Manhunt for hackers behind global cyberattack (Update)

May 13, 2017
The huge cyberattack wiped out display screens at rail stations in Germany

International investigators hunted Saturday for those behind an unprecedented cyber-attack that affected systems in dozens of countries, including at banks, hospitals and government agencies, as security experts sought to contain the fallout.

The assault, which began Friday and was being described as the biggest-ever cyber ransom attack, struck state agencies and major companies around the world—from Russian banks and British hospitals to FedEx and European car factories.

"The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits," said Europol, Europe's police agency.

Europol said a special task force at its European Cybercrime Centre was "specially designed to assist in such investigations and will play an important role in supporting the investigation".

The attacks used ransomware that apparently exploited a security flaw in Microsoft operating systems, locking users' files unless they pay the attackers a designated sum in the virtual currency Bitcoin.

Images appeared on victims' screens demanding payment of $300 (275 euros) in Bitcoin, saying: "Ooops, your files have been encrypted!"

Payment is demanded within three days or the price is doubled, and if none is received within seven days the files will be deleted, according to the screen message.

But experts and government alike warn against ceding to the hackers' demands.

"Paying the ransom does not guarantee the encrypted files will be released," the US Department of Homeland Security's computer emergency response team said.

"It only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information."

'Painful'

Experts and officials offered differing estimates of the scope of the attacks, but all agreed it was huge.

Mikko Hypponen, chief research officer at the Helsinki-based cyber security company F-Secure, told AFP it was the biggest ransomware outbreak in history, saying that 130,000 systems in more than 100 countries had been affected.

He said Russia and India were hit particularly hard, largely because Microsoft's Windows XP—one of the operating systems most at risk—was still widely used there.

French police said there were "more than 75,000 victims" around the globe, but cautioned that the number could increase "significantly".

The virus spread quickly because the culprits used a digital code believed to have been developed by the US National Security Agency—and subsequently leaked as part of a document dump, according to researchers at the Moscow-based computer security firm Kaspersky Lab.

Microsoft said the situation was "painful" and that it was taking "all possible actions to protect our customers".

It issued guidance for people to protect their systems, while taking the highly unusual step of reissuing security patches first made available in March for Windows XP and other older versions of its operating system.

Europe worst hit

US software firm Symantec said the majority of organisations affected were in Europe, and the attack was believed to be indiscriminate.

The companies and government agencies targeted were diverse.

In the United States, package delivery group FedEx said it was "implementing remediation steps as quickly as possible," while French carmaker Renault was forced to stop production at sites in France, Slovenia and Romania.

Russia's interior ministry said some of its computers had been hit by a "virus attack" and that efforts were underway to destroy it. The country's banking system was also attacked, although no problems were detected, as was the railway system.

Germany's rail operator Deutsche Bahn said its station display panels were affected. Universities in Greece and Italy also were hit.

China's network information safety working group sent a warning to universities about the cyber-attack and the National Internet Emergency Center suggested that users update Windows security patches.

Shanghai's Fudan University received reports that a large number of school computers were infected with the virus.

Accidental 'kill switch'

Kaspersky said it was "trying to determine whether it is possible to decrypt data locked in the attack—with the aim of developing a decryption tool as soon as possible."

On Saturday, a cyber security researcher told AFP he had accidentally discovered a "kill switch" that could prevent the spread of the ransomware.

The researcher, tweeting as @MalwareTechBlog, said registering a domain name used by the malware stops it from spreading, though it cannot help computers already affected.

"If you have anything to patch, patch it," the researcher said in a blog post. "Now I should probably sleep."

A hacking group called Shadow Brokers released the malware in April claiming to have discovered the flaw from the NSA, Kaspersky said.

"Unlike most other attacks, this malware is spreading primarily by direct infection from machine to machine on local networks, rather than purely by email," said Lance Cottrell, chief scientist at the US technology group Ntrepid.

G7 finance ministers meeting in Italy vowed to unite against cyber crime, as it represented a growing threat to their economies and should be tackled as a priority. The danger will be discussed at the G7 leaders' summit next month.

In Britain, the attack disrupted care at National Health Service facilities, forcing ambulances to divert and hospitals to postpone operations.

"There will be lessons to learn from what appears to be the biggest criminal cyber-attack in history," Interior minister Amber Rudd said.

"But our immediate priority as a government is to disrupt the attack, restore affected services as soon as possible, and establish who was behind it so we can bring them to justice."

Explore further: Researcher finds 'kill switch' for cyberattack ransomeware

Related Stories

Alarm grows over global ransomware attacks

May 12, 2017

Security experts expressed alarm Friday over a fast-moving wave of cyberattacks around the world that appeared to exploit a flaw exposed in documents leaked from the US National Security Agency.

Organisations hit by global cyberattack

May 13, 2017

A huge range of organisations around the world have been affected by the WannaCry ransomware cyberattack, described by the EU's law enforcement agency as "unprecedented".

Explainer: What is ransomware?

May 13, 2017

Computers across the world were locked up Friday and users' files held for ransom when dozens of countries were hit in a cyber-extortion attack that targeted hospitals, companies and government agencies.

Recommended for you

Flexible, highly efficient multimodal energy harvesting

May 21, 2018

A 10-fold increase in the ability to harvest mechanical and thermal energy over standard piezoelectric composites may be possible using a piezoelectric ceramic foam supported by a flexible polymer support, according to Penn ...

Self-assembling 3-D battery would charge in seconds

May 17, 2018

The world is a big place, but it's gotten smaller with the advent of technologies that put people from across the globe in the palm of one's hand. And as the world has shrunk, it has also demanded that things happen ever ...

5 comments

Adjust slider to filter visible comments by rank

Display comments: newest first

julianpenrod
1 / 5 (7) May 13, 2017
The fact is, this could have been prevented. Engineers, software designers are always building back doors, channels, ways to get into systems into the machines and software. One can suspect they, themselves, want to be able to know what people are doing and so make it easy to get into their machines. It would not be surprising if they worked hand in hand with the hackers, if they were the hackers. That and scams like constantly requiring people to buy newer and bigger machines and software looks like they revenge against those who identified them for the antisocial slobs they are.
They could, for example, devise two systems, one to handle the questionable downloaded material first. If the downloaded material behaves strangely in the first machine, it won't be released to the larger system. They could devise software that could examine a file line by line to see if it would lead to undesirable behavior. They could do things like this, if they wanted to.
kochevnik
1 / 5 (2) May 13, 2017
USA digs own hole, takes world down with it. Only thing they make now is war and bribes from narcotrading. More NSA Equation toolz at https://github.com/x0rz/EQGRP
kochevnik
1 / 5 (1) May 14, 2017
Of course investigation will not lead back to CIA perps, but some patsy
ZergSurfer
5 / 5 (1) May 14, 2017
"They could, for example, devise two systems, one to handle the questionable downloaded material first."
Define questionable. Consider encryption.
"If the downloaded material behaves strangely in the first machine, it won't be released to the larger system."

This is called a virtual machine; https://en.wikipe..._machine

"They could devise software that could examine a file line by line to see if it would lead to undesirable behavior. They could do things like this, if they wanted to."
They do, and they do.
antialias_physorg
5 / 5 (1) May 15, 2017
"If the downloaded material behaves strangely in the first machine, it won't be released to the larger system."

1) It's easy to detect whether you're running in a virtual machine or not. Current malicious code can detect this and just doesn't run (or it runs just at a specific date - what then?).
2) If you do this then you're effectively crippling your system. If you quarantine every bit of script you run first before passing it on you just managed to convert an ultra fast server farm into a first generation calculator.

They could devise software that could examine a file line by line to see if it would lead to undesirable behavior.

Guess what anti-virus software does? However you cannot test all combinations of effects.
Is a routine for reading/writing a registry value malicious or not? Is a routine for writing a file malicious or not? Both are routines used for any number of legit pourposes. In combination they can be malicious.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.