A massive cyberattack galloped across international borders on 12 May 2017, crippling such vital organizations as Telefonica (a telecom company in Spain), Britain’s network of hospitals run by the National Health Service (NHS), and the Russian Interior Ministry. A live graphic of the malware’s spread generated by MalwareTech.com showed it propagating rapidly through Europe, North and South America, Asia and Australia.

The attack utilized a type of malware called ransomware, which blocks users from accessing their own computer systems by encrypting their files and demanding payment (in Bitcoin) to release them. The NHS said in a statement that 16 of its organizations were affected. Cyber security firm Avast said they tracked “75,000 detections of WanaCrypt0r 2.0, in 99 countries.” Russia, Ukraine and Taiwan were the biggest geographical targets.

Damon McCoy, an assistant professor of computer science at New York University, explained “ransomware” by phone:

Ransomware targets key files — documents, photographs, et cetera — and essentially encrypts them to remove them so you can no longer use them unless you had backups. Then they try and hold your files for ransom. They try and extort money out of you. Usually they request payment via Bitcoin.

Bitcoin is a form of digital currency favored by cyber criminals because it’s unregulated and transactions are difficult to track, McCoy said. Further, Bitcoin transactions can’t be reversed, meaning payments are permanent.

According to a Microsoft spokesperson, the software company issued a security update to guard against the potential for an attack by the new malicious software, known as “Ransom:Win32.WannaCrypt.” Although most individual consumers will not be affected so long as they employ automatic update installations on their computers, large companies and institutions like hospitals are getting hit because it’s more complicated for them to update — they can’t afford to have system downtime. 

McCoy said a hacking group known as Shadow Brokers stole vulnerability information from the National Security Agency, which the agency acquired through a hacking program known as Equation Group. The NSA for years used the information to exploit vulnerabilities for cyber espionage. After hijacking it, Shadow Brokers tried to auction the information, and when they didn’t succeed they gave it away.

The American Civil Liberties Union responded to the cyber attack with a statement from staff attorney Patrick Toomey:

It would be deeply troubling if the NSA knew about this vulnerability but failed to disclose it to Microsoft until after it was stolen. These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world. It is past time for Congress to enhance cybersecurity by passing a law that requires the government to disclose vulnerabilities to companies in a timely manner. Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.

In April 2017, Matthew Hickey, the cofounder of cyber security firm Hacker House, presciently told Ars Technica that the hack was an effective release of “cyber weapons”:

The Shadow Brokers — the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency’s weaponized software exploits — just published its most significant release yet. Friday’s dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world.

Friday’s [14 April 2017] release — which came as much of the computing world was planning a long weekend to observe the Easter holiday — contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.

“It is by far the most powerful cache of exploits ever released,” Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. “It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective.”

Hickey told us that whoever the attacker or attackers are, they are using Tor, a software tool that allows people to use the internet anonymously while obfuscating their geographical location. We asked the NSA for comment, but got no response.

Hours after the attack started, Ars Technica reported someone had discovered a “kill switch” to stop the worm:

The virally spreading worm was ultimately stopped when a researcher who uses the Twitter handle MalwareTech and works for security firm Kryptos Logic took control of a domain name that was hard-coded into the self-replicating exploit. The domain registration, which occurred around 6 AM California time, was a major stroke of good luck, because it was possible only because the attackers had failed to obtain the address first.

The address appeared to serve as a sort of kill switch the attackers could use to terminate the campaign. MalwareTech’s registration had the effect of ending the attacks that had started earlier Friday morning in other parts of the world. As a result, the number of infection detections plateaued dramatically in the hours following the registration. It had no effect on WCry infections that were initiated through earlier campaigns.

Sources:

Avast. “Ransomware That Infected Telefonica and NHS Hospitals Is Spreading Aggressively, With Over 50,000 Attacks So Far, Today.”
  12 May 2017.

Bilefsky, Dan, and Perlroth, Nicole. “Cyberattacks in 12 Nations Said to Use Leaked N.S.A. Hacking Tool.”
  The New York Times. 12 May 2017.

Solon, Olivia. “Hacking Group Auctions ‘Cyber Weapons’ Stolen From NSA.”
  The Guardian. 16 August 2016.

Fingas, Jon. “‘Shadow Brokers’ Give Away More NSA Hacking Tools.”
  Engadget. 8 April 2017.

Goodin, Dan. “NSA-Leaking Shadow Brokers Just Dumped Its Most Damaging Release Yet.”
  Ars Technica. 14 April 2017.

Ruano, Carlos, et al. “Telefonica, Other Spanish Firms Hit in ‘Ransomware’ Attack.”
  Reuters. 12 May 2017.

Winning, Alexander. “Cyberattack Hits Russian Interior Ministry Computers: Interfax.”
  Reuters. 12 May 2017.

Goodin, Dan. “An NSA-Derived Ransomware Worm Is Shutting Down Computers Worldwide.”
  Ars Technica. 12 May 2017.