Worldwide cyberattack could spark more trouble Monday

NEW YORK — Companies worldwide are bracing for even more fallout from the biggest cyberattack ever as their workers head back to the office Monday.

The massive ransomware attacks that started late Friday have locked people out of their computers and demanded hundreds of dollars from the users before they could regain control.

The attacks exploit a vulnerability in outdated versions of Microsoft Windows that is particularly problematic for corporations that don’t automatically update their systems.

Microsoft’s president and top lawyer said Sunday that the ongoing cyberattacks — which experts are calling the largest in history — should be a “wake-up call” for governments.

Hackers have used “ransomware” to freeze at least 200,000 computers so far, and they have demanded that users pay up to regain access.

The attacks exploited the computers because they were running outdated versions of Microsoft’s Windows operating system. Brad Smith, who is Microsoft’s chief legal officer, said Sunday in a blog post that his company, its customers and the government all share the blame.

Smith said Microsoft has the “first responsibility” to address the problem, and added that the company is working “comprehensively” to fight threats.

But he also placed fault with governments. The security flaw that hackers used to launch the attacks Friday was made public after information was stolen from the U.S. National Security Agency, which routinely searches for flaws in software and builds tools to exploit them.

The government is not legally bound to notify at-risk companies. Smith says that’s wrong.

He argued there should be “a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote.

The NSA alerted Microsoft about the issue three months ago and Microsoft released an upgrade that patched the flaw. But some experts have argued this attack could have been vastly mitigated if the NSA had told Microsoft sooner.

Smith also called cyberattack protection a “shared responsibility” between companies and customers.

Companies and institutions are often slow to update their computers because it can screw up internal software that is built to work with a certain version of Windows.

“As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” he wrote. “Otherwise they’re literally fighting the problems of the present with tools from the past.”

He said tech companies, customers and the government need to “work together” to protect against attacks.

“More action is needed, and it’s needed now,” he said.

The virus has hit at least 150 countries, according to the European Union’s law enforcement agency Europol. Hospitals, universities, manufacturers and government agencies in the U.K., China, Russia, Germany and Spain have all been affected.

And experts say the scope of the problem could expand as people return to work and fire up their computers.

There are several factors in play. While a U.K. security researcher managed to stop the spread of the virus, hackers have issued new versions that cybersecurity organizations are trying to counter and stamp out.

“We will get a decryption tool eventually, but for the moment, it’s still a live threat and we’re still in disaster recovery mode,” Europol director Rob Wainwright told CNN’s Becky Anderson on Sunday.

He added that the agency is still analyzing the virus and has yet to identify who is responsible for the attack.

At least one strain of the ransomware has proven especially vicious. Once it infects one computer within a network, it can spread to all the computers in that network “within seconds,” said Israel Levy, the CEO of the cybersecurity firm Bufferzone.

For example, if one of your coworkers opens an infected PDF attached to an email, soon everyone in your office could be under attack.

In the world of ransomware, that was “unheard of six months ago,” Levy said. The attacks used to only be able to target one machine at a time.

Officials say they’re aware of those problems.

“It is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks,” said the U.K.’s National Cyber Security Centre in a statement Sunday.

That’s why companies are anxious to beef up security or combat potential infections, according to Aviv Grafi, the chief technology officer of Votiro, another cybersecurity firm.

Grafi said his firm has been contacted by companies that are scrambling to avoid potential pitfalls.

What the attack does

Cyber bad guys have spread ransomware, known as WannaCry, to computers around the world. It locks down all the files on an infected computer. The hackers then demand $300 in order to release control of the files. That’s why it’s called ransomware.

How it happened

WannaCry takes advantage of a vulnerability in Microsoft Windows.

The software tools to create the attack were revealed in April among a trove of NSA spy tools that were either leaked or stolen. The tools were made public by a hacking group called the Shadow Brokers.

Microsoft released a security patch for the vulnerabilities in March. But many corporations don’t automatically update their systems, because Windows updates can screw up their legacy software programs.

The phenomenon of companies failing to update their systems has been a persistent security problem for years. Playing with fire finally caught up with the victims.

Consumers are also at risk. Microsoft requires Windows 10 customers to automatically update their computers, but some people with older PCs disabled automatic updates.

How widespread is the damage

The attack has been found in 150 countries, affecting 200,000 computers, according to Europol, the European law enforcement agency. FedEx, Nissan, and the United Kingdom’s National Health Service were among the victims.

In the U.K., hospitals were crippled by the cyberattack, which forced operations to be canceled and ambulances to be diverted.

Also hit were Deutsche Bahn, the Russian Central Bank, Russian Railways, Russia’s Interior Ministry, Megafon and Telefónica.

Who is vulnerable

Anyone who hasn’t updated their Windows PC recently.

Microsoft said it had taken the “highly unusual step” of releasing a patch for computers running older operating systems including Windows XP, Windows 8 and Windows Server 2003. So even people with older computers should go update them.

Apple’s Mac computers were not targeted by this ransomware attack, so they are in the clear. Bad guys generally target Windows far more than Apple’s operating system because there are vastly more computers running Windows around the world.

How to prevent being attacked

According to security company Bitdefender, follow these five steps:

1. Disable your computer’s Server Message Block service.
2. Install Microsoft’s patch.
3. Back up your data on an offline hard drive.
4. Install all Windows updates.
5. Use reputable security software to prevent attacks in the future.

Who is behind the attack

The hackers remain anonymous for now, but it appears that they are amateurs. A 22-year-old security researcher in the U.K. discovered a “kill-switch” to initially stop the spread of the attack. The ease of stopping the attack suggests the hackers were new to this game.

Experts said it appeared that the ransomware had made just over $32,000, although they expected that number to pop when people went back into the office Monday.

What happens next

Computers and networks that hadn’t recently updated their systems are still at risk because the ransomware is lurking. And WannaCry threatens to create even more havoc on Monday when people return to work.

Experts say the spread of the virus had been stymied by a security researcher in the U.K., but hackers have issued new versions of the virus that cybersecurity organizations are actively trying to counter and stamp out.

The U.K. government’s cyber office put it succinctly: “[T]he way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks.”

 

The list of institutions affected is expected to grow as more become aware of hacks or if more variants spread infections.

Global Companies

FedEx: The company said it was “experiencing interference with some of our Windows-based systems caused by malware” and was trying to fix the problems as quickly as possible.

Nissan: The carmaker said in a statement that “some Nissan entities were recently targeted” but “there has been no major impact on our business.”

China

Colleges: Internet security firm Qihoo360 issued a “red alert” over the weekend, saying a large number of colleges and students in China had been hit by the ransomware attack.

Gas stations: State-run media in China reported that some gas stations saw their digital payment systems shut down, forcing customers to bring cash.

Germany

Deutsche Bahn: The German railway company told CNNMoney that due to the attack “passenger information displays in some stations were inoperative” as were “some ticket machines.”

Russia

Russian Central Bank: State media agency Tass reported the bank discovered bulk malware emails sent to banks but detected no compromise of resources. The central bank reportedly said those monitoring the cyberattacks found “no incidents compromising data resources of banking institutions.”

Russian Railways: State media said a virus attacked the IT system of Russian Railways, but it did not affect operations due to a prompt response. The company said the virus has been localized and “technical work is underway to destroy it and update the antivirus protection.”

Interior Ministry: The Russian Interior Ministry acknowledged a ransomware attack on its computers, adding that less than 1% of computers were affected. The statement said antivirus systems are working to destroy it.

Megafon: A spokesperson for Russian telecommunications company Megafon told CNN that the cyberattack affected call centers but not the company’s networks. He said the situation was under control.

Spain

Telefónica: Spanish authorities confirmed the Spanish telecom company Telefónica was one of the targets, though the attack affected only some computers and did not compromise the security of clients’ information.

United Kingdom

National Health Service: At least sixteen NHS organizations have been hit, according to NHS Digital. “At this stage, we do not have any evidence that patient data has been accessed. We will continue to work with affected (organizations) to confirm this,” the agency said. The NHS has said hospitals have had to cancel some outpatient appointments because of the attack.

The UK government called a meeting of its crisis response committee, known as Cobra, to discuss how to handle the situation. The British Home Secretary said most of the NHS systems were back to normal by midday Saturday.