- Cybersecurity expert warns the problem could spiral when people go to work Monday
- UK government calls a crisis response committee meeting after attack hit hospitals
The majority of the attacks targeted Russia, Ukraine and Taiwan. But the National Health Service in the United Kingdom and global firms such as FedEx also reported they had come under assault Friday. Experts suggested Saturday that the ransomware’s progress had been halted, but new attacks could soon follow.
Here are five things to know:
It may not be over yet
Cybersecurity experts have been working around the clock to try to halt a malware attack that is unprecedented in scale.
The ransomware’s progress has been halted by a security researcher’s accidental discovery late Friday of a “kill switch” hidden within the code, said cybersecurity consultant David Kennedy, formerly of the US National Security Agency.
“The software has actually stopped spreading across the world,” he told CNN.
“He actually probably saved lives by accident,” Kennedy said, referring to the security researcher who discovered the kill switch.
The ransomware was designed to repeatedly contact an unregistered domain listed in its code. The security researcher — who uses the Twitter handle @MalwareTechBlog — registered that domain to collect the ransomware traffic for analysis and to track infections.
However, a hacker could change the code to remove the domain and try the ransomware attack again.
Also, the kill switch won’t help anyone whose computer was already infected. Individuals and companies still have to decide if they want to pay the ransom or part with their data.
Michael Gazeley, managing director of cybersecurity firm Network Box, told CNN that the danger is far from over and that a company’s security patch on Saturday might not still work by Monday.
“A lot of people are going to go to work on Monday and click on a link in their mail — completely oblivious that all of this is going on or have heard about it and think that it’s over — and suddenly wipe out their whole company,” Gazeley said from Hong Kong.
“IT managers need to be extremely aware that new variants of this ransomware attack are being launched almost hourly, so they can’t just check that their computer systems are protected, then relax, assuming everything will stay that way,” he said.
Cybersecurity firm Avast said it tracked more than 75,000 ransomware attacks in 99 countries Friday.
European police agency Europol said it was working to support countries, saying the malware attack was at an “unprecedented level and requires international investigation.”
How it works
The malware spreads by taking advantage of a Windows vulnerability for which Microsoft released a security patch in March. But computers and networks that had not installed that update remained at risk.
Mikko Hypponen, chief research officer at cybersecurity company F-Secure in Helsinki, Finland, called it “the biggest ransomware outbreak in history,” according to an online post.
It’s having a real-life impact
The cyberattack affected 16 organizations that are part of the National Health Service on Friday, causing some surgical procedures to be canceled and ambulances diverted. But the NHS said Saturday it does not have any evidence that patient data was breached.
A senior nurse with NHS Lanarkshire in Scotland posted a video on Twitter appealing to members of the public “to stay away from acute hospitals unless it’s an absolute emergency situation” while its IT systems remain affected.
Grant Gowers, 50, from Clacton-on-Sea in southern England, told CNN how the ransomware attack had directly affected him. Doctors told him two weeks ago they needed to schedule a prostate biopsy to determine if he has cancer.
But around 5 p.m. Friday he got a call to say his biopsy had been canceled as a result of the ransomware attack.
“I have built myself up for the last two weeks,” he told CNN. “If I know I have cancer, I could deal with it.”
His procedure is being rescheduled within the next two weeks. But that’s not good enough for Gowers. “I really want to grab the person who done this today and give him a picture of how this is affecting my life,” he said.
The UK government has called a meeting of its crisis response committee, known as Cobra, on Saturday to discuss the situation.