Global Ransomware Attack Stuns Systems in Up to 74 Countries

Businesses and hospitals were disrupted in a massive wave of cyberattacks Friday. Such attacks have increased by more than 500 percent in recent years.

Ambulances wait outside the emergency department at the Royal University Hospital in Liverpool, England, in January 2017. (Phil Noble / Reuters)

Updated: Friday, May 12, 2017 at 5:51 p.m.

A stunning global cyberattack disrupted business and health systems in scores of countries on Friday, including in hospitals across England that were crippled by the large-scale ransomware attack.

“Currently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia,” the cybersecurity firm Kaspersky Lab wrote in a blog post. “It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher.”

Doctors, administrators, and other NHS workers across England were locked out of their computers, and instead saw a pop-up message demanding ransom in exchange for access to the system, according to several reports. NHS England didn’t immediately respond to questions about whether any ransom was paid, the amount of the requested ransom, or whether the system was fully operational again. “This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” the NHS said in a statement emailed to The Atlantic.

The attack seemed to exploit a common vulnerability that was discovered and developed by the National Security Agency, The New York Times reported:

The hacking tool was leaked by a group calling itself the Shadow Brokers, which has been dumping stolen N.S.A. hacking tools online beginning last year. Microsoft rolled out a patch for the vulnerability last March, but hackers took advantage of the fact that vulnerable targets — particularly hospitals — had yet to update their systems.

Some hospitals affected by the attack were diverting ambulances to other centers, and asked people to stay away from emergency rooms unless they needed urgent care, Reuters reported.

At the same time, Spain’s government warned on Friday of a large-scale ransomware attack in its country. Telefonica, the nation’s biggest telecommunications firm, was one of the targets. It wasn’t immediately clear whether the cyberattack in Spain was connected to the cyberattack on the NHS.

The attacks are alarming, but not entirely unexpected. Ransomware attacks are on the rise—particularly against vulnerable targets like hospitals, where access to electronic medical records and other computer-run systems has tremendous implications for patient safety. Police stations and emergency call centers are similarly vulnerable targets.

“The worst [scenario] we can imagine is if some malicious actor wants to undertake an act of terrorism and hamper the local response to that [attack]—disrupting 9-1-1 communications entirely,” Trey Forgety, a cybersecurity expert and the director of government affairs for the National Emergency Number Association, told me in March.

There were several ransomware attacks in the United States last year—including against hospitals and libraries. Kaspersky Lab reported last year that ransomware attacks had increased by more than 500 percent compared with the year before. The firm described ransomware—often sent via a malicious email disguised as routine correspondence—as the greatest security threat online today.

One in 131 emails sent last year was malicious, the highest rate in five years, according to an annual security report by Symantec.

These sorts of attacks are so common now—and so potentially lucrative for attackers—that there’s even a cottage industry of ransomware as a service, in which cybercriminals pay a fee for someone else to carry out an attack, with the attacker taking a cut of the ransom collected.

Along with hospitals and other emergency centers, at-risk targets include banks, school districts, public transportation systems, and local governments.

“The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation,” the FBI wrote in a warning it issued last year. “Ransomware attacks are not only proliferating, they’re becoming more sophisticated.”

Attackers are also targeting more devices overall, as well as a wider array of devices, and demanding more money from victims. The average ransom demand was $1,077 last year, according to Symantec, up from $294 the year before. Friday’s NHS attackers requested at least $300 from each person who found themselves locked out of their devices, according to the BBC.

Officials caution against paying ransoms, in part because giving an attacker money doesn’t guarantee data recovery. “Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity,” the FBI said.