World’s biggest cyberattack sends countries into ‘disaster recovery mode’

LONDON — The biggest cyberattack the world has ever seen is still claiming victims and threatens to create even more havoc on Monday, May 15th when people return to work.

The attack is a virus that locks people out of their computer files until they pay a ransom to the hackers.

Experts say the spread of the virus had been stymied by a security researcher in the U.K. Hackers have issued new versions of the virus that cyber security organizations are actively trying to counter and stamp out.

“We will get a decryption tool eventually, but for the moment, it’s still a live threat and we’re still in disaster recovery mode,” Rob Wainwright, the head of the European Union’s law enforcement agency Europol, told CNN’s Becky Anderson on Sunday. He added that the agency is still analyzing the virus and has yet to identify who is responsible for the attack.

The U.K.’s National Cyber Security Centre said Sunday that there have been “no sustained new attacks” of the kind that struck Friday.

But the agency added that some infections may not yet have been detected, and that existing infections can spread within networks.

Wainwright said earlier on British TV that the attack was “unprecedented” in its reach, with more than 200,000 victims in at least 150 countries.

Organizations around the world spent the weekend trying to recover after being hit by a virus that seeks to seize control of computers until victims pay a ransom.

Hospitals, major companies and government offices were among those that were badly affected. Cybersecurity experts have said the majority of the attacks targeted Russia, Ukraine and Taiwan. But U.K. hospitals, Chinese universities and global firms like FedEx also reported they had come under assault.

U.S. Treasury Secretary Steven Mnuchin, at a meeting in Italy, said Saturday the attack was a reminder of the importance of cybersecurity. “It’s a big priority of mine that we protect the financial infrastructure,” he said.

Europol’s Wainwright underscored the point Sunday. All sectors of the economy were vulnerable and organizations could take lessons from the banking industry, which appeared to have largely escaped the global attack.

“Very few banks if any have been affected because they’ve learned from painful experience of being the number one target for cybercrime,” he said on ITV’s Peston on Sunday program.

The ransomware, called WannaCry, locks down files on an infected computer and asks the computer’s administrator to pay in order to regain control of them. The exploit it relies on was leaked last month as part of a trove of NSA spy tools.

The ransomware is spread by taking advantage of a Windows vulnerability that Microsoft released a security patch for in March. But computers and networks that hadn’t updated their systems were still at risk.

In the wake of the attack, Microsoft said it had taken the “highly unusual step” of releasing a patch for computers running older operating systems including Windows XP, Windows 8 and Windows Server 2003.

The patches won’t do any good for machines that have already been hit.

Experts said Sunday it appeared that the ransomware had made just over $32,000, although they expected that number to pop when people went back into the office Monday.

Security agencies have so far not been able to identify who was behind the attack. Wainwright said Europol did not know the motive. He added that ransomware attacks were normally criminal rather than political in nature. “Remarkably few payments” had so far been made in response to this attack, he added.

WannaCry has already caused massive disruption around the globe.

Sixteen National Health Service organizations in the U.K. were hit, and some of those hospitals canceled outpatient appointments and told people to avoid emergency departments if possible.

Barts Health, which runs five hospitals in London, said Sunday it was still experiencing disruption to its computer systems and it asked for the public to use other NHS services wherever possible.

In China, the internet security company Qihoo360 issued a “red alert” saying that a large number of colleges and students in the country had been affected by the ransomware, which is also referred to as WannaCrypt. State media reported that digital payment systems at some gas stations were offline, forcing customers to pay cash.

Major global companies said they also came under attack. FedEx said Friday it was “experiencing interference with some of our Windows-based systems caused by malware.” Two big telecom companies, Telefónica of Spain and Megafon of Russia, were also hit, as was Japanese carmaker Nissan in the U.K.

Russia’s Interior Ministry acknowledged a ransomware attack on its computers. It said less than 1% of computers were affected, and that the virus was now “localized” and being destroyed.

U.K. defense secretary Michael Fallon said Sunday that Britain’s nuclear submarines were safe from cyberattack.

According to Matthew Hickey, founder of the security firm Hacker House, the attack is not surprising, and it shows many organizations do not apply updates in a timely fashion.

When CNNTech first reported the Microsoft vulnerabilities leaked in April, Hickey said they were the “most damaging” he’d seen in several years, and warned that businesses would be most at risk.

Consumers who have up-to-date software are protected from this ransomware.

It’s not the first time hackers have used the leaked NSA tools to infect computers. Soon after the leak, hackers infected thousands of vulnerable machines with a backdoor called DOUBLEPULSAR.

Here’s an explanation as to what happened:

What the attack does

Cyber bad guys have spread ransomware, known as WannaCry, to computers around the world. It locks down all the files on an infected computer. The hackers then demand $300 in order to release control of the files. That’s why it’s called ransomware.

How it happened

WannaCry takes advantage of a vulnerability in Microsoft Windows.

The software tools to create the attack were revealed in April among a trove of NSA spy tools that were either leaked or stolen. The tools were made public by a hacking group called the Shadow Brokers.

Microsoft released a security patch for the vulnerabilities in March. But many corporations don’t automatically update their systems, because Windows updates can screw up their legacy software programs.

The phenomenon of companies failing to update their systems has been a persistent security problem for years. Playing with fire finally caught up with the victims.

Consumers are also at risk. Microsoft requires Windows 10 customers to automatically update their computers, but some people with older PCs disabled automatic updates.

How widespread is the damage

The attack has been found in 150 countries, affecting 200,000 computers, according to Europol, the European law enforcement agency. FedEx, Nissan, and the United Kingdom’s National Health Service were among the victims.

In the U.K., hospitals were crippled by the cyberattack, which forced operations to be canceled and ambulances to be diverted.

Also hit were Deutsche Bahn, the Russian Central Bank, Russian Railways, Russia’s Interior Ministry, Megafon and Telefónica.

Who is vulnerable

Anyone who hasn’t updated their Windows PC recently.

Microsoft said it had taken the “highly unusual step” of releasing a patch for computers running older operating systems including Windows XP, Windows 8 and Windows Server 2003. So even people with older computers should go update them.

Apple’s Mac computers were not targeted by this ransomware attack so are clear. Bad guys generally target Windows far more than Apple’s operating system because there are vastly more computers running Windows around the world.

How to prevent being attacked

According to security company Bitdefender, follow these five steps:

1. Disable your computer’s Server Message Block service.
2. Install Microsoft’s patch.
3. Back up your data on an offline hard drive.
4. Install all Windows updates.
5. Use reputable security software to prevent attacks in the future.

Who is behind the attack

The hackers remain anonymous for now, but it appears that they are amateurs. A 22-year-old security researcher in the U.K. discovered a “kill-switch” to initially stop the spread of the attack. The ease of stopping the attack suggests the hackers were new to this game.

Experts said it appeared that the ransomware had made just over $32,000, although they expected that number to pop when people went back into the office Monday.

What happens next

Computers and networks that hadn’t recently updated their systems are still at risk because the ransomware is lurking. And WannaCry threatens to create even more havoc on Monday when people return to work.

Experts say the spread of the virus had been stymied by a security researcher in the U.K. Hackers have issued new versions of the virus that cyber security organizations are actively trying to counter and stamp out.

The U.K. government’s cyber office put it succinctly: “[T]he way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks.”