Wintry mix spreads across Minnesota

MPR News helps you turn down the noise and build shared understanding. Turn up your support for this public resource and keep trusted journalism accessible to all. 

Turn Up Your Support

First, there were reports of Spain's largest telecom being hit with pop-up windows demanding a $300 ransom to access files. Then at least 16 hospitals in England's National Health Service were affected, locking doctors and nurses out of patients' records unless they paid up. Now comes word that networks around the world are under attack Friday.

"Currently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia," cyber security firm Kaspersky says. We'll note that Kaspersky supports NPR and is a provider of security services for its IT systems.

Friday's attacks are being blamed on a piece of malware called WCry, WannaCry, or Wana Decryptor, that's been tracked in large-scale attacks in Europe and Asia — particularly Russia and China — and a scattering of attacks in the U.S. and South America, according to a map on the Malware Tech site.

https://twitter.com/MalwareTechBlog/status/863054943632187392

Victims of the attack are confronted with a pop-up window that tells them their files are now encrypted and that they need to send $300 via the bitcoin cryptocurrency.

"You can decrypt some of your files for free," reads the message, which we're seeing today in a variety of languages. "But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled."

The window includes a countdown clock that threatens the files will be lost permanently in seven days.

Wana Decryptor exploits a Windows flaw that was patched in Microsoft's Security Bulletin MS17-010 in March. But on machines that haven't been updated or patched, the malicious code encrypts all of an infected machine's files — and then spreads itself.

"Infection of a single computer can end up compromising the entire corporate network," Spain's National Cryptologic Center says.

https://twitter.com/fendifille/status/862997621039878145

The malware is alleged to have been leaked or stolen from the National Security Agency, as the 

 reports. It was reportedly distributed by the Shadow Brokers, which claimed to have hacked an NSA-linked team of hackers last August.

The Shadow Brokers group, which is suspected of having ties to Russia, posted Windows hacking tools last month.

"Activity from this ransomware family was almost inexistent prior to today's sudden explosion when the number of victims skyrocketed in a few hours," Bleeping Computer's Catalin Cimpanu writes.

In the U.S., the Computer Emergency Readiness Team, or CERT, says it has "received multiple reports of ransomware infections in several countries around the world," without identifying those countries.

https://twitter.com/elmundoes/status/862980443217555458

The Department of Homeland Security says it's coordinating with "international cyber partners" in the wake of the widespread attacks. When asked to confirm that Wana Decryptor has struck in the U.S., and at what scale, Acting Deputy Press Secretary Scott McConnell did not provide specifics.

"We routinely provide cybersecurity assistance upon request, including technical analysis and support," McConnell says. "Information shared with DHS as part of these efforts, including whether a request has been made, is confidential."

Commenting on today's attack, Sen. Ben Sasse, a member of the Senate Armed Services Committee, says:

England's NHS says at least 16 of its organizations were hit by the ransomware. In an statement released around 11:30 a.m. ET, the system's digital office said, "This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors."

The attack has also hit facilities in Scotland, where Health Secretary Shona Robison says officials are "taking immediate steps to minimize the impact of the attack across NHS Scotland and restrict any disruption."

"The investigation is at an early stage, but we believe the malware variant is Wanna Decryptor," the NHS says, referring to software that is being blamed for a number of ransom attacks in Europe Friday.

"At this stage we do not have any evidence that patient data has been accessed," the system says.

An IT worker at the public health care system tells 

 that it's the biggest problem they've seen in their six years working for the service.

The problem erupted around 12:30 p.m. local time, the IT worker says, with a number of email servers crashing. Other services soon went down, and then, the unidentified NHS worker says, a "bitcoin virus pop-up message" started taking over computer screens.

The U.K.'s National Cyber Security Center says it's working with both the digital office of the NHS and law enforcement.

Images that were posted online of the NHS pop-up look nearly identical to pop-up ransomware windows that hit Spain's Telefonica, a powerful attack that forced the large telecom to order employees to disconnect their computers from its network and to resort to an intercom system to relay messages, according to Bleeping Computer.

Science

Crime, Law and Justice

Maggie Penman

Author

"We'll likely look back at this as a watershed moment," says Sen. Ben Sasse, as malware called Wana Decryptor is blamed for large-scale attacks around the world.

Ransomware attacks ravage computer networks in dozens of countries

Go Deeper.

Like this?

News you can use in your inbox