites will repeatedly appear on the screen, while in others a pop-up will state that a piece of your data will be destroyed if you don’t pay.
In the case of the NHS attack, the ransomware used was called Wanna Decryptor or ‘WannaCry’ Virus.
What is the WannaCry virus?
The WannaCry virus targets Microsoft’s widely used Windows operating system.
The virus encrypts files on the computer and then blackmails the user for money in exchange for access to the files.
It leaves the user with only two files: Instructions on what to do next and the Wanna Decryptor program itself.
When opened the software tells users that their files have been encrypted and gives them a few days to pay up or their files will be deleted.
It can quickly spread through an entire network of computers in a business or hospital, encrypting files on every PC.
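One way a hospital or business could have spotted the spread described above while it was happening is to watch file-share audit logs for a single workstation or user touching an unusual number of distinct files in a few seconds. The following is an added example, not code from the article or from any vendor: a small burst detector over constructed file-event lines in an assumed log format (real audit logs differ, and the hostnames, users, paths and threshold are all made up for the example).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Assumed log format, constructed for this example:
#   <ISO timestamp> host=<name> user=<name> op=<READ|WRITE|RENAME|DELETE> path=<file>
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>.+)$"
)

# Operations a file-encrypting worm generates in bulk; plain reads are ignored.
SUSPICIOUS_OPS = {"WRITE", "RENAME", "DELETE"}

Alert = Tuple[str, str, datetime, int]  # host, user, window start, distinct files touched


def parse_event(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None  # malformed input is skipped, not allowed to crash the detector
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect_bursts(lines: Iterable[str], threshold: int = 20,
                  window: timedelta = timedelta(seconds=30)) -> List[Alert]:
    """Alert once per (host, user) that modifies >= threshold distinct files within `window`.

    Lines are assumed to be in time order per (host, user), as audit logs normally are.
    """
    recent: Dict[Tuple[str, str], Deque[Tuple[datetime, str]]] = defaultdict(deque)
    fired = set()
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] not in SUSPICIOUS_OPS:
            continue
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and key not in fired:
            fired.add(key)                          # one alert per actor, not one per file
            alerts.append((ev["host"], ev["user"], q[0][0], len(distinct)))
    return alerts


# Constructed sample: ordinary office activity from one user, one malformed line,
# then a workstation renaming 25 distinct files in 25 seconds.
SAMPLE_EVENTS = [
    r"2017-05-12T14:50:03 host=WS01 user=jsmith op=WRITE path=\\share\admin\rota.xlsx",
    r"2017-05-12T14:53:41 host=WS01 user=jsmith op=READ path=\\share\admin\policy.pdf",
    r"2017-05-12T14:58:12 host=WS01 user=jsmith op=WRITE path=\\share\admin\letter.docx",
    r"2017-05-12T15:01:30 host=WS01 user=jsmith op=WRITE path=\\share\admin\rota.xlsx",
    "this line is not in the expected format",
] + [
    rf"2017-05-12T15:02:{i:02d} host=WS07 user=nurse2 op=RENAME path=\\share\pathology\result{i:03d}.pdf"
    for i in range(25)
]


if __name__ == "__main__":
    for host, user, start, count in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT {host} {user}: {count} distinct files modified in the window starting {start}")
```

The one alert fires on the twentieth distinct file from WS07, within twenty seconds of the first, while the office user who saved the same spreadsheet twice over ten minutes never comes close. In practice the threshold is tuned against a day of normal traffic, and the response the hospital staff were given, unplugging the network cable on the offending machine, is exactly what this kind of alert should trigger.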
How to protect yourself from ransomware
Thankfully, there are ways to avoid ransomware attacks, and Norton Antivirus has compiled a list of prevention methods:
1. Use reputable antivirus software and a firewall
2. Back up your computer often
3. Set up a pop-up blocker
4. Be cautious about clicking links inside emails or on suspicious websites
5. If you do receive a ransom note, disconnect from the Internet
6. Alert authorities
In December last year it was revealed about 90 per cent of NHS Trusts were still running Windows XP, two and a half years after Microsoft stopped supporting the system.
Citrix, an American software company, sent a Freedom of Information request to 63 NHS Trusts, 42 of which responded. It revealed that 24 Trusts were unsure when they would even upgrade, The Inquirer reported.
Windows XP was released more than 15 years ago and is now particularly vulnerable to viruses. Microsoft stopped providing anti-malware definition updates for Windows XP in 2015.
A number of UK hospitals continue to run the outdated software, including East Sussex, Sheffield’s Children’s hospital and Guy’s and St Thomas’ NHS Trust.
Hours after news of the cyber attacks broke, a Microsoft spokesman revealed that customers who were running the company’s free antivirus software and who had enabled Windows updates were ‘protected’ from the attack.
It raises questions about why NHS computers were not shielded from the ransomware. The March update was issued only for supported versions of Windows, so machines still running Windows XP, out of support since 2014, would not have received it through Windows Update.
The spokesman said: ‘Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt.
‘In March, we provided a security update which provides additional protections against this potential attack.
‘Those who are running our free antivirus software and have Windows updates enabled, are protected.
‘We are working with customers to provide additional assistance.’
One message circulated online claims the hackers demand $300 (£230) in the virtual currency bitcoin to relinquish control of the victim’s IT systems.
The pop-up contains a countdown clock with a deadline of next Friday. By Friday evening at least 10 payments of around $300 had been made to the bitcoin addresses the hackers asked to be paid.
But although all bitcoin transactions are public, the identity of the payer is not, so it cannot be known whether any of the payments were made by anyone in the NHS.
‘Non urgent’ appointments and operations were postponed across the UK and some hospitals diverted ambulances to neighbouring ones to ensure patient safety.
Computer systems were switched off or immobilised and key services including the bleeper system for doctors were also believed to be down.
In the minutes after the attack one doctor in the UK tweeted: ‘Massive NHS hack cyber attack today. Hospital in shut down. Thanks for delaying emergency patient care & endangering lives. A******s’.
NHS Digital, which is responsible for the health service’s cyber security, says computer systems are believed to have been hit by a ransomware cyber attack using malware called ‘Wanna Decryptor’. Three hospitals in America were hit in the same way last year.
The National Cyber Security Centre is investigating and is working with Britain’s FBI – the National Crime Agency.
GP surgeries hit in the attack say their phones went down and patients should avoid calling unless ‘absolutely necessary’ and doctors were back to using pen and paper in some areas.
Explaining the fallout, one doctor said in a message shared on Twitter: ‘So our hospital is down. We got a message saying your computers are now under their control and pay a certain amount of money. And now everything is gone.’
A screenshot obtained by the Health Service Journal (HSJ) purported to show the pop-up that appeared on at least one of the computers affected.
It said: ‘Your important files are encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time.
‘Nobody can recover your files without our decryption service.’
It goes on to demand payment, otherwise the files will be deleted. It gives a deadline of next Friday afternoon, May 19, to pay.
The HSJ said services affected were thought to include archiving systems for X-rays, pathology test results, phone and bleep systems, and patient administration systems.
OUR SCREENS WERE ‘WIPED OUT ONE BY ONE’
A shocked worker at Colchester General Hospital described how her office’s computers were ‘wiped out, one by one’.
She said: ‘My computer locked at about 3pm and I couldn’t get anything to work. Then my colleague sat next to me said her computer was down.
‘It swept through the office and everyone was affected and didn’t know what was going on. One by one the computers were wiped out.
‘Nothing was working and switching them off and on did not solve the problems.
The NHS has been hit by a major cyber attack and criminals have taken control of computers and cut off phone lines across England, leaving some departments working with pen and paper
‘Some of our colleagues from a neighbouring department came in and they’d been told to unplug their internet cables and await further instruction.’
The health worker said the effect of such a hack on modern hospitals would be catastrophic because ‘all the doctors’ notes’ are kept on the computers now.
‘They record their notes to a dictaphone during a consultation but that’s only so the notes can be typed up and stored on the computer.
‘It’s very worrying that the impact has been so far-reaching in such a short space of time.’
A spokesman for Colchester Hospital University NHS Foundation Trust, which runs Colchester General, confirmed that patients are being told to avoid A&E where possible.
According to a hospital official statement patients are being warned that all non-urgent activity is being postponed.
East and North Herts NHS Trust issued this warning to patients on their website
Blackpool Victoria Hospital is one of many across the country hit – operations have been cancelled and ambulances diverted
Barts NHS Trust in east London said they are treating it as a ‘major incident’ to ensure they can ‘maintain the safety and welfare of patients’.
A spokesman said: ‘We are experiencing a major IT disruption and there are delays at all of our hospitals.
‘Ambulances are being diverted to neighbouring hospitals. The problem is also affecting the switchboard at Newham hospital but direct line phones are working. All our staff are working hard to minimise the impact and we will post regular updates on the website’.
Fylde and Wyre NHS Trust and Blackpool Hospitals in Lancashire, East and North Hertfordshire NHS Trust and Derbyshire Community Health Services NHS Trust have admitted having problems. Colchester University Hospitals Trust is also a victim, as is neighbouring Chelmsford in Essex.
York Teaching Hospital NHS Foundation Trust which runs York and Scarborough hospitals has confirmed its computers have been affected by the widespread attack.
They have urged people to be patient and avoid calling GP surgeries and hospitals unless ‘absolutely necessary’.
NHS Merseyside said: ‘Following a suspected national cyber attack we are taking all precautionary measures possible to protect our local NHS systems and services’.