Lucky Break Slowed Cyberattack; What's Coming Could Be Worse

People walk past a Megafon mobile phone shop in Moscow, Russia on May 13. A top mobile operator said Friday that it had been hit by cyperattacks similar to those that crippled some U.K. hospitals. (AP Photo/Ivan Sekretarev)
People walk past a Megafon mobile phone shop in Moscow, Russia on May 13. A top mobile operator said Friday that it had been hit by cyperattacks similar to those that crippled some U.K. hospitals. (AP Photo/Ivan Sekretarev)

LONDON -- As terrifying as the unprecedented global "ransomware" attack was, cyber-security experts say it's nothing compared to what might be coming -- especially if companies, organizations and governments don't make major fixes.

Had it not been for a young cyber-security researcher's accidental discovery of a so-called "kill switch," the malicious software likely would have spread much farther and faster. Security experts say this attack should wake up every corporate board room and legislative chamber around the globe.

Security experts tempered the alarm bells by saying that widespread attacks are tough to pull off. This one worked because of a "perfect storm" of conditions, including a known and highly dangerous security hole in Microsoft Windows, tardy users who didn't apply Microsoft's March software fix, and malware designed to spread quickly once inside university, business and government networks.

What's worse, those responsible were able to borrow a weaponized "exploit," apparently created by the U.S. National Security Agency, to launch the attack in the first place.

Darien Huss, a 28-year-old research engineer who assisted the anonymous British researcher lauded a hero, said he was "still worried for what's to come in the next few days because it really would not be so difficult for the actors behind this to re-release their code without a kill switch or with a better kill switch. Or we could potentially see copycats mimic the delivery or exploit method they used."

Now that this "WannaCry" malware is out there, the world's computer systems are vulnerable to a degree they haven't been before, unless people everywhere move quickly to install Microsoft's security patches.

This is already believed to be the biggest online extortion attack ever recorded, disrupting computers that run factories, banks, government agencies and transport systems in nations as diverse as the U.S., Russia, Ukraine, Brazil, Spain and India. Europol, the European Union's police agency, said the onslaught was at "an unprecedented level and will require a complex international investigation to identify the culprits."

The attack held hospitals and other entities hostage by freezing computers, encrypting their data and demanding money through online bitcoin payment -- $300 at first, rising to $600 before it destroys files hours later.

The worldwide effort to extort cash from computer users is so unprecedented in its nature -- the first widely successful example of ransomware that self-replicates like a virus -- that Microsoft quickly changed its policy, announcing free security patches to fix this vulnerability in the older Windows systems still used by millions of individuals and smaller businesses. Normally, such patches are reserved for organizations willing to pay for extended support.

Security officials in Britain urged organizations to protect themselves by installing the security fixes, running antivirus software and backing up data elsewhere. Experts say this vulnerability has been understood among experts for months, yet too many organizations either failed to take it seriously or chose not to share what they'd found.

The ransomware exploited a vulnerability that has been patched in updates of recent versions of Windows since March, but Microsoft didn't make freely available the patch for Windows XP and other older systems.

"The problem is the larger organizations are still running on old, no longer supported operating systems," said Lawrence Abrams, a New York-based blogger who runs "So they no longer get the security updates they should be."

Britain's National Cyber Security Center said it could have been much worse if not for a young cyber-security researcher who helped to halt its spread by accidentally activating a skill switch in the malicious software.

The 22-year-old Britain-based researcher, identified online only as MalwareTech, explained Saturday that he spotted a hidden web address in the "WannaCry" code and made it official by registering its domain name. That inexpensive move redirected the attacks to MalwareTech's server, which operates as a "sinkhole" to keep malware from escaping.

His move may have saved governments and companies millions of dollars and slowed the outbreak before U.S.-based computers were more widely infected.

But the kill switch couldn't help those already infected. Short of paying, options for these individuals and companies are usually limited to recovering data files from a backup, if available, or living without them.

The Windows vulnerability in question was purportedly identified by the NSA for its own intelligence-gathering purposes. (Intelligence officials wouldn't comment on the authenticity of the claims.) The tools appeared stolen by hackers, who dumped them on the internet.

British cyber-security expert Graham Cluley doesn't want to blame the NSA for the attack.

"There are other criminals who've launched this attack, and they are ultimately responsible for this," he said from his home in Oxford, England. "But there's clearly some culpability on the part of the U.S. intelligence services. Because they could have done something ages ago to get this problem fixed, and they didn't do it."

He said most people "are living an online life," and these agencies have a duty to protect their countries' citizens in that realm as well.

"Obviously, they want those tools in order to spy on people of interest, on other countries, to conduct surveillance," Cluley said. "It's a handy thing to have, but it's a dangerous thing to have. Because they can be used against you. And that's what's happening right now."


Heintz reported from Moscow and Breed from Raleigh, N.C. Associated Press writer Sara Burnett in Chicago and AP Technology Writer Anick Jesdanun in New York contributed to this story.

Related Video:

World-class threat hunters powered by advanced technology. Raytheon’s new approach to cybersecurity protects organizations from cyber attacks by finding threats others miss.

Show Full Article