Updated on May 14, 2017 at 2:54 p.m.
Friday’s global cyberattack on businesses, universities, and health systems has reached new size, with large institutions and security experts hurrying to address a breach that has now affected more than 150 countries. The cyberattack was first identified in the United Kingdom, whose National Health Service (NHS) suffered one of the day’s largest and most severe hacks. In total, 48 NHS organizations were hit, rendering x-rays, test results, and patient records unavailable and forcing the NHS to suspend its operations. According to British Home Secretary Amber Rudd, all but six agencies have resumed normal operations and no patient data has been compromised.
The attack incited political debate in the U.K. on Sunday, with both the Labour Party and the Liberal Democrats accusing the nation’s Conservative government of failing to prevent the security breach and demanding an investigation. The Labour Party specifically criticized Conservatives for slashing the NHS’s IT budget and opting not to renew a 2015 contract that protected the organization’s computer systems. On Sunday, the British defense minister, Michael Fallon, fired back, telling the BBC that the government was spending around $64 million to improve NHS cybersecurity.
In the 24 hours following the attack, at least 75,000 systems were affected. By Sunday, the executive director of Europol, the European Union’s police agency, said that 200,000 computers had been hit, many of which belong to some of the largest institutions and government agencies in the world. Experts speculate that big organizations were particularly vulnerable to attack because of their outdated technology. The NHS, for instance, has been known to rely on out-of-date and unprotected software that made it highly susceptible to a malware infection.
Last week in the U.S., President Trump signed an executive order designed to protect the nation from cybersecurity risks, with a focus on modernizing the federal government’s aging IT systems. On Sunday, a senior U.S. administration official told Reuters that Trump called an emergency meeting Friday night to assess the threat of the cyberattack, with the White House conducting a second meeting on Saturday to determine the perpetrators.
On Saturday, Europol called the hacking “unprecedented,” while U.S. security expert Rich Barger told Reuters it was “one of the largest global ransomware attacks the cyber community has ever seen.” In Spain, the nation’s biggest telecommunications firm, Telefonica, was hacked alongside a Spanish electric utility company, Iberdrola, and a utility provider, Gas Natural. In the U.S., FedEx reported that some of its Windows computers had been hacked. And in Russia, 1,000 computers were infected at the nation’s interior ministry. The ministry later reported that the virus had been handled and no sensitive information was compromised.
Other victims of the attack include the German railway company Deutsche Bahn and a Nissan manufacturing center in the north of England. The French car manufacturer Renault was also forced to temporarily shut down one of its plants in Slovakia. Amid speculation on social-media, China’s official news agency, Xinhua, revealed that some of the nation’s companies, secondary schools, and universities had been affected as well.
How was such a massive, coordinated attack possible? On Friday, infected computer systems around the world received emails demanding ransom payments of $300 to $600 in the form of bitcoin to unlock their devices. With users around the world delivering payments in order to prevent their files from being erased, the hackers stand to gain up to $1 billion, The New York Times reported Saturday.
Many experts believe the attackers relied on a tool developed by the U.S. National Security Agency to breach Microsoft’s Windows software. In April, a group known as the “Shadow Brokers” released the stolen malware online in political protest. According to an emailed statement from Don Foster, the senior director of solutions marketing at Commvault, a U.S. data-protection company, “ransomware has proved to be one of the most effective ways to infiltrate an organization.”
On Friday, an anonymous British cybersecurity researcher operating under the Twitter handle @MalwareTechBlog discovered a “kill switch” that seems to have prevented the malware from spreading. According to the researcher’s blog, he noticed that the virus was searching for an unregistered web address. Without knowing if it would disrupt the malware, he then registered the domain and was able to halt the spread of the attack.
On Saturday, Matthieu Suiche, the founder of a cybersecurity company in the United Arab Emirates, told the Times that the kill switch was responsible for minimizing the impact in the U.S. Still, the solution is only temporary. In the wake of Friday’s cyberattack, government officials and security experts now fear that additional hackers may be inclined to alter the malware code to carry out similar attacks. “We haven’t seen spikes of new attacks yet, but that’s a strong likelihood,” Suiche told the Times.
In a statement to Reuters, William Saito, a cybersecurity adviser to the Japanese government, argued that many companies may still not realize their systems were hacked. “Things could likely emerge on Monday,” Saito told the news site. As of this writing, the source of the attack remains unclear. In all likelihood, uncovering the complete origin and motivation will require months of investigation.