Global cyberattack hits more than 200,000 organizations in 150 countries

Sunday, May 14, 2017
An alert researcher, cooperation helped stem cyberattack
The cyberattack spread malicious software around the world

The unprecedented, global ransomware attack that started Friday has hit more than 200,000 companies, hospitals, government agencies and other organizations in 150 countries, the European Union's law enforcement agency said.

Separately, Europol spokesman Jan Op Gen Oorth said Sunday that the number of individuals who have fallen victim to the cyberextortion attack could be much higher than is currently known, as more people may find they were hit by the virus when they return to work Monday and switch on their computers.

He said it was too early to say who is behind the onslaught and what their motivation was.

The attack is believed to be the biggest online extortion attack ever recorded, with victims including Britain's hospital network and Germany's national railway.

The malicious cyber attack used leaked tools of the National Security Agency to exploit a vulnerability in Microsoft Windows.

Tens of thousands of users from London to St. Petersburg logged on Friday to find ominous threats to delete their suddenly encrypted computer files unless they cough up $300 or more in Bitcoin payments to the unknown perpetrators, security experts and intelligence officials told ABC News on Saturday.

A message saying "Oops, your important files are encrypted" flashed across screens all over the world. According to The New York Times, experts estimated that before the last affected computers are unlocked, victims could collectively pay more than $1 billion to the attackers.

The spread of the attack appears to have been thwarted by private cybersecurity researchers who identified and triggered the malware's "kill switch," which halted the attack before it spread throughout U.S. networks, a senior U.S. intelligence official confirmed. It is unclear, the official said, whether a modified attack will soon be launched.

"That is a huge concern right now," Darien Huss, a senior security research engineer at Proofpoint who was among the researchers who helped disable the virus, called "WannaCry," told ABC News Saturday. "It would not be very difficult at all to re-release this ransomware attack without a kill switch or without an approved kill switch that only they can activate."

Huss is also worried about copycats, who could "take the exploit code that was used in this attack and implement it into their own virus."

The tally of victims so far includes FedEx in the United States, railroads in Germany and Russia, and factories and phone companies across Europe. Among the worst impacted by the historic attack, unprecedented in its breadth, was Britain's National Health Service, where more than 45 facilities had to suspend operations and divert patients and surgeries.

"The impact on the U.S. seems to be negligible -- very tiny impact, very few victims," the senior intelligence official told ABC News on Saturday.

"It's impacting overseas among those who have outdated software or pirated software," the senior intelligence official said. "The U.S. government is better suited to react and respond to something like this than some other countries because of years of work between the private sector and the government."

Cybersecurity experts believe the attack was carried out with the help of tools first developed by the U.S. National Security Agency for targeting terrorists and foreign adversaries, which were leaked to the public by a hacker group called The Shadow Brokers in April.

"They lost it, somebody stole the information, published it on the internet, and now it's being used against victims in the United States and elsewhere," said John Bambenek of Fidelis Cybersecurity.

While Microsoft broadened access to a security patch on Saturday to thousands of users whose old Windows support agreements have expired, law enforcement and intelligence authorities around the world, led by Britain's new cyber security agency, are working to track down whoever was responsible -- with Russian organized crime considered a leading suspect, some experts said.

"The reason this is hitting so many computers at once is that they discovered a vulnerability in the most popular operating system in the world, in Microsoft Windows," said John Carlin, former assistant attorney general for national security and an ABC News contributor. "And they're taking advantage of it. It's one that Microsoft delivered a solution for, but a lot of people haven't used it."

As the attack spread to five continents, the damage was contained, for the moment, when a computer programmer in Great Britain, by his own account, stumbled upon the kill switch after Huss shared some of his work on social media. The researcher, who uses the pseudonym "MalwareTech" for personal security, registered a domain name buried in the code of the attack and was surprised to discover that it was the kill switch that sent a signal to stop the attacks.

"In this case, when we registered it, it turned out to be a kill switch," Salim Neino, CEO of Kryptos Logic, which employs MalwareTech as a cyber-security researcher, told ABC News. "We verified it and turned the information over to the FBI."

The researcher behind "MalwareTech" sent the virus down a "sinkhole," preventing it from spreading more widely.

"If MalwareTech had not sinkholed that domain as quickly as he had, we definitely could have seen many, many more infections that occurred," Huss said. "Potentially hundreds of thousands and into the millions."

While this attack has slowed, experts warn that networks remain vulnerable.

"This was a combination attack, obviously coordinated. We need to take the act of keeping our systems and devices up to date seriously," said Tyler Cohen Wood, a former senior intelligence official involved in cyber operations. "Unfortunately, until this is taken more seriously, this massive wide-scale type of attack is only the beginning."

The Associated Press contributed to this story.

Copyright © 2024 ABC News Internet Ventures.