Global ransomware attack using stolen NSA tool hits 74 countries

A massive international ransomware campaign apparently using hacking tools stolen from the NSA struck computers across the world Friday, shuttering British hospitals and hobbling a Spanish telecom. 

As many as 74 countries in all were hit by the attack. 

The ransomware, named “WanaCrypt0r 2.0,” appears to use the stolen NSA Windows hacking tool “Eternal Blue.” Ransomware makes computers or files unusable until a victim pays a ransom.

One antivirus company alone reported capturing tens of thousands of instances of the apparently enormous ransomware attack. 

“We have observed a massive peak in WanaCrypt0r 2.0 attacks today, with more than 36,000 detections, so far,” Avast Threat Lab Team Lead Jakub Kroustek said in a statement.

According to Kroustek, most of the targets are in Russia, Ukraine, and Taiwan. But some of the most damaging attacks have taken place in western Europe. 

{mosads}British hospitals were forced to refuse patients after coming under the cyberattack, Reuters reported. The British National Health Service said in a statement that 16 NHS organizations were affected by the attacks.

“NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organizations and ensure patient safety is protected,” read the statement. 

Telefonica, a Spanish telecom, told employees to shut down all computers after it was struck, according to the Spanish newspaper El Mundo.

FedEx announced it had been hit by the WanaDecrypt0r as well, although it did not announce the scope of their exposure. 

“Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware,” the company said in a statement. “We are implementing remediation steps as quickly as possible.  

The Russian Interior Ministry said 1,000 of its computers were infected, reported the Associated Press.

Eternal Blue was one of many hacking tools released in the latest round of leaks from the ShadowBrokers, who have periodically released documents and tools apparently stolen from the NSA since August.

When the group first appeared, it tried to auction off the full set of tools. After being disappointed by the bids and other attempts to make money off the tools, ShadowBrokers gave up in January. Along the way, the group released files to prove that the tools on sale were genuine. 

In April, as an alleged protest against Donald Trump becoming too much of a centrist and abandoning the far right, the Brokers released its largest set of documents, including series of Windows tools and evidence that the NSA had hacked a Middle Eastern network of financial institutions. 

Microsoft had already patched the security flaws the tools took advantage of when the files were released. But many users do not regularly update their computers, meaning that they remain now-public vulnerabilities.

Past ShadowBrokers releases lead to attacks, with Friday’s WanaCrypt0r ranking as the largest so far.

“This event should serve as a global wake-up call — the means of delivery and the delivered effect is unprecedented,” Rich Barger, the director of threat research at security firm Splunk, said in a statement.

The attacks are likely to reignite a debate over what circumstances the government should and should not keep security flaws in software secret. Digital rights groups believe that informing companies of the vulnerabilities in their products and allowing companies to fix them will provide security to users more valuable than the intelligence NSA hacking programs could produce by keeping them secret. 

“It is past time for Congress to enhance cybersecurity by passing a law that requires the government to disclose vulnerabilities to companies in a timely manner,” said ACLU attorney Patrick Toomey in a statement. “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”

– This story was updated at 5:49 p.m.