The spread of a global cyberattack appears to have slowed after a researcher accidentally found a “kill switch.” The breakthrough won’t help fix systems worldwide that are already crippled by ransom-demanding malware.
Governments and companies on Saturday scrambled to respond to a massive global cyberattack that hit computers in nearly 100 countries by exploiting vulnerabilities believed to have been exposed in documents leaked from the US National Security Agency.
Cyber extortionists on Friday used malicious software to exploit a vulnerability in Windows operating systems to infect thousands of computers with a variant of WannaCry ransomware.
The spread of the ransomware appeared to have stopped on Saturday after a security researcher registered a domain name connected to the malware.
The researcher, tweeting as @MalwareTechBlog, said the discovery was accidental but registering the domain name triggered a “kill switch.”
The security researcher warned that those behind the cyberattack can “change some code and start again.” Computers already infected by the malware will not be helped by the fix.
Cybersecurity experts said that after the domain was registered, the number of new infections dropped.
“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” said Vikram Thakur, principal research manager at Symantec. “The numbers are extremely low and coming down fast.”
One of the largest cyberattacks ever
The ransomware locks up computer systems by encrypting files and data, demanding users pay $300 (275 euros) in the virtual currency Bitcoin to recover the files. Payment is demanded in three days or the price is doubled. After seven days it threatens to delete all files.
“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk.
The security firm and others have linked WannaCry to an NSA hacking code known as “Eternal Blue” that was leaked last month by hacking group Shadow Brokers. It is unclear who led the ransomware attack or from which country it originated.
Cyber security software company Avast said it had detected 57,000 infections in 99 countries, with Russia, Britain, Ukraine and Taiwan being the hardest hit.
Friday’s wave of attacks hit several high-profile organizations, including Britain’s National Health Service (NHS), Russia’s interior ministry, French car maker Renault, Spanish telecommunications giant Telefonica, international shipper FedEx and German rail operator Deutsche Bahn.
The attack on the NHS wreaked havoc on the British health care system, with a number of hospitals and clinics turning away patients and forcing ambulances to divert to neighboring hospitals. The Health Service Journal reported that X-ray imaging systems, pathology test results and patient administration systems were all affected.
Russia’s interior ministry reported that roughly 1,000 of its computers had been infected, but that the ministry’s servers had not been impacted. The central bank said it was also targeted, but that its systems were not compromised.
Deutsche Bahn said destination boards at several train stations had been infected but that transportation had not been impacted. The attack also affected the rail operator’s video surveillance technology.
Britain’s National Cyber Security Center and Spain’s National Center for the Protection of Critical Infrastructure said they were working with companies hit by or potentially targeted by the attack. The US Department of Homeland Security said that it has shared information with domestic and international partners.
Microsoft said it released Windows updates to defend against WannaCry. It issued a patch in March to protect against Eternal Blue.
cw/rc (AFP, dpa, Reuters)