Officials in nearly 100 countries raced on Saturday to contain one of the biggest cybersecurity attacks in recent history, as British doctors were forced to cancel operations, Chinese students were blocked from accessing their graduation theses, and passengers at train stations in Germany were greeted by hacked arrival and departure screens.
Companies and organizations around the world potentially faced substantial costs after hackers threatened to keep computers disabled unless victims paid $300 or more in ransom, the latest and most brazen in a type of cyberattack known as "ransomware."
The malware hit Britain's beloved but creaky National Health Service particularly hard, causing widespread disruptions and interrupting medical procedures across hospitals in England and Scotland. The government said that 48 of the NHS's 248 organizations were affected, but by Saturday evening, all but six were back to normal.
When asked if the British government paid any ransom in this situation, a Downing Street spokesman said Saturday that it had not. Amber Rudd, Britain's home secretary, also advised against others paying ransom.
In Germany, people posted pictures on social media of scheduling screens at train stations displaying the ransomware message. Deutsche Bahn, Germany's national railway service, tweeted that its train service had not been compromised and that it was working full speed to solve the problems. According to DPA news agency, Deutsche Bahn's video surveillance technology also was hit.
Other targets in Europe included Telefónica, the Spanish telecom giant; the French carmaker Renault; and a local authority in Sweden, which said about 70 computers were infected.
It was still unclear on Saturday who was behind the sophisticated attack.
"We're not able to tell you who is behind that attack. That work is still ongoing," Rudd told the BBC. She said that it has affected "up to 100 countries" and that it wasn't specifically targeted at Britain's NHS.
The attack was notable because it took advantage of a security flaw in Microsoft software found by the National Security Agency for its surveillance tool kit. Files detailing the capability were leaked online last month, though after Microsoft, alerted by the NSA to the vulnerability, had sent updates to computers to patch the hole.
Still, countless systems were left vulnerable, either because system administrators failed to apply the patch or because they used outdated software.
It was a jarring reminder of a stubborn reality facing security experts: Companies and other organizations collectively spent $73 billion on cybersecurity measures in 2016, according to the research firm IDC. Yet systems around the world were crippled by human error – failure to do routine software updates and employees unknowingly clicking on email attachments that contained the malware.
"This was a completely preventable attack – to the extent that organizations have comprehensive patching systems in place," said Paul Lipman, chief executive of the cybersecurity firm BullGuard. "However, life is never that simple."
On Friday, Microsoft released additional security updates to Windows and guidelines for consumers and businesses to protect themselves.
It's possible that the malware didn't spread further because of the enterprising work of a 22-year-old British cybersecurity researcher.
The researcher, whose Twitter handle is @MalwareTechBlog, realized the hackers had designed a "kill switch," which involved a domain name that enabled them to stop the attack from spreading if the victims paid the ransoms. The researcher bought the domain name of the kill switch, and when the site went live, the attack stopped spreading.
The move didn't help organizations that were already impacted by the attack, but experts said that it limited the spread of the virus. The researcher, however, warned in a blog post that the hackers could alter the code and try again.
Health-care IT experts said it was no surprise that hospitals so easily fell victim to the ransomware attack. Health systems have faced hundreds of ransomware attacks in the past two years.
They are the ideal target for this type of malware due to a "perfect storm" of factors, said Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University. For one, Rubin said, the data that they have is incredibly time-sensitive, making them most susceptible to ransomware.
"If no one ever paid these ransoms, the hackers would have no reason to launch these attacks," Rubin said. "But I'm not the one sitting in a hospital in need of immediate medical attention."
Hospitals also lag far behind other industries in upgrading their security and doing basic software updates. Health-care organizations in general spend 2 to 4 percent of their operating budgets on information technology, compared with 25 to 35 percent for financial services, said John D. Halamka, chief information officer of the Beth Israel Deaconess Medical Center and Harvard Medical School.
"We spend billions on new technology," he said. "Yet the reality is that we're still as vulnerable as our most gullible employee."
Health-care organizations in the United States are also subject to additional regulations, which constrain their ability to do updates. Many updates require systems to go dark for some period of time, and many hospitals are not allowed to put critical systems out of use.
Poorer hospitals are particularly vulnerable. While wealthy hospitals have effectively built cybersecurity war rooms over the past two years, some smaller hospitals "don't have enough budget to keep the lights on," said Rubin. They often cannot afford to back up data, perhaps the most critical tool in fighting ransomware.
Cybersecurity researchers were far more surprised that sophisticated telecommunications firms, such as Spain's Telefónica, were so vulnerable. "This just goes to show that even the largest, most resource-rich enterprises can be brought low by something as simple as a skipped patch," Lipman said.
The malware, known as WanaCrypt0r 2.0, or WannaCry, also affected systems for FedEx, major telecommunications firms, Brazil's social security administration, and many others around the world.
TMT post, a Chinese online news outlet focusing on the Internet industry, reported that a number of Chinese universities had been affected by the attack.
Several schools – including Nanchang University, Shandong University and University of Electronic Science and Technology of China – issued alerts on their Weibo social-media feeds, warning staff and students to back up important files and not to open suspicious emails.
According to Chinese magazine Caijing, some students' graduation theses and projects have reportedly been encrypted.
In Russia, hacking attacks were confirmed on Saturday at the Health Ministry, the state-run Russian Railways and the telecommunications company Megafon, along with the Interior Ministry, which manages the police force. There were also reports that the powerful Investigative Committee, which investigates high-level crime, and several other telecommunications companies had been targeted.
The Interior Ministry said that 1,000 of its computers had been blocked by prompts demanding payment. By Friday evening, the ministry said it had "contained" the attack and denied that any of its information had been stolen.
Jakub Kroustek, a malware researcher with Avast, a security software company in the Czech Republic, said in a blog post that Russia was the most-affected country so far. "We are now seeing more than 75,000 detections of WanaCrypt0r 2.0 in 99 countries," he wrote Friday night.
Kaspersky Lab, a Moscow-based Internet security firm, also said that the attacks were mostly in Russia.
One reason Russia may have been hit so hard is the use of outdated software by government agencies.
"Russia has a very rickety, out-of-date infrastructure, using not just outdated software but pirated out-of-date software," said Mark Galeotti, a senior researcher at the Institute of International Relations Prague.
According to Galeotti, one Interior Ministry official in 2013 estimated that 40 percent of the ministry's computers could be using pirated Windows software, which is widely available in Russia for download or at local computer markets.
In Brazil, the attack struck at the heart of the government – employee computers at the Justice Ministry and Brazil's social security administration were infected. The local media also reported that the attack locked up computers in the country's labor courts and the public prosecutor's office.
In Britain, which is in the middle of an election campaign, the cyberattack triggered criticism of the NHS's aging computer systems, particularly the use of Windows XP, an outdated version of the Microsoft operating system that doesn't have the same level of defense against cyberattacks as newer operating systems.
The opposition Labour Party's Jonathan Ashworth tweeted that the government had been complacent over cybersecurity. "We need answers on whether funding squeeze compromised security," he wrote.
Rudd, the home secretary, stressed that there was no evidence that patient data had been compromised but said that there were lessons to learn.
She told the BBC that Windows XP was "not a good platform for keeping your data as secure as the modern ones because you can't download the effective patches and anti-virus software."
"I would expect NHS trusts to learn from this and to make sure that they do upgrade," she said.
Adam reported from London. Andrew Roth in Moscow; Luna Lin in Beijing; Griff Witte and Stephanie Kirchner in Berlin; Marina Lopes in São Paulo; and Michael Birnbaum in Tallinn, Estonia, contributed to this report.
