Nearly 100 countries were struck Friday, May 12, by cyber extortionists believed to be using a tool stolen from the US NSA to infect the computers of some 75,000 victims, mainly in Britain, Spain, Russia, Ukraine and Taiwan. In the biggest global ransom cyberassault known to date, unknown hackers tricked victims into opening malicious attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files. They demanded ransom payments of $300 to $600 to restore access – some victims paid up in the digital currency bitcoin.
In April, a group calling itself the Shadow Brokers reportedly stole the tool from the NSA, but it may have spread to other hackers.
The most disruptive attacks were reported in Britain, where dozens of hospitals and clinics had to turn away patients. In Russia, the attackers targeted the Home Ministry and many police stations across the country.
Only a small number of US-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Vikram Thakur, research manager with security software maker Symantec. By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious. The US Homeland Department offered to share information with domestic and foreign partners.
Private security firms identified the ransomware as a new variant of "WannaCry" that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft's Windows operating system.
Spanish authorities confirmed the ransomware is spreading through the vulnerability, called "EternalBlue," and advised people to use an updated Microsoft patch issued in March.
Kaspersky Lab says that although the WannaCry ransomware can infect computers even without the vulnerability, EternalBlue is "the most significant factor" in the global outbreak. The ransomware has a 'hunter' module, which seeks out PCs on internal networks. "So, for example, if your laptop is infected and you went to a coffee shop, it would spread to PCs at the coffee shop. From there, to other companies."
"This is one of the largest global ransomware attacks the cyber community has ever seen," said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.