Friday’s cyberattack hit 200,000 victims in at least 150 countries, the head of the European Union’s police agency says, adding he fears the number will grow when people return to work on Monday and switch on their computers.
- Businesses, institutions across the world scramble to protect systems
- New ransomware infections expected at the start of business on Monday
- Europol spokesman says it is too early to say who was behind the onslaught
The warning was issued after Britain announced 97 per cent of the country’s health service trusts were “working as normal”.
But Europol Director Rob Wainwright said he feared the attack was not over and that the number of attacks would continue to grow.
He told ITV what was unique about the attack was that the ransomware was used in combination with “a worm functionality” so the infection spread automatically.
“The global reach is unprecedented. The latest count is over 200,000 victims in at least 150 countries, and those victims, many of those will be businesses, including large corporations,” he said.
“At the moment, we are in the face of an escalating threat. The numbers are going up, I am worried about how the numbers will continue to grow when people go to work and turn [on] their machines on Monday morning.”
Monday is expected to be a busy day, especially in Asia which may not have seen the worst of the impact yet, as companies and organisations turn on their computers.
“Expect to hear a lot more about this tomorrow morning when users are back in their offices and might fall for phishing emails [or other as yet unconfirmed ways the worm may propagate],” said Christian Karam, a Singapore-based security researcher.
Europol spokesman Jan Op Gen Oorth said it was too early to say who was behind the onslaught and what their motivation was.
Attackers used encryption algorithms to lock files and demanded owners pay a ransom to access those files.
Mr Oorth said the main challenge was the fast-spreading capabilities of the malware, but added that, so far, not many people have paid the ransoms that the virus demands.
Cyber security research experts warned against giving in to criminal syndicates in order to have data unlocked.
Director for Centre for Cyber Security Research at Deakin University, Professor Yang Xiang, said it was not ethical to pay ransom for data.
“If you keep paying ransom it’s actually helping attackers to grow the industry,” he told the ABC.
Attack slowed by discovery of ‘kill switch’
The attack that began Friday is believed to be the biggest online extortion attack ever recorded, with victims including Britain’s hospital network and Germany’s national railway.
As terrifying as the unprecedented global “ransomware” attack was, cybersecurity experts said it was nothing compared to what might be coming — especially if companies and governments do not make major fixes.
How did the attack occur?
- Attack appeared to be caused by a self-replicating piece of software that takes advantage of vulnerabilities in older versions of Microsoft Windows, security experts say
- It spreads from computer to computer as it finds exposed targets.
- Ransom demands start at $US300 and increase after two hours, a security researcher at Kaspersky Lab says
- Security holes were disclosed several weeks ago by TheShadowBrokers, a mysterious group that has repeatedly published what it says are hacking tools used by the NSA
- Shortly after that disclosure, Microsoft announced it had already issued software “patches” for those holes
- But many companies and individuals have not installed the fixes yet or are using older versions of Windows that the company no longer supports and for which no patch was available
Had it not been for a young cybersecurity researcher’s accidental discovery of a so-called “kill switch”, the malicious software likely would have spread much farther and faster that it did Friday.
The 22-year-old — identified online only as MalwareTech — partnered with 28-year-old research engineer Darien Huss to register a domain name and redirect the attacks to Malware Tech’s server to activate the “kill switch”, halting the ransomware’s infections and creating what is called a “sinkhole”.
But MalwareTech said sinkholing would only stop the spread until hackers removed the domain check and tried again. He said it was “incredibly important that any unpatched systems are patched as quickly as possible”.
“You’re only safe if you patch ASAP,” he warned.
This is already believed to be the biggest online extortion attack ever recorded, disrupting computers that run factories, banks, government agencies and transport systems in nations as diverse as Russia, Ukraine, Brazil, Spain, India and the US.
Security experts tempered the alarm bells by saying that widespread attacks are tough to pull off.
This one worked because of a “perfect storm” of conditions, including a known and highly dangerous security hole in Microsoft Windows, tardy users who did not apply Microsoft’s March software fix, and malware designed to spread quickly once inside university, business or government networks.