Large organizations on every continent report being hit by a campaign of ransomware attacks on Friday. Machines are being infected using exploits developed by the U.S. National Security Agency and leaked by the group known as ShadowBrokers, according to authorities.
More than 75,000 detections in 99 countries have been recorded. Russia appears to be the most infected country by far, according to cybersecurity firms Kaspersky and Avast.
The “number [is] still growing fast,” according to Costin Raiu, Kaspersky’s director of research.
Hospitals across England were forced to divert emergency patients after the ransomware hit their networks, according to the National Health Service. Other hospitals are asking patients to avoid coming in except for emergencies, news reports said. In Spain, targets including the telecommunications company Telefónica told employees to shut down machines and networks. Other victims include Gas Natural and Iberdrola, an electric utility firm.
The ransomware is a version of WannaCry — also known as WannaCrypt0r — according to Spain’s National Cryptologic Center. Intrusions are caused by “exploiting the vulnerability described in bulletin MS17-010 using EternalBlue / DoublePulsar,” Spain’s Computer Emergency Readiness Team explained Friday. “Infection of a single computer can end up compromising the entire corporate network.” U.S. CERT concurred with its Spanish counterpart later Friday.
EternalBlue and DoublePulsar are code names for NSA hacking tools used to infect thousands of machines around the world since they were leaked in April. Microsoft published a patch for the associated vulnerability in March under the bulletin designation MS17-010.
The NSA leak was attributed to the mysterious hacking group known as the Shadow Brokers. Descriptions of the ransomware campaign from Spanish authorities and from several cybersecurity researchers point directly to the leaked tools.
The ransomware “infects the machine by encrypting all its files and, using a remote command execution vulnerability through SMB, is distributed to other Windows machines on the same network. Microsoft published the vulnerability on March 14 in its bulletin and a few days ago a proof of concept was released that seems to have been the trigger of the campaign.” SMB is Microsoft’s Server Message Block protocol for network file sharing.
The attacks in different countries have been linked to the same group, according to the Financial Times. In Spain, the newspaper El Mundo reported that “early indications point to an attack originating in China.”
The U.S. Department of Homeland Security is “coordinating with our international cyber partners” in Europe and Asia, a spokesperson told CyberScoop. “The Department of Homeland Security stands ready to support any international or domestic partner’s request for assistance. We routinely provide cybersecurity assistance upon request, including technical analysis and support. Information shared with DHS as part of these efforts, including whether a request has been made, is confidential.”
Security researcher Kevin Beaumont advised patching machines immediately:
Confirmed – wcry ransomware spreading across Europe uses EternalBlue/MS17-010/SMB. PATCH NOW EVERYWHERE.
— Father Blockchainmas 🤨 (@GossiTheDog) May 12, 2017
“Given the rapid, prolific distribution of this ransomware, we consider this activity poses high risks that all organizations using potentially vulnerable Windows machines should address,” a spokesperson from the cybersecurity firm FireEye told CyberScoop. “Organizations seeking to take risk management steps related to this campaign can implement patching for the MS17-010 Microsoft Security bulletin and leverage the indicators of compromise identified as associated with this activity.”
FireEye has yet to see a U.S.-based company affected by the ransomware.
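As an added example (not code from the article or from any organization quoted in it), a PowerShell audit an administrator can run on a Windows host to check the two things the page calls out: whether SMBv1, the component the MS17-010 bulletin addresses, is still enabled, and whether any updates have been installed since Microsoft's March 14 bulletin. The function name and its -DisableSmb1 switch are my own; it assumes PowerShell 5 on Windows 8.1 / Server 2012 R2 or later, run as an administrator.

```powershell
function Test-Ms17010Exposure {
    # Added example, not code from the article or from any vendor quoted in it.
    # Assumes PowerShell 5.x on Windows 8.1 / Server 2012 R2 or later, run as administrator.
    [CmdletBinding()]
    param(
        # Only act (turn SMBv1 off) when the caller asks; the default is read-only.
        [switch]$DisableSmb1
    )
    # 1. Is the SMBv1 server component, the one MS17-010 addresses, still enabled?
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        Write-Warning "SMBv1 server is ENABLED on $env:COMPUTERNAME"
    } else {
        Write-Host "SMBv1 server is disabled on $env:COMPUTERNAME"
    }

    # 2. Which updates landed on or after 14 March 2017, the bulletin date the article gives?
    #    Coarse signal only: confirm the exact KB for your OS against the MS17-010 bulletin.
    $since  = [datetime]'2017-03-14'
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
              Sort-Object InstalledOn -Descending
    if (-not $recent) {
        Write-Warning "No updates installed since $($since.ToString('yyyy-MM-dd')); MS17-010 is likely missing"
    } else {
        $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize | Out-String | Write-Host
    }

    # 3. Is SMB (TCP 445) listening? The article describes spread host-to-host over SMB
    #    inside the network, so a listener on a host that shares nothing is needless exposure.
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    if ($listen) {
        $addrs = ($listen.LocalAddress | Select-Object -Unique) -join ', '
        Write-Host "TCP 445 is listening on: $addrs"
    }

    # 4. Optional remediation. Patching is the real fix; disabling SMBv1 removes the
    #    vulnerable code path on hosts that no longer need the legacy protocol.
    if ($DisableSmb1 -and $smb.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 server disabled; reboot to unload the driver"
    }
    # Return a summary object so results can be collected across many hosts.
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Smb1WasEnabled = [bool]$smb.EnableSMB1Protocol
        UpdatesSince   = @($recent).Count
        Port445Listen  = [bool]$listen
    }
}
```

Run `Test-Ms17010Exposure` for a report, or `Test-Ms17010Exposure -DisableSmb1` to also turn SMBv1 off; on Windows 7 / Server 2008 R2 the SMB cmdlets are absent and the equivalent check is the SMB1 value under the LanmanServer Parameters registry key.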
Disruption in the U.K.
A total of 48 health facilities across England had been hit by the malware, according to the NHS. One of them, St Bartholomew’s Hospital in London, received warnings earlier this year that computers using Windows XP were vulnerable, reported the technology news site the Inquirer. The Derbyshire Community Health Services NHS Trust reportedly shut down all of its IT systems. East and North Hertfordshire NHS Trust, a hospital just north of London, publicly acknowledged “a major IT problem” that was “believed to be caused by a cyber attack.”
“At this stage we do not have any evidence that patient data has been accessed,” an NHS statement said. “We will continue to work with affected organizations to confirm this.”
News of the English hospitals being hit with ransomware spread quickly among doctors and hospital employees, including in a widely shared message from an English doctor that made the rounds on social media.
Why would you cyber attack a hospital and hold it for ransom? The state of the world 😂 pic.twitter.com/e6h6yNrBBB
— If.ra (@asystoly) May 12, 2017
“So our hospital is down,” the doctor wrote. “We got a message saying your computers are now under their control and pay a certain amount of money. And now everything is gone.”
Chris Bing contributed reporting.