

Hackers used stolen NSA tools to launch a cyberattack on more than 70 countries

Hackers used tools apparently stolen from the U.S. National Security Agency to cripple hospitals across England Friday, forcing doctors to turn away patients in what the United Kingdom’s Prime Minister Theresa May says was just one part of a widespread international assault.

By Friday evening, 16 National Health Service providers had found “ransomware” on their networks informing people that their data had been encrypted and would remain so until they paid a $300 ransom in the cryptocurrency bitcoin. More than 57,000 computers across 74 countries, including Spain, Portugal, Russia, and Taiwan, were rapidly infected by similar ransomware Friday, researchers found. Russia appears to have been hit the hardest by the attacks.


The unprecedented attack was reportedly enabled by hacking tools thought to have been originally developed by the NSA, which an entity by the name of “Shadow Brokers” stole and leaked to the internet back in April. Experts have variously dubbed the malware used in the Friday attack “Wanna-Cry,” “WanaCypt0r,” or “Wanna Decryptor,” and believe it exploits a vulnerability in Microsoft’s Windows operating system to invisibly move from computer to computer. And unlike many other forms of malware, it can spread on its own — it doesn’t need humans to, for example, click on fake email attachments.

Microsoft released a patch to fix its operating system’s vulnerability months ago, but it appears that the NHS and several other systems have yet to adopt it.

May stressed that hackers had not sought to specifically target the NHS, highlighting what Andrea Zapparoli Manzoni called the “haphazard fashion” of the attack.

“This particular ransomware contains a vulnerability, called Eternal Blue, which was developed in U.S. intelligence circles and was then stolen,” Manzoni, who is a senior manager in the Information Risk Management division of KPMG Advisory in Italy, told Reuters. “That gives you an idea about why the level of risk is particularly high. The aim isn’t to hit any specific country but to strike as widely as possible to make money.”

Within the UK, the attack forced healthcare providers to cancel appointments and tell people in affected areas to seek medical care only in case of emergency.


According to screenshots of the attack posted online, victims’ computers display a message telling victims they have three days to hand over the $300 in bitcoins. “After that the price will be doubled,” the message reads. “Also if you don’t pay in seven days, you won’t be able to recover your files forever.”

“The danger with paying the ransom is there’s no guarantee they’ll recover their encrypted data and this only makes ransomware more successful in the long run for hackers,” David Kennerley, Director of Threat Research at the American internet security firm Webroot, said in a statement.

FedEx and Spain’s telecommunications giant Telefonica were also reportedly targeted, but so far, the attack doesn’t appear to have actually affected their services.

David Gilbert contributed reporting to this story.