Huge cyberattack forces Microsoft to offer free tech fix

May 13, 2017 by Sylvia Hui And Jim Heintz
An exterior view shows the main entrance of St Bartholomew's Hospital, in London, one of the hospitals whose computer systems were affected by a cyberattack, Friday, May 12, 2017. A large cyberattack crippled computer systems at hospitals across England on Friday, with appointments canceled, phone lines down and patients turned away. (AP Photo/Matt Dunham)

Teams of technicians worked "round the clock" Saturday to restore hospital computer systems in Britain and check bank or transport services in other nations after a global cyberattack hit dozens of countries and crippled the U.K.'s health system.

The worldwide attack was so unprecedented that Microsoft quickly changed its policy and announced that it will make security fixes available for free for older Windows systems, which are still used by millions of individuals and smaller businesses.

In Russia, where a wide array of systems came under attack, officials said services had been restored or the virus contained.

The extortion attack, which locked up computers and held users' files for ransom, is believed to be the biggest of its kind ever recorded, disrupting services in nations as diverse as the U.S., Russia, Ukraine, Spain and India.

Europol, the European Union's police agency, said the onslaught was at "an unprecedented level and will require a complex international investigation to identify the culprits."

The ransomware appeared to exploit a vulnerability in Microsoft Windows that was purportedly identified by the U.S. National Security Agency for its own intelligence-gathering purposes and was later leaked to the internet.

Before Friday's attack, Microsoft had made fixes for older systems, such as 2001's Windows XP, available only to mostly larger organizations that paid extra for extended technical support. Microsoft says now it will make the fixes free for everyone.

It was not yet known who perpetrated Friday's attack. Two security firms—Kaspersky Lab and Avast—said they had identified the malicious software behind the attack in over 70 countries, although both said the attack had hit Russia the hardest.

In Britain, the National Cyber Security Center said it is "working round the clock" with experts to restore vital health services.

A security guard stands outside the Telefonica headquarters in Madrid, Spain, Friday, May 12, 2017. The Spanish government said several companies including Telefonica had been targeted in a ransomware cyberattack that affected the Windows operating system of employees' computers. (AP Photo/Paul White)

British Home Secretary Amber Rudd—who was chairing a government emergency security meeting Saturday in response to the attack—said 45 were hit, though she stressed that no patient data had been stolen. The attack froze computers at hospitals across the country, with some canceling all routine procedures. Patients were asked not to go to hospitals unless it was an emergency and even some key services like chemotherapy were canceled.

Security officials in Britain urged organizations to protect themselves from ransomware by updating their security software fixes, running anti-virus software and backing up data elsewhere.

The Russian Interior Ministry, which runs the country's police, confirmed it was among those that fell victim to the ransomware, which typically flashes a message demanding a payment to release the user's own data.

Ministry spokeswoman Irina Volk was quoted by the Interfax news agency Saturday as saying the problem had been "localized" and that no information was compromised. But the ministry's website still carried a banner on Saturday afternoon saying that technical work was continuing.

A spokesman for the Russian Health Ministry, Nikita Odintsov, said on Twitter that the cyberattacks on his ministry were "effectively repelled."

"When we say that the health ministry was attacked you should understand that it wasn't the main server, it was local computers ... actually nothing serious or deadly happened yet," German Klimenko, a presidential adviser, said on Russian state television.

Russian cellular phone operators Megafon and MTS said some of their computers were hit and the Russian national railway system said although it was attacked, rail operations were unaffected.

Russia's central bank said Saturday that no incidents had "compromising the data resources" of Russian banks, state news agency Tass reported.

French carmaker Renault's assembly plant in Slovenia halted production after it was targeted in the global cyberattack. Radio Slovenia said Saturday the Revoz factory in the southeastern town of Novo Mesto stopped working Friday evening to stop the malware from spreading—and was working with the central office in France to resolve the problem.

A screenshot of the warning screen from a purported ransomware attack, as captured by a computer user in Taiwan, is seen on a laptop in Beijing, Saturday, May 13, 2017. Dozens of countries were hit with a huge cyberextortion attack Friday that locked up computers and held users' files for ransom at a multitude of hospitals, companies and government agencies. (AP Photo/Mark Schiefelbein)

Krishna Chinthapalli, a doctor at Britain's National Hospital for Neurology & Neurosurgery who wrote a paper on cybersecurity for the British Medical Journal, said many British hospitals still use Windows XP software, introduced in 2001.

Security experts said the attack appeared to be caused by a self-replicating piece of software that enters companies when employees click on email attachments, then spreads quickly internally from computer to computer when employees share documents.

The security holes it exploits were disclosed several weeks ago by TheShadowBrokers, a mysterious group that has published what it says are hacking tools used by the NSA. Shortly after that disclosure, Microsoft announced that it had already issued software "patches," or fixes, for those holes—but many users haven't yet installed the fixes or are using older versions of Windows.

In the U.S., FedEx Corp. reported that its Windows computers were "experiencing interference" from malware, but wouldn't say if it had been hit by ransomware.

Elsewhere in Europe, the attack hit companies including Spain's Telefonica, a global broadband and telecommunications company.

Germany's national railway said Saturday departure and arrival display screens at its train stations were affected, but there was no impact on actual train services. Deutsche Bahn said it deployed extra staff to busy stations to help customers, and recommended that they check its website or app for information on their connections.

Other European organizations hit by the massive cyberattack included soccer clubs in Norway and Sweden, with IF Odd, a 132-year-old Norwegian soccer club, saying its online ticketing facility was down.


21 comments


kochevnik
May 13, 2017
This comment has been removed by a moderator.
TheGhostofOtto1923
1 / 5 (2) May 13, 2017
More USA state-sponsored terrorism
Well we couldn't let it happen by itself now could we? Attack is the only way to improve defense.

You should be thanking us.

Frenemy - Wikipedia
https://en.wikipe.../Frenemy
"Frenemy" (less commonly spelled "frienemy") is an oxymoron and a portmanteau of "friend" and "enemy" that refers to "a person with whom one is friendly, despite a fundamental dislike or rivalry" or "a person who combines the characteristics of a friend and an enemy."
gkam
1 / 5 (4) May 13, 2017
Pootie thinks he won, but really dark clouds are forming for him.

Do you think all his nasty work will go unanswered?
axemaster
5 / 5 (3) May 13, 2017
This is a frustrating situation because it's exactly what experts expected was going to happen. The NSA develops hacking weapons, they get leaked or stolen by criminal enterprises, and then get used to attack key infrastructure...
thisisminesothere
not rated yet May 13, 2017
This is a frustrating situation because it's exactly what experts expected was going to happen. The NSA develops hacking weapons, they get leaked or stolen by criminal enterprises, and then get used to attack key infrastructure...


Hmm, yes and no. Shouldn't these government bodies be notifying the public about these vulnerabilities and telling to get patched ASAP as opposed to looking for exploits that they can use to their advantage that puts millions at risk at the same time?

I think the blame is being directed at the wrong groups here.
kochevnik
2 / 5 (2) May 13, 2017
I think the blame is being directed at the wrong groups here.
How would the CIA then obtain slush funds for their wet works, sex trafficking, organ harvesting and narco peddling? Theft and state sponsored terrorism is the backbone of USA economy. Biggest enemy of US politicians is you, the public. You are best able to thwart their machinations. So they spy on you
ZergSurfer
5 / 5 (2) May 13, 2017
"Shouldn't these government bodies be notifying the public about these vulnerabilities"
Until an exploit is discovered by a white/grey hat they're regarded as zero-day, meaning there is no current defense.
https://en.wikipe...mputing)
Incredibly useful to a black hat/state actor.
" and telling to get patched ASAP as opposed to looking for exploits that they can use to their advantage that puts millions at risk at the same time?"
Until it's publicly disclosed, it puts no-one new at risk.
The worm and backdoor components were built from stolen NSA code, an auction was held, nobody paid, and the code was dumped to a public repository. I strongly suspect the miscreants regret what seemed like a good idea "Let's spread our ransomware as far as possible using this worm, and a backdoor will let us build a botnet as well, profit!"
They've pissed off a lot of TLA's :]

Occulus
2 / 5 (4) May 13, 2017
This is why the NSA should not have requested/required (who knows what sort of blackmail tactics were at play there, but the safe assumption is a nonzero value) coders at Microsoft to build them backdoors.

This entire incident is *exactly* what they were warned about. They demanded backdoors anyway. They have yet to prove conclusively that their backdoors had any positive impact on any intelligence gathering activity.

I hope other companies hotly refuse any such requests in the future. We've seen the end result now. To do anything but refuse to cooperate with the NSA on this is total madness.
ZergSurfer
5 / 5 (3) May 13, 2017
The file sharing exploit was not requested by the NSA. It was (probably) exploited by them.
This on the other hand would be more useful.
https://arstechni...0-years/
TheGhostofOtto1923
not rated yet May 14, 2017
How would the CIA then obtain slush funds for their wet works, sex trafficking, organ harvesting and narco peddling? Theft and state sponsored terrorism is the backbone of USA economy. Biggest enemy of US politicians is you, the public. You are best able to thwart their machinations. So they spy on you
-I think you're talking about the Russian mafia aren't you? The real govt over there?
kochevnik
1 / 5 (3) May 14, 2017
I think you're talking about the Russian mafia aren't you? The real govt over there?
Russian mafia is 80% Jews and they freely came to USA because banning them would be anti-Semitic LOL

Enjoy
dirk_bruere
5 / 5 (2) May 15, 2017
Thank God someone just emailed me a fix. Clicking on it now
rrrander
1 / 5 (1) May 15, 2017
This at the doorstep of hackers and scum like Snowden. The U.S. studies deadly viruses too, has them in labs, and some malcontent could release them, but it wouldn't be the scientist's fault and this isn't the NSA's fault.
antialias_physorg
5 / 5 (3) May 15, 2017
I strongly suspect the miscreants regret what seemed like a good idea

Depends on how many people paid.
I hope other companies hotly refuse any such requests in the future.

Unfortunately companies can be forced to do just about anything when one applies the blanket "for national security" excuse.
This at the doorstep of hackers and scum like Snowden

No. This is at the doorstep of scum like you who think the US should develop weapons of (cyber)war.
sascoflame
2 / 5 (1) May 16, 2017
The whole thing is garbage nothing outside of a computer should be able to exert that much control of a person's computer. As long as we accept the idea that the people should be powerless and business have total control we will have cyber attacks like this.
antialias_physorg
5 / 5 (2) May 16, 2017
The whole thing is garbage nothing outside of a computer should be able to exert that much control of a person's computer.

Soo...how again would you roll out bugfixes? Have a service person come round your house? Know what software would cost in that case? Are you willing to pay that kind of money?

Thought not.

(and if your answer is "we should only roll out bug free software" then you know nothing about software. Nothing)
JimWitte338
1 / 5 (2) May 16, 2017
This is why the NSA should not have requested/required (who knows what sort of blackmail tactics were at play there, but the safe assumption is a nonzero value) coders at Microsoft to build them backdoors [..] To do anything but refuse to cooperate with the NSA on this is total madness.

Is there any proof out there that they did this? True, maybe I'm just a trusting sheeple here (what's the singular of "sheeple"?). But I'd like to at least sort of think that this wasn't *completely* created by the government(s) that are supposed to be protecting us.
ZergSurfer
5 / 5 (1) May 16, 2017
It was a simple buffer overflow;
https://en.wikipe...overflow
No-one (AFAIK) thinks it was deliberate. OS's are complex beasts, stuffing a 32 bit value into a 16 bit field is an easy error to miss on review.
A fuzzing test may have picked it up, but I'm not sure that would have been used extensively at the time of XP.
https://en.wikipe.../Fuzzing
Da Schneib
not rated yet May 16, 2017
Gee, now it looks like it was the DPRK.

Not private hackers. Not the NSA. No one anywhere in the West. A state actor. A rogue state.

Wonder what Britain will do if they can prove it. Not to mention Spain.
antialias_physorg
5 / 5 (1) May 17, 2017
Gee, now it looks like it was the DPRK

I'm not yet sold on that idea. It would make "sense" for them to start a cyber attack - but to demand ransom instead of just destroying stuff makes little sense (most of all because of potential traceability).

Also Russia is, while not directly speaking in favor of NK, one of the few nations not outright condemning them. And it was one of the hardest hit by the virus.
ZergSurfer
5 / 5 (1) May 17, 2017
I've read speculation that it escaped during testing by the norks. Could be a gov lab with permission to access the 'net, and it hopped from a test net to an outward facing node.
Or it could be a false flag, dropping some Lazarus Group code as a red herring.
If it was a cyber attack, I would have expected it to not include the ransomware, just the backdoor. Better to own a box than cripple it. Speculation abounds :)
Write up by the guy who found the KS, recommended read;
https://www.malwa...cks.html
