Malicious software that blocks access to computers is spreading swiftly across the world, snarling critical systems in hospitals, telecommunications and corporate offices, apparently with the help of a software vulnerability originally discovered by the National Security Agency.
The reports of the malware spread began in Britain, where the National Health Service reported serious problems throughout Friday. But officials and cybersecurity experts later described a far-more extensive problem spreading across the Internet and unbounded by national borders.
“This is not targeted at the [National Health Service],” British Prime Minister Theresa May said in a statement. “It’s an international attack, and a number of countries and organizations have been affected.”
Cyber experts said the malicious software works by exploiting a flaw in Microsoft software that was described in NSA documents that were stolen from the agency and leaked publicly by a criminal group called Shadow Brokers.
Microsoft already has released a patch fixing the flaw, but it was apparently applied inconsistently, with many computers continuing to be unprotected. The malicious software – called “ransomware” because it encrypts systems and threatens to destroy data if a ransom is not paid — is spreading among computers that have not been patched, experts said.
“The most exploitable industry in the world is the health care sector,” said Tom Kellerman, chief executive of Strategic Cyber Ventures, who said the industry is chronically hobbled by regulation and insufficient investment in computer security.
It was not immediately clear how many other countries were affected. But authorities in Spain said Spanish companies were among those targeted.
The BBC broadcast a screen-shot of a message apparently sent to the National Health Service medical facilities demanding payments for unlocking computer files that had been “encrypted” by the attack.
Officials made no public comment on the possible source of the hack, which touched off havoc and confusion across the state-run health system. Operations were canceled, emergency room services were scaled down, and medical personnel went back to using handwritten notes.
Health officials offered no indication of when services might return to normal, or whether patient records could be permanently lost to the attack.
The demand specifies that payments should be made via bitcoin, an online currency. The screen-shot shows a countdown clock that appears to have begun with three full days.
“Can I recover my files?” the message asks. “Sure. We guarantee that you can recover all your files safely and easily.”
Then it adds in slightly mangled syntax: “But you have not so enough time.” It warns that the ransom demand will double after three days and that after seven days, “you won’t be able to recover your files forever.”
A statement from NHS Digital – the computer services arm of the health service – said at least 16 hospitals or doctor’s offices were directly affected by the attack. Officials later acknowledged the number was rising, though they did not give a precise figure.
Other health-care centers, meanwhile, turned off their computers to avoid potential infiltration. NHS Digital said it did “not have any evidence that patient data has been accessed.”
There also was no immediate evidence to suggest disruptions to medical procedures that use high-tech tools. But the basic business of hospitals was being thrown into turmoil.
The style of attack that appeared to be on display Friday has become increasingly common in recent years, said Cornell University computer science professor Emin Gun Sirer.
The attacks, he said, feature hackers who infiltrate the computer network of an individual, company or institution, encrypt the files and then demand ransom payments in exchange for undoing the encryption. The attackers typically demand payment be made in bitcoins because “there are no take-backs. Once a transfer has been made, it’s final.”
Sirer said ransomware has become a lucrative business for criminal syndicates that can make millions of dollars a day from such attacks. Once a victim has been successfully attacked, their choices are limited.
“Undoing the hack is going to be just about impossible,” he said. “The only options are to wipe the machines and move on or to pay the ransom.”
Hospitals have often been targets of such attacks, he said, because they typically have limited or outdated IT infrastructure to defend against them.
Nigel Inkster, former director of operations and intelligence for MI6, told Sky News that one of the reasons the NHS in particular was vulnerable was its outdated software system. “A lot of hospital trusts in the U.K. – 40-plus last time I checked – are running their systems on Windows XP software, which hasn’t been supported by Microsoft for two or three years,” he said. “In other words, Microsoft is no longer looking for and seeking to repair vulnerabilities in the system.”
Attacks on health-care systems can also be especially high-stakes, creating potential life-or-death situations and raising the chances that the victim will ultimately pay.
Signs hung on the door at the emergency ward at the Royal London Hospital Friday afternoon read: “The emergency department has no IT facilities”
Across England on Friday, as well as at a handful of facilities in Scotland, internal tech systems were down in hospitals ranging from the center of London to rural parts of the country’s south and north.
The attack affected emergency services in some locations, and patients were urged to avoid visits to the emergency room unless absolutely necessary.
NHS Digital said it would be working with Britain’s National Cyber Security Center in efforts to resolve the outage. The attack, meanwhile, may have broader implications beyond Britain’s health service.
“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” NHS Digital said in its statement without giving details.
The statement identified the culprit as a type of malware known as Wanna Decryptor, a malware that can give hackers the ability to access to encryption-protected files.
The attack came as Spain’s National Cryptologic Center announced a “massive ransomware attack” against Spanish companies. The statement said the attackers were demanding a ransom payment in bitcoins. It’s unclear whether the two cyberattacks were related.
The attack in Britain had immediate impacts in hospitals across the country.
Richard Harvey, 50, was just about to undergo surgery Friday afternoon on his leg following a motorcycle accident when a nurse told him that the procedure had been canceled due to a cyberattack.
“I’m a bit of a nervous person and had to get settled about the operation, which I was. Now I had to go through that again,” said Harvey, a former hospital porter who had been fasting since the previous evening in preparation for the operation at Royal London Hospital in east London. “A cyberattack? That doesn’t happen every day.”
Stephen Hirst, a doctor in the northern English town of Preston, told the BBC that the first sign of the infiltration was an error message warning that “we’d have to pay money to unlock the computer because it’s been encrypted.
“It’s compromising having to open files and complete prescriptions. It’s interfering with day-to-day functioning,” Hirst said.
Doctors were using pen and paper as the National Health Service struggled to get computers back online. Routine appointments were being canceled.
The BBC reported that a list of affected locations included London, Blackburn, Nottingham, Cumbria and Hertfordshire.
Cybersecurity has been high on the agenda of many high-level gatherings of Western military and political leaders.
A report issued Wednesday by the European Commission called for greater attention to cyberthreats as the world becomes “more vulnerable to cyberattacks, with security breaches causing significant damage.” It said the commission plans a full review of European Union cybersecurity measures by September.
(c) 2017, The Washington Post · Craig Timberg, Griff Witte, Karla Adam