
What We Know and Don’t Know About the International Cyberattack

Hospitals in Britain, several companies in Spain and 11 other countries have confirmed attacks on their systems. Patient information does not appear to have been stolen or compromised, according to the National Health Service of Britain. Credit: Ben Stansall/Agence France-Presse — Getty Images

Right Now: Security experts warned that the full impact of the audacious cyberattack that crippled 200,000 computers in more than 150 countries might be truly felt in the new workweek as workers return to their offices and turn back on their computers.

■ The spread of a “ransomware” attack against computer systems around the world affected the United States much less than other nations because a British cybersecurity researcher accidentally stopped the attack from spreading more widely, according to cybersecurity experts.

■ Hackers appeared to have exploited a flaw in Microsoft’s Windows operating system that was first discovered by the United States National Security Agency. The flaw and a tool to exploit it with malicious software were made public in April by a hacker collective known as Shadow Brokers.

■ Cybersecurity experts identified the malicious software as a variant of ransomware known as WannaCry. Workers at hospitals and companies across the globe were confronted with a message on their monitors that read, “Oops, your files have been encrypted!” and demanded $300 in Bitcoin, an anonymous digital currency preferred by criminals, to restore access.

■ Experts said that the attackers might pocket more than $1 billion from individuals worldwide before the deadline to unlock the machines ran out.

■ Among the companies and government agencies affected were FedEx, Britain’s National Health Service and the Russian Interior Ministry.

■ In Asia, there were widespread reports of attacks at universities, with students locked out of their theses and final papers as graduation loomed.

■ Over all, more than 45,000 attacks were recorded in nearly 100 countries. Russia was the worst hit, followed by Ukraine, India and Taiwan, according to Kaspersky Lab, a Russian cybersecurity firm.

■ Microsoft issued a new patch for its Windows software after the attack.

■ At least 45 British hospitals and other medical facilities seemed to be hit hardest by the attacks, which blocked doctors from gaining access to patient files and caused emergency rooms to divert patients. Prime Minister Theresa May said there was no evidence that patient data had been stolen.

■ On Saturday, British authorities said that 48 of Britain’s 248 public health trusts, or about 20 percent, had been assailed in the attack. All but six are back to normal.

■ Companies like Deutsche Bahn, the German transport giant; Telefónica, a Spanish telecommunications firm; and Renault, the French automaker, said that some of their systems had been affected, though no major outages had yet been reported across the region’s transports or telecom networks.

■ The Russian Interior Ministry confirmed in a statement that 1,000 of its computers had also been hit.

■ The Chinese online security company Qihoo 360 issued a warning about the virus, saying that many networks there had been hit and that some computers used to mine Bitcoin in China were among those infected.

■ A FedEx spokesman said of the attack: “Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible.”

Reports last year found that some state-run hospitals in Britain had spent nothing on cyberdefense and were running outdated software on their systems.

■ In a typical attack, hackers send their victims an email that includes a link to what appears to be an innocuous web address, or an email attachment. In this case, attackers appear to have sent their victims encrypted .zip file attachments intended to make it more difficult to detect their nefarious purpose.

■ Victims who click on that attachment soon find their computers infected. The program encrypts files, folders, and drives on the computer — and potentially entire networks to which they are connected. “Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key,” according to the F.B.I.

■ The messages that victims receive include directions for paying the attackers a ransom. Payment is typically demanded, as it was in the most recent string of attacks, in bitcoin.

■ A hospital in Los Angeles was similarly attacked in February of last year, paying a bitcoin ransom equivalent to about $17,000 to hackers who used malware to hold its computer system hostage.

■ The attackers, who have yet to be identified, had included a “kill switch” in their attack, a way of disabling the malware in case they wanted to shut down their activities. To do so, the assailants included code in the ransomware that would stop it from spreading if the virus sent an online request to a specific website, such as one created by the attackers.

■ When the 22-year-old British researcher whose Twitter handle is @MalwareTechBlog saw during the attack that the kill switch’s domain name had not been registered, he bought it himself. By making the site go live, the researcher inadvertently shut down the attack before it could fully spread to the United States, experts said. (He confirmed his involvement and wrote a blog post about it but insisted on anonymity because he did not want the public scrutiny.)

■ “The kill switch is why the U.S. hasn’t been touched so far,” said Matthieu Suiche, founder of Comae Technologies, a cybersecurity company in the United Arab Emirates. “But it’s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name.”
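The kill-switch behavior described above has a defensive use: a host that tries to resolve the kill-switch domain has executed the malware, and the DNS answer it got tells you whether the sinkhole stopped it. The following is an added example, not code from the article or from any of the parties it mentions; it assumes a placeholder domain (the real one is not given on this page) and a constructed resolver-log format of `<timestamp> <client_ip> <qname> <rcode>`.

```python
"""Flag hosts whose DNS logs show a WannaCry-style kill-switch lookup.

Added example for this article, not code from the original page. The
kill-switch domain is a placeholder, and the log format is an assumption.
"""
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch.example"  # placeholder, not the real domain

# Constructed sample resolver log (not real data).
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.0.5 www.example.org NOERROR
2017-05-12T10:01:05Z 10.0.0.17 killswitch.example NXDOMAIN
2017-05-12T10:02:11Z 10.0.0.17 killswitch.example NXDOMAIN
2017-05-12T15:30:44Z 10.0.0.23 killswitch.example NOERROR
2017-05-12T15:31:00Z 10.0.0.5 mail.example.org NOERROR
"""

def parse_line(line):
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, rcode = parts
    return {"ts": ts, "client": client,
            "qname": qname.rstrip(".").lower(), "rcode": rcode}

def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: {"lookups", "resolved", "first_seen"}}.

    Any lookup means the host ran the sample. NXDOMAIN means the domain was
    unregistered at that moment, so the sample would keep spreading; NOERROR
    means the registered sinkhole answered and the sample halted.
    """
    hits = defaultdict(lambda: {"lookups": 0, "resolved": False, "first_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] != domain:
            continue
        h = hits[rec["client"]]
        h["lookups"] += 1
        h["first_seen"] = h["first_seen"] or rec["ts"]
        h["resolved"] = h["resolved"] or rec["rcode"] == "NOERROR"
    return dict(hits)

if __name__ == "__main__":
    for ip, info in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        status = "halted by sinkhole" if info["resolved"] else "unresolved: isolate host"
        print(f"{ip}: {info['lookups']} lookup(s), first {info['first_seen']}, {status}")
```

Because a variant with a different domain would produce no such lookup, this check only catches the original sample; treat it as one indicator among several.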

■ Who is behind the attack.

While the Shadow Brokers released one of the tools used in the attack, it is not clear who orchestrated Friday’s attacks. It is also not clear who the Shadow Brokers are. Initially, an insider at the N.S.A. or the C.I.A. was suspected of having leaked the agency’s hacking tools, but the hackings continued after an N.S.A. contractor was arrested.

Security experts have said that the timing of the hackers’ data dumps often aligns with Russian political interests. For instance, one of the latest Shadow Brokers dumps occurred after the United States bombed Syria. The hackers cited the bombing as part of the impetus for their latest leak.

■ If anyone has paid the ransom.

Security experts said those who had already fallen victim to ransomware on Friday may have little recourse. Jason Rebholz, a senior director at Crypsis Group, which specializes in ransomware, said victims could try to search the web for a decryption service, but chances are that in a sophisticated attack like this one, cybercriminals had already taken steps to immunize their encryption from such services.

■ If anyone was harmed.

Emergency rooms, doctors’ offices and ambulances were disrupted in Britain and communications were affected in other countries. It is still unknown if anyone suffered further injury or died because of the disruption.

Follow Russell Goldman @GoldmanRussell on Twitter.

A version of this article appears in print on , Section A, Page 9 of the New York edition with the headline: Ransomware: How Hackers Hold Data Hostage.
