Authorities on Friday said they were investigating a massive ransomware attack that reportedly hit more than 45,000 computers in 74 countries worldwide, including the UK’s NHS England national health service, international delivery service FedEx, and Spanish telecom firm Telefonica.
Security experts have linked the exploit to an earlier leak by the Shadow Brokers, who allegedly accessed a trove of hacking tools from the National Security Agency.
No Patient Care Crisis
Based on early information, a number of organizations reported that they were affected by a ransomware attack linked to the Wanna Decryptor, said NHS Digital spokesperson Tom Donnelly.
There was no immediate evidence that patient data was breached, he said, but the NHS was working with various organizations to confirm that.
The NHS was working with the National Cyber Security Centre, the Department of Health, and NHS England to support the affected organizations and recommend steps to mitigate the damage, according to Donnelly.
Patients who need emergency care should visit A&E or access emergency services the same way they normally would, said Anne Rainsberry, NHS incident director.
There are “tried and tested” contingency plans to deal with this incident, she added.
The brunt of the attack was felt in Russia, and the Russian Interior Ministry posted a statement confirming that it had localized an attack on thousands of personal computers, Kaspersky Lab reported.
Spain’s National Cybersecurity Institute confirmed that a number of companies were targeted. Telefonica, the country’s largest phone company, confirmed that some computers on its internal corporate network were hit, but it did not provide details.
The ransomware attack is linked to the WannaCry ransomware family, and it is spreading aggressively around the world to other organizations, said Adam Meyers, vice president of intelligence at CrowdStrike.
The attack thus far reportedly has breached telecom systems, hospitals, doctors’ surgeries, healthcare organizations, and gas and electric utilities in several European and Asian countries, ranging from the UK to Russia, Pakistan, Spain and others, he noted.
“The group behind the attack does not appear to be picky about the nation or sector it is targeting,” Meyers told the E-Commerce Times.
The attack vector has “all the hallmarks of a traditional computer worm,” he noted, adding that before now CrowdStrike had not seen a large-scale ransomware campaign that used a self-propagating technique at this scale, which makes this attack unique.
The victims likely have been targeted in bulk through massive phishing campaigns, delivering .zip archives with fake invoices, job offers, security warnings and undelivered mail, Meyers said.
Wana encrypts files using the AES-128 cipher and demands a bitcoin ransom that increases over time, according to Meyers. Encrypted files are given a .wncry file extension. Demands from this attack include requests for US$300 or $600 in bitcoin for a decryption key.
Companies should install ransomware prevention and machine learning tools, Trend Micro recommended. The firm also urged installation of MS17-010, a critical security patch Microsoft issued in March.
The most severe of the vulnerabilities could allow remote code execution, according to the Microsoft bulletin, if an attacker should send specially crafted messages to a Microsoft server message block 1.0 (SMBv1) server.
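As an added example, not code from the article or from any vendor quoted in it, the following PowerShell audits a Windows host for the two conditions the mitigation advice above concerns: whether SMBv1 is still enabled on the server side, and whether one of the MS17-010 updates is present. The KB list is an assumption drawn from the March 2017 bulletin; the cmdlets used are standard Windows ones.

```powershell
# Added example (not from the article): audit a Windows host for the two conditions
# the article's mitigation advice addresses - SMBv1 still enabled, and the MS17-010
# update apparently missing. Run in an elevated PowerShell session on
# Windows 8.1 / Server 2012 R2 or later (Get-SmbServerConfiguration is absent on Win7).

# KB numbers for the March 2017 MS17-010 security updates (assumption: taken from the
# bulletin; later cumulative updates supersede them, so a host patched after
# March 2017 may show none of these and still be protected).
$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')

function Test-Smb1Enabled {
    # Server-side SMBv1 support is what the MS17-010 remote code execution path requires.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Test-Ms17010Installed {
    # True if any of the listed MS17-010 KBs is reported by the hotfix inventory.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$smb1On  = Test-Smb1Enabled
$patched = Test-Ms17010Installed

Write-Host ("SMBv1 server enabled : {0}" -f $smb1On)
Write-Host ("MS17-010 KB present  : {0}" -f $patched)

if ($smb1On) {
    # Disabling SMBv1 removes the protocol the worm component spreads over;
    # confirm first that no legacy device (old printers, NAS, XP hosts) still needs it.
    Write-Warning "SMBv1 is enabled. Disable with:"
    Write-Host    "  Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
}
if (-not $patched) {
    Write-Warning "No MS17-010 KB found. Check Windows Update history before assuming exposure."
}
```

The script only reports and prints the remediation command; it changes nothing on its own, so it can be run across a fleet before deciding where SMBv1 can safely be turned off.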
“We are aware of reports of ransomware affecting multiple entities in Europe and Asia and are coordinating with our international cyber partners,” DHS spokesperson Scott McConnell told the E-Commerce Times in a statement.
The DHS “stands ready to support any international or domestic partner’s request for assistance,” he added, noting that the agency routinely provides cybersecurity assistance upon request, including “technical analysis and support.” Information shared with DHS as part of these efforts is confidential.