A cyber weapon believed to have escaped the control of the United States’ top-secret National Security Agency appears to be behind a massive wave of cyber ransom attacks Friday in scores of countries around the globe that researchers said was the largest computer hack ever.
Computers seized in the attack flashed a message on a black screen with red letters: “Oops, your important files are encrypted.” Users were then unable to access their files and told to pay a ransom to regain access to their machines.
A Czech security research firm, Avast Software, said it had detected more than 57,000 computers frozen by the attack. The Moscow-based Kaspersky Lab said 74 countries had been hit, with Russia, Ukraine, India and Taiwan suffering the biggest impact. The global criminal attacks crippled 16 hospitals and clinics in Britain and affected telecommunications in Spain and Portugal.
“I believe this is the largest, in the effect it is having,” said Lior Div, chief executive of Cybereason, a Boston-based cybersecurity firm.
Div joined a chorus of cybersecurity experts who traced the global ransomware shakedown to a powerful cyber weapon developed by an elite offensive unit of the NSA that was leaked into the open in mid-April.
“There is no question about it,” Div said.
The NSA did not respond to a request for comment.
The day’s events highlighted the expanding scope of cyber ransom attacks and the potential to cause harm at institutions like hospitals.
The attack also underscored the power of cyber tools that U.S. intelligence agencies have developed to conduct cyber warfare, and the danger when those tools inadvertently become publicly available. Some experts cited it as reason for U.S. intelligence agencies to immediately notify software manufacturers when a vulnerability is discovered rather than keep it secret in order to exploit it.
“It would be shocking if the NSA knew about this vulnerability but failed to disclose it to Microsoft until after it was stolen. These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world,” said Patrick Toomey, a staff attorney with the American Civil Liberties Union’s National Security Project.
“It is past time for Congress to enhance cybersecurity by passing a law that requires the government to disclose vulnerabilities to companies in a timely manner,” Toomey added.
Avast said the wave of attacks had begun in Europe before dawn and grown throughout the day, affecting the Spanish telecom giant Telefonica and other companies. The hackers demanded $300 in ransom from each user to unlock the frozen hard drives of computers hit by the malware.
The malicious code used by the hackers is variously known as WanaCrypt0r, WannaCrypt or .WNCRY, and it first appeared in February, Avast said in a blog post. It attacks computers using Microsoft Windows operating systems. Microsoft issued a security patch in mid-March to block the malware, but any computer that failed to update its programming remained vulnerable.
Within the hacker code is a powerful exploit called EternalBlue, which emerged from the NSA, the incubator of U.S. cyber weapons. A mysterious group called The Shadow Brokers, which has been plaguing the NSA with disclosures of its offensive arsenal since mid-2016, released EternalBlue on April 14.
“WanaCrypt0r 2.0 is most likely spreading on so many computers by using an exploit the Equation Group, which is a group that is widely suspected of being tied to the NSA, used for its dirty business. A hacker group called ShadowBrokers has stolen Equation Group’s hacking tools and has publicly released them,” Avast said in a blog post.
Spain’s official Computer Emergency Readiness Team said the ransomware attacks included software it described as “EternalBlue/DoublePulsar.”
“An infection of just one computer can spread to the rest of a corporate network,” it said in an emergency bulletin.
A prominent computer security expert, Chris Wysopal, co-founder of the application security company Veracode, in Burlington, Massachusetts, said in a tweet that the WanaCrypt0r ransomware epidemic may be an indicator of how powerful some NSA hacking tools are.
“When you see the # of victims of ransomware attack using NSA’s EternalBlue you realize how easy it was for them to penetrate adversaries,” Wysopal tweeted.
The wave of attacks largely sidestepped the United States, and the reason wasn’t entirely clear. But the attacks grabbed the attention of U.S. legislators and cyber researchers alike.
“We’ll likely look back at this as a watershed moment,” said Sen. Ben Sasse, a Nebraska Republican who is a member of the Senate Armed Services Committee. He said the attacks on Britain’s health system had left physicians and nurses “scrambling to treat patients without their digital records or prescription dosages.”
U.S. computer networks may face their day soon, cyber experts said.
“There is cause for alarm in the U.S. as well, given the speed at which this attack has spread and the fact that it seems to know no border,” said Mounir Hahad, senior director at Cyphort Labs in California’s Silicon Valley.
Another cyber expert said cyber criminals were learning to amplify their reach.
“With WannaCrypt leveraging EternalBlue, ransomware has taken on a new form of automation. The author only has to infect one computer on the network. Once that device is infected, the ransomware will worm across the network compromising other computers,” said researcher Daniel Smith of Radware, a cybersecurity services firm based in Tel Aviv, Israel.
Others saw the attack on the 16 hospitals and clinics of Britain’s National Health Service as a harbinger of attacks on specific sectors of economic activity.
“The NHS hospital attack is an indicator for a new evolution of malware that will focus on critical systems such as airlines and hospitals where paying ransoms may be the only way to resume business operations in some cases of life or death,” said Paul Calatayud, chief technology officer at FireMon, an Overland Park, Kansas, cybersecurity firm.
Others worried that U.S. intelligence agencies can give criminal groups powerful new ways to refine their techniques by failing to safeguard their cyber arsenals or failing to alert software makers quickly when vulnerabilities are discovered.
Federal agencies like the NSA develop their own tools to hack systems but also buy them from malware vendors. The U.S. government and other nations are believed to stockpile certain security vulnerabilities, declining to disclose them to software developers so they can continue to exploit them.
That has provoked tension with some high-tech companies, and it led in early 2016 to the release of a framework known as the Vulnerabilities Equity Process, as a way to determine when and whether the government should disclose software flaws.