Malware strikes nearly 100 nations

Spreads using a flaw in older Microsoft Windows systems.

May 13, 2017 10:08 am | Updated December 03, 2021 05:15 pm IST

A screenshot of the warning screen from a purported ransomware attack, as captured by a computer user in Taiwan, is seen on laptop in Beijing on May 13, 2017.

A virulent computer malware that has been spreading across the globe since Friday has hit government departments, universities and companies in nearly 100 countries. The WannaCryptor 2.0 ‘ransomware’, aka WannaCry, spreads using a flaw in older Microsoft Windows systems, which was made public when documents and cyber tools of the United States’ National Security Agency were leaked online.

The biggest hit has been the U.K.’s National Health Service, which has been forced to halt treatments and surgeries. There are reports that Spain’s major telephone company Telefonica, Germany’s biggest transport company Deutsche Bahn, and universities in China have been severely affected. Japan, Indonesia and South Korea have all reported infections.

Several plants of carmakers Renault and Nissan have stopped production in France and England due to the malware, according to agency reports.

The Russian Interior Ministry has reported about 1,000 computers as infected, according to the Guardian.

Several cyber security firms have identified this as the biggest cyberattack in over a decade, after the Conficker worm infected millions of computers.

Ransomware, also called Business Email Compromise, is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Individuals and organisations are discouraged from paying the ransom, as this does not guarantee access will be restored. It was reported last year that this malware globally caused companies a loss of a whopping $3 billion.

What is ransomware?

Ransomware is malware that encrypts the files on an infected system and then demands a ransom to decrypt them, with the demand escalating over time. The ransom is demanded in Bitcoin, the cryptocurrency that is hard to trace. WannaCryptor 2.0 has been asking for a ransom of the Bitcoin equivalent of $300.

It often reaches victims as a mail attachment, masquerading as an important document or offer. Once opened, it spreads to other computers on the network by exploiting the Windows vulnerability.

This malware originates from a tool called EternalBlue that was among the NSA-related tools dumped online in April by an anonymous group called the Shadow Brokers. It was first spotted active online by security experts in the U.K. on Friday, and within hours it had managed to spread exponentially.

Microsoft had earlier made available an update to eliminate the vulnerability from its Windows versions, including Windows XP, Windows 8 and Server 2003. But evidently many systems, including those of crucial institutions, had not been updated.

Reuters is quoting researchers with security software maker Avast as saying that they had observed 126,534 ransomware infections in 99 countries, with Russia, Ukraine and Taiwan the top targets. Reuters said that researchers have observed some victims making the ransom payment, though the exact amount that has reached the extortionists is unknown. Some estimates say that if the malware is not fully contained the loot could be over a billion dollars.

The U.S. reportedly has been spared the brunt of the attack after a cyber security researcher “accidentally” triggered a kill switch built into the malware. The researcher, known online as MalwareTech, describes in a blog post how he found that the malware was trying to contact a strange unregistered web address. He registered the web address, paying a few dollars, and immediately began getting hits from infected computers across the world. Later, along with another cyber security researcher, Darien Huss, he figured out that the malware begins its work only if it is unable to contact that specific address. Once the address was live, the malware reached it and shut down before encrypting files on infected systems.
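The kill-switch behaviour described above has a defensive use: any host that looks up that address has already run the malware, and whether the lookup succeeded tells a responder how to prioritise it. The following is an added example, not from the article or the researchers it cites; the hostname and the resolver log lines are constructed placeholders, since the article does not give the real address.

```python
import re
from collections import defaultdict

# Hypothetical placeholder for the kill-switch hostname (the article does
# not give the real one).
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed sample of a resolver query log; not real data.
SAMPLE_DNS_LOG = """\
2017-05-12T14:01:03Z 10.0.4.21 query A www.example.org NOERROR
2017-05-12T14:01:09Z 10.0.4.37 query A killswitch.example NOERROR
2017-05-12T14:01:11Z 10.0.4.37 query A killswitch.example NOERROR
2017-05-12T14:02:30Z 10.0.7.5 query A killswitch.example NXDOMAIN
2017-05-12T14:03:12Z 10.0.4.21 query AAAA mail.example.org NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) query (?P<qtype>\S+) "
    r"(?P<qname>\S+) (?P<rcode>\S+)$"
)

def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: {"lookups": n, "resolved": bool}} for every host
    that queried the kill-switch domain. Any lookup means the malware ran
    on that host; the beacon happens before encryption. NOERROR suggests
    the kill switch engaged, NXDOMAIN that the host could not reach it."""
    hits = defaultdict(lambda: {"lookups": 0, "resolved": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["qname"].lower().rstrip(".") != domain:
            continue
        hits[m["client"]]["lookups"] += 1
        if m["rcode"] == "NOERROR":
            hits[m["client"]]["resolved"] = True
    return dict(hits)

def triage(hits):
    """Map each flagged host to a response priority. A resolved name is only
    a proxy for a successful contact: an outbound proxy or firewall can still
    block the HTTP request, so even CONTAIN hosts need verification."""
    return {
        ip: ("ISOLATE: beacon failed, encryption likely ran" if not info["resolved"]
             else "CONTAIN: malware executed but halted by kill switch; patch and clean")
        for ip, info in hits.items()
    }

if __name__ == "__main__":
    found = find_kill_switch_lookups(SAMPLE_DNS_LOG)
    for ip, verdict in triage(found).items():
        print(ip, found[ip], verdict)
```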

“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” Vikram Thakur, principal research manager at Symantec, told Reuters.
