Hackers Launch Global Assault -- WSJ

By Robert McMillan in San Francisco and Jenny Gross and Denise Roland in London Features Dow Jones Newswires

A massive cyberattack scrambled computer systems in dozens of countries on Friday, in an assault computer-security experts said relied on a software vulnerability that the U.S. National Security Agency had allegedly exploited earlier.

Continue Reading Below

U.S. delivery giant FedEx Corp. was among those caught in the cyberattack. England's National Health Service said 16 hospitals and clinics were forced to cancel appointments and divert ambulances as a result of the cyberattack. Brazil's social security agency shut down its systems after being hit, and the foreign ministry said it turned off its servers as a preventive measure. Russian antivirus vendor Kaspersky Lab ZAO said the malware appeared in 74 countries and hit Russia hardest.

The malware believed to be behind the attacks encrypts data on infected computers and essentially holds it for ransom, demanding money from users in return for their files. Known as WannaCry or Wanna Decryptor, the so-called ransomware program homes in on vulnerabilities in Microsoft Windows systems.

The attack appears to exploit a vulnerability in Windows for which Microsoft issued a patch on March 14. Several cybersecurity specialists said the same vulnerability was targeted in software released in April by a hacking group calling itself "Shadow Brokers," which said it had stolen the attack code from the NSA.

The NSA has declined to comment on the authenticity of the Shadow Brokers documents. Spokespersons for the CIA and the Office of the Director of National Intelligence declined to comment on Friday's cyberattack.

A Microsoft spokeswoman said in addition to the March patch, the company added new protections Friday to shield users from the malicious software. Anyone running Microsoft's antivirus software with Windows updates enabled is protected, and the company is providing assistance to customers, the spokeswoman she said.

Continue Reading Below

Antivirus vendor Avast Software s.r.o. said the malware was hitting computers in the U.S., Russia, Ukraine and Taiwan. The Prague-based firm said it had detected more than 57,000 samples of the malware on Friday.

The spread of WannaCry represents "one of the highest peaks for a single ransomware strain" that Avast has recorded this year, said Jakub Kroustek, the leader of Avast's virus team.

FedEx said it was "experiencing interference with some of our Windows-based systems caused by malware" and taking steps to fix the problem. It declined to say how widespread the problem was and whether deliveries were affected on the eve of Mother's Day weekend.

In Britain, the NHS said it thought Wanna Decryptor was behind the attack and indicated there was so far no evidence patient data had been accessed. The British government's National Cyber Security Center said on its Twitter account that it was working with the NHS and the National Crime Agency to investigate.

In Spain, the attack caused widespread disruption among companies whose computer systems were infected, according to Luis Corrons, technical director at Spanish antivirus vendor Panda Security S.L. Some firms disconnected themselves from the internet on Friday until they could apply the appropriate software patches, he said.

The Russian Ministry of Interior said on Friday the virus had affected around 1,000 of its PCs using the Windows operating system, or less than 1% of such computers in the ministry. The ministry said its servers weren't exposed, as they used other operating systems.

"At the moment, the virus is localized, technical work is being carried out to destroy it and update the antivirus protection," ministry spokeswoman Irina Volk said.

A North Atlantic Treaty Organization official said the alliance was closely following the ransomware attacks "unfolding on such unprecedented scale and synchronization." The official said while there was no impact on the alliance's computers in Brussels or elsewhere in Europe, experts would remain on standby throughout the weekend.

U.S. authorities have said cyberattacks via ransomware are a growing problem, having previously hit entire computer networks at universities, businesses and hospitals. Last year, Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 to unlock files after an attack crippled a large portionpart of its computer systems.

In England, NHS clinics in London, the county of Essex and elsewhere issued messages asking patients not to seek medical care unless it was an emergency.

A primary-care doctor in Welwyn Garden City in southeastern England said his practice was unable to make urgent referrals to the local hospital.

"I had a patient this morning who may have been having mini-strokes and needed to be seen within 24 hours," he said. "I emailed urgent referrals but couldn't get through...We had to go to a different hospital entirely."

Another of his patients needed an ultrasound scan for a possible pregnancy complication, he said, but computer disruptions had left him unable to make an appointment. His practice has also been unable to access patients' blood test results for most of the day, he said, because that system is also linked to the local hospital.

Ransomware attacks, though seemingly sophisticated, typically start off simply: A hacker tricks someone into opening a seemingly legitimate or innocuous file that contains malicious software. The ruse is known as phishing.

"The majority of ransomware is from phishing attacks, whether that's a receptionist or a doctor on a smartphone," said Emily Orton, founder of British cybersecurity company Darktrace.

Typically users must click on a malicious attachment to install ransomware. The software now circulating comes with a nasty twist, Panda Security's Mr. Corrons said: It is also a worm that replicates itself throughout networks.

"If one computer is infected, not only is it going to encrypt all the files to which it has access. It is also going to infect each and every computer on the network that hasn't patched this vulnerability," he said.

The attack came weeks before a general election in the U.K., set for June 8. British Prime Minister Theresa May said the attack wasn't targeted at the NHS and the government wasn't aware of any evidence that patient data was compromised.

"It's an international attack and a number of countries and organizations have been affected," Mrs. May said.

Jonathan Ashworth, lawmaker for the Labour Party, said the incident underscored the need for the U.K. government to focus efforts on cybersecurity.

"The safety of the public must be the priority and the NHS should be given every resource to bring the situation under control as soon as possible," Mr. Ashworth said.

Stu Woo

and Paul Ziobro contributed to this article.

Write to Robert McMillan at Robert.Mcmillan@wsj.com, Jenny Gross at jenny.gross@wsj.com and Denise Roland at Denise.Roland@wsj.com

(END) Dow Jones Newswires

May 13, 2017 02:47 ET (06:47 GMT)