Computers shut down over the weekend may be harboring a virulent ransomware virus ready to attack Monday as a new workweek kicks in, officials warned.
A massive attack Friday from the “WannaCry” malware crippled more than 20% of hospitals in the United Kingdom and affected more than 200,000 victims in 150 countries, said Rob Wainwright, the head of the European Union’s “Europol” law enforcement agency. The software, which spreads among Windows computers, infects and then locks up individual machines, demanding a ransom to be paid in the electronic currency Bitcoin. The attack mostly impacted computers in Europe and Asia and spared North America.
In some cases, hospital staff in England were forced to take notes with pens and paper and had to cancel or reschedule procedures because their computers weren’t working. Computers are often needed to control diagnostic or surgical equipment. Wainwright said banks have been unaffected because they invested heavily in computer security following previous attacks.
Fort Mill's FedEx was one of the 200,000 victims affected worldwide by the cyber attack. However, as of Monday morning, FedEx officials say their problems have been resolved.
"FedEx has resumed normal operations and systems are performing as designed," the shipping company said as well as referring customers to their website to check shipment statuses. Last week, FedEx officials said in a comment to NBC Charlotte that workers were unable to scan anything and some deliveries could not be made in time for Mother's Day due to the attack.
A computer security expert on Friday afternoon managed to blunt the attack, but Wainwright said the virus was changed over the weekend and could be poised to expand what he called an already “unprecedented” attack.
“I think the hospital sector and others should follow the example (of the banking industry) to make sure that now they sit up and take notices of what is absolutely a huge security concern,” Wainwright told a British television station Sunday. “It sends a very clear message, I think, that all sectors are vulnerable and all sectors should take seriously the need to run updated systems and patch when they can do that.”
Experts say hospitals and smaller businesses have been lax about updating their software to protect against this kind of vulnerability and warn that failure to act endangers lives. Europol is sharing a tool to prevent further virus spread, but it could be too late for computers that are already infected but not yet switched on.
Monday could bring fresh problems as users restart their computers at the start of the workweek, especially if they haven’t been “patched” to remove the vulnerability the virus exploits. American computers appeared unaffected, said Michael Daly, the chief technology officer of Raytheon Cybersecurity and Special Missions, largely because of more diligent protections.
"Gone are the days of simple annoyance with viruses and worms (like) flashing screens and website defacement," he said. "With ransomware and other destructive malware, time is of the essence."
At its core, the attack is an extortion scheme aimed at forcing hospitals and other organizations to pay a ransom to avoid having their data deleted. Infected computers showed a screen giving the user three days to pay up. After that, the price would be doubled. After seven days the files would be deleted, it threatened.
The hackers behind the ransomware attack, who have not been identified, demanded $300 worth of the online currency Bitcoin per computer to release files from encryption. In Spain, the largest telecommunications company would need to pay close to $550,000 to unlock all the encrypted computers hit on its network.
From a financial perspective, the attack seems to have been a failure: Bitdefender, a Romania-based security firm, has been monitoring the Bitcoin accounts the ransom was to be paid to and said as of Sunday morning they had only managed to garner $32,213, spokesman Emanuel Marius Buterchi said.
But ransom aside, the virus caused widespread problems for everything from transport facilities to universities across Europe and in the Ukraine, India and Russia. The attack apparently exploited a flaw exposed in documents leaked from the U.S. National Security Agency.
Microsoft first issued a fix for a problem on March 14, but many systems have not installed the crucial new software.
The WannaCry ransomware program represents a troubling evolution, said Ryan Kalember of Proofpoint, a Sunnyvale, Calif.-based security firm, because it can spread itself: “It has this hunter code that looks around the network it’s on to see if there are other servers or PCs it can infect. It will find anything on that network that’s using this file share protocol and reach out across to other networks.”
What’s worse is that even though this specific flaw may have been “patched,” hackers may be able to use similar techniques to strike again, said Craig Williams of Cisco Talso, a San Jose, Calif.-based security firm.
“I expect we’re going to see new variants roll out soon,” Williams said. “The reality is this technology is going to enable ransomware authors to continue to profit in the future.
Others worry that this technique, and others garnered from the stolen NSA files used to craft the more insidious parts of WannaCry, are likely to be an ongoing problem.
“I believe this is just the tip of the iceberg. In this case, we are seeing an opportunistic ransomware operation, but we can expect the exploit is already being used for surgical targeted attacks, the outcome of which will only be revealed in a few months due to the time it takes to execute a sophisticated targeted attack,” said Ofer Israeli, the CEO and founder of Tel Aviv, Israel-based illusive networks.