A cyber weapon believed to have escaped the control of the United States’ top-secret National Security Agency appears to be behind a massive wave of cyber ransom attacks Friday in scores of countries around the globe that researchers said was the largest computer hack ever.
Computers seized in the attack flashed a message on a black screen with red letters: “Oops, your important files are encrypted.” Users were then unable to access their files and told to pay a ransom to regain access to their machines.
A Czech security research firm, Avast Software, said it had detected more than 57,000 computers frozen by the attack. The Moscow-based Kaspersky Lab said 74 countries had been hit, with Russia, Ukraine, India and Taiwan suffering the biggest impact. The global criminal attacks crippled 16 hospitals and clinics in Britain and affected telecommunications in Spain and Portugal.
“I believe this is the largest, in the effect it is having,” said Lior Div, chief executive of Cybereason, a Boston-based cybersecurity firm.
Div joined a chorus of cybersecurity experts that traced the global ransomware shakedown to a powerful cyber weapon developed by an elite offensive unit of the NSA that was leaked into the open in mid-April.
“There is no question about it,” Div said.
The NSA did not respond to a request for comment.
The day’s events highlighted the expanding scope of cyber ransom attacks and the potential to cause harm at institutions like hospitals.
The attack also underscored the power of cyber tools that U.S. intelligence agencies have developed to conduct cyber warfare, and the danger when those tools inadvertently become publicly available. Some experts cited it as reason for U.S. intelligence agencies to immediately notify software manufacturers when a vulnerability is discovered rather than keep it secret in order to exploit it.
“It would be shocking if the NSA knew about this vulnerability but failed to disclose it to Microsoft until after it was stolen. These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world,” said Patrick Toomey, a staff attorney with the American Civil Liberties Union’s National Security Project.
“It is past time for Congress to enhance cybersecurity by passing a law that requires the government to disclose vulnerabilities to companies in a timely manner,” Toomey added.
Avast said the wave of attacks had begun in Europe before dawn and grown throughout the day, affecting the Spanish telecom giant Telefonica and other companies. The hackers demanded $300 in ransom from each user to unlock the frozen hard drives of computers hit by the malware.
The malicious code used by the hackers is variously known as WanaCrypt0r, WannaCrypt or .WNCRY, and it first appeared in February, Avast said in a blog post. It attacks computers using Microsoft Windows operating systems. Microsoft issued a security patch in mid-March to block the malware, but any computer that failed to update its programming remained vulnerable.
Within the hacker code is a powerful cyber tool bug called EternalBlue, which emerged from the NSA, the incubator of U.S. cyber weapons. A mysterious group called The Shadow Brokers, which has been plaguing the NSA with disclosures of its offensive arsenal since mid-2016, released EternalBlue on April 14.
“WanaCrypt0r 2.0 is most likely spreading on so many computers by using an exploit the Equation Group, which is a group that is widely suspected of being tied to the NSA, used for its dirty business. A hacker group called ShadowBrokers has stolen Equation Group’s hacking tools and has publicly released them,” Avast said in a blog post.
Spain’s official Computer Emergency Readiness Team said the ransomware attacks included software it described as “EternalBlue/DoublePulsar.”
“An infection of just one computer can spread to the rest of a corporate network,” it said in an emergency bulletin.