TORONTO – A wave of “unprecedented” cyber attacks struck a hundred countries, affecting the operations of many companies and organizations on Saturday, including British hospitals and French manufacturer Renault.
From Russia to Spain and from Mexico to Australia, tens of thousands of computers were infected Friday with ransomware exploiting a flaw in Windows systems, disclosed in documents stolen from the American security agency NSA.
The UK public health service (NHS), the world’s fifth-largest employer with 1.7 million employees, appears to have been the main victim of these attacks, and potentially the most worrying one, since patients were put at risk.
But it is far from being the only one. French automaker Renault told AFP on Saturday that it had been affected and that production sites had been stopped in France and also in Slovenia, at Renault’s subsidiary Revoz.
The Russian central bank said Saturday that the country’s banking system had been targeted by the cyberattack, as well as several ministries, and that the hackers had attempted to break into the computer systems of the railway network.
The US parcel delivery giant FedEx and the Spanish telecom company Telefonica were also affected.
The German railway company was also affected. While station display boards were hacked, Deutsche Bahn gave assurances that the attack had no impact on traffic.
According to computer security company Kaspersky, Russia is the country that has been most affected by these attacks.
The attack is “of an unprecedented level” and “will require a complex international investigation to identify the culprits,” the European Police Office said in a statement Saturday.
Cyber security expert Varun Badwhar also spoke of an attack of “unprecedented scale”, adding, on the British channel Sky News, that it gave a glimpse of what a “cyber apocalypse” could look like.
Former Spanish hacker Chema Alonso, who has become Telefonica’s cybersecurity officer, said on Saturday, however, that despite “the media rumors it produced, this ransomware did not have much impact” because “you can see on the Bitcoin wallet used that the number of transactions” is low.
According to the latest count, he said, only “6,000 dollars have been paid” to the extortionists worldwide.
The malicious software locks the users’ files and forces them to pay a sum of money in the virtual currency bitcoin to regain access to them: this type of software is called “ransomware”.
Screenshots of infected computers of the British NHS show that the hackers are asking for a payment of 300 dollars in bitcoins. The payment must be made within three days, or the price doubles, and if the money is not paid within seven days the locked files will be erased.
Forcepoint Security Labs, a security company, spoke of “a major campaign to spread infected emails,” with some five million emails sent every hour spreading the malware called WCry, WannaCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r.
US and UK authorities advised affected individuals, businesses and organizations not to pay the hackers.
G7 finance ministers meeting Saturday in Bari, Italy, were to announce enhanced cooperation to combat hacking, with the United States and the United Kingdom leading a think tank to develop an international prevention strategy.
“Not finished”
The British NHS on Saturday tried to reassure its patients, but many feared a risk of chaos, especially in emergency departments, while the public health system, undergoing austerity measures, is already at breaking point.
“About 45 facilities” of the public health service have been affected, Interior Minister Amber Rudd said Saturday on the BBC. Several of them were forced to cancel or postpone medical interventions.
Ms. Rudd added that the authorities were still trying to identify the perpetrators of the attack.
According to Kaspersky, the malware was published in April by the hacker group “Shadow Brokers”, which claims to have discovered the flaw via the NSA.
“This ransom software can spread without anyone opening an email or clicking on a link,” said Lance Cottrell, Scientific Director of the US-based Ntrepid Technology Group.
A cyber security researcher told AFP he had found a way to slow the spread of the virus. Tweeting from @Malwaretechblog, he explained that “generally malicious software is connected to a domain name that is not registered. By simply registering this domain name, we can stop its spread.”
The researcher nevertheless insisted on the importance of immediately updating computer systems because, according to him, “the crisis is not finished, they can still change the code and try again.”
“If the NSA had privately discussed this flaw used to attack hospitals when they ‘discovered’ it, rather than when it was stolen from them, it could have been avoided,” said on Twitter Edward Snowden, the former consultant to the US security agency who had unveiled the extent of NSA surveillance in 2013.
Phillip Misner, the Principal Security Manager for the Microsoft Security Response Center, a group tasked with delivering timely security fixes and setting the priority of exploits, took to the TechNet blog to explain the company’s stance on the issue and the steps it has taken.
- In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.
- For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider that they are protected.
- This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).
Misner also noted that Microsoft “worked throughout the day” to understand the attack, and was assisting their customers in dealing with the issue.
As a result, Microsoft has released a security patch for the following operating systems:
- Windows Server 2003 SP2 x64
- Windows Server 2003 SP2 x86
- Windows XP SP2 x64
- Windows XP SP3 x86
- Windows XP Embedded SP3 x86
- Windows 8 x86
- Windows 8 x64
It’s also important to note that more recent operating systems, such as Windows 8.1 and Windows 10, have had patches available since March.
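
The SMBv1 and patching advice in Microsoft's guidance above can be checked per host with a short audit script. This is an added example, not code from Microsoft or from the original article; the `-KbIds` and `-DisableSmb1` parameters are names chosen here, and the update IDs that carry MS17-010 for a given OS must be taken from the bulletin itself.

```powershell
#Requires -RunAsAdministrator
param(
    # Update IDs that carry MS17-010 for this OS build; supply them from the
    # bulletin (none are hard-coded here).
    [string[]]$KbIds = @(),
    # Without this switch the script only reports and changes nothing.
    [switch]$DisableSmb1
)

$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# SMBv1 on the listener side. The cmdlet exists on Windows 8 / Server 2012 and later.
$srv = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
$report.Smb1ServerEnabled = if ($srv) { $srv.EnableSMB1Protocol } else { 'unknown (cmdlet unavailable)' }

# SMBv1 as an optional feature (Windows 8.1 / 10 clients).
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report.Smb1FeatureState = if ($feat) { "$($feat.State)" } else { 'unknown (feature not found)' }

# Patch check. A later cumulative update can supersede the listed IDs, so an
# empty match means "verify by hand", not "definitely unpatched".
if ($KbIds.Count -gt 0) {
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $found = @($KbIds | Where-Object { $installed -contains $_ })
    $report.MatchingUpdates = if ($found.Count) { $found -join ',' } else { 'none found' }
}

if ($DisableSmb1) {
    if ($srv -and $srv.EnableSMB1Protocol) {
        # Stops this host from accepting SMBv1 sessions.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $report.Smb1ServerEnabled = $false
    }
    if ($feat -and "$($feat.State)" -eq 'Enabled') {
        # Removes the SMBv1 component; takes effect after a reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $report.Smb1FeatureState = 'Disabled (reboot pending)'
    }
}

[pscustomobject]$report
```

Run it first without `-DisableSmb1` to inventory hosts, since legacy devices that only speak SMBv1 will lose access to shares once the protocol is turned off.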