"Worst-Ever Recorded" Ransomware Attack Strikes Over 57,000 Users Worldwide, Using NSA-Leaked Tools

Tyler Durden's picture

The ransomware has been identified as WannaCry

* * *

Update 4: According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept, “I’ve never seen anything like this with ransomware,” and “the last worm of this degree I can remember is Conficker.” Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over nine million computers in nearly 200 countries. As The Intercept details,

Today’s WannaCry attack appears to use an NSA exploit codenamed ETERNALBLUE, a software weapon that would have allowed the spy agency’s hackers to break into any of millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in governments) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them–but from the moment the agency lost control of its own exploit last summer, there’s been no such assurance.


Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up.


As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”

Update 3: Microsoft has issued a statement confirming the status of the vulnerability:

Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt.


In March, we provided a security update which provides additional protections against this potential attack.


Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance.

Update 2: Security firm Kaspersky Lab has recorded more than 45,000 attacks in 74 countries in the past 10 hours, with the number of victims still growing. Avast said it has detected over 57,000 attacks worldwide, adding that it "quickly escalated into a massive spreading."

According to Avast, the ransomware has also targeted Russia, Ukraine and Taiwan. The virus is apparently an upgraded version of ransomware that first appeared in February. Believed to affect only Windows-operated computers, it changes the extensions of affected files to ".WNCRY." It then drops ransom notes for the user in a text file, demanding $300 worth of bitcoins to be paid within a certain period of time to unlock the infected files.

While the victim's wallpaper is being changed, affected users also see a countdown timer to remind them of the limited time they have to pay the ransom. If they fail to pay, their data will be deleted, the cybercriminals warn. According to the New York Times, citing security experts, the ransomware exploits a "vulnerability that was discovered and developed by the National Security Agency (NSA)." The hacking tool was leaked by a group calling itself the Shadow Brokers, the report said, adding that the group has been distributing the stolen NSA hacking tools online since last year.

Predictably, Edward Snowden - who has been warning about just such an eventuality - chimed in on Twitter, saying "Whoa: @NSAGov decision to build attack tools targeting US software now threatens the lives of hospital patients."

*  *  *

Update 1: In a shocking revelation, The FT reports that hackers responsible for the wave of cyber attacks that struck organisations across the globe used tools stolen from the US National Security Agency.

A hacking tool known as “eternal blue”, developed by US spies, has been weaponised by the hackers to super-charge an existing form of ransomware known as WannaCry, three senior cyber security analysts said. Their reading of events was confirmed by western security officials who are still scrambling to contain the spread of the attack. The NSA’s eternal blue exploit allows the malware to spread through file-sharing protocols set up across organisations, many of which span the globe.

As Sam Coates summed up...

*  *  *

We earlier reported on the disturbing fact that hospitals across the United Kingdom had gone dark due to a massive cyber-attack...

Hospitals across the UK have been hit by what appears to be a major, nationwide cyber-attack, resulting in the loss of phonelines and computers, with many hospitals going "dark" and some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E with all non-urgent operations cancelled, the BBC reports.


The UK National Health Service said: “We’re aware that a number of trusts that have reported potential issues to the CareCERT team. We believe it to be ransomware.” It added that trusts and hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire have been affected and are reporting IT failures, in some cases meaning there is no way of operating phones or computers.


At Lister Hospital in Stevenage, the telephone and computer system has been fully disabled in an attempt to fend off the attack.


NHS England says it is aware of the issue and is looking into it.

UK Prime Minister Theresa May confirms that today's massive cyber hit on the NHS is part of a wider international attack and that there is no evidence patient data has been compromised.

The situation has got significantly worse as The BBC reports the ransomware attack has gone global.


Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by parties claiming to be affected.

It is not yet clear whether the attacks are all connected. One cyber-security researcher tweeted that he had detected 36,000 instances of the ransomware, called WannaCry and variants of that name.

"This is huge," he said.

There have been reports of infections in the UK, US, China, Russia, Spain, Italy, Vietnam, Taiwan and others.

The BBC details that a number of Spanish firms were among the apparent victims elsewhere in Europe.

Telecoms giant Telefonica said in a statement that it was aware of a "cybersecurity incident" but that clients and services had not been affected.


Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak.


There were reports that staff at the firms were told to turn off their computers.

In Italy, one user shared images appearing to show a university computer lab with machines locked by the same program.

Bitcoin wallets seemingly associated with the ransomware were reported to have already started filling up with cash.

"This is a major cyber attack, impacting organisations across Europe at a scale I've never seen before," said security architect Kevin Beaumont.

According to security firm Check Point, the version of the ransomware that appeared today is a new variant.

"Even so, it's spreading fast," said Aatish Pattni, head of threat prevention for northern Europe.

Several experts monitoring the situation have linked the attacks to vulnerabilities released by a group known as The Shadow Brokers, which recently claimed to have dumped hacking tools stolen from the NSA.

giovanni_f's picture

Unix. Based on a Siemens OS. Made in Germany. The first computer fulfilling all criteria for a universal calculator - invented by Konrad Zuse, the so-called Z1. Made in Germany. Linux is a port to PC architecture by Linus Torvalds. It is the base of millions of appliances that can be developed without involving licence manager parasites from Microsoft, Oracle or IBM.

Any questions?

land_of_the_few's picture

RISC OS (ARM - Archimedes OS - Acorn), Psion - EPOC / Symbian, Sailfish, Tizen ...

Older - Sinclair QL / QDOS (multitasking)

Much older ones Colossus - regarded as the world's first programmable, electronic, digital computer, Lyons LEO III - it was microprogrammed and was controlled by a multitasking operating system.  Ferranti Orion / OMP "included built-in multitasking support, one of the earliest commercial machines to do so'", Ferranti / Manchester Atlas,  ICT George on ICT9000 (British, later ICL,  then Fujitsu),  English Electric KDF9 / Director OS .... most of these were sold commercially and had real world tasks to do.

Antifaschistische's picture

Russia, China, India, etc.. working together to develop their own non-NSA/CIA/FBI backdoored OS?

could that ever happen?  :)

BarkingCat's picture

Does not matter. Intel chips have backdoors built into them.

Cruel Joke's picture

Astra Linux is a Russian Linux-based computer operating system developed to meet the needs of Russian army, other armed forces and intelligence agencies. It provides data protection up to the level of "top secret" in Russian classified information grade. It has been officially certified by Russian Defense Ministry, Federal Service for Technical and Export Control and Federal Security Service.

Disclaimer: I have not tested this - so I cannot add any user experience and I believe the version we can download is not "full strength."  (Astra Linux Common Edition)


peddling-fiction's picture

I did not see any instructions in English.

Keyser's picture

If it's Linux based, then it uses the basic kernel of the OS, everything else are merely bolt-ons... The Ruskies didn't invent it, they merely adapted the core OS to their own needs...

Cruel Joke's picture

Yupp, it is Debian based as far as I can tell, so updating OS and apps etc. should be a breeze.

nufio's picture

So where is Linus from? Finland?

land_of_the_few's picture

Helsinki, Finland. Probably speaks Swedish as well as Finnish. Linux kernel was created in Helsinki.

Linux project influenced by the earlier MINIX which was largely done in the Free University of Amsterdam around 1987 or so.

Torvalds himself was modifying the OS of the Sinclair QL business microcomputer before he started Linux.

crazytechnician's picture

Intel hardware backdoor is OS independent, allows direct remote reading of memory contents without knowledge or protection of OS.

DollarMenu's picture

It might be interesting if they start hitting the banking systems, or maybe that's the "Big Reset" plan all along.

knukles's picture

This raises my confidence in the sanctity of ridding ourselves of silly paper money and moving to a new gold standard of electronic secure digits.

Booyah, motherfuckers

stormsailor's picture

My son is an IT professional and has been inundated with new clients calling to rid their complex systems of this plague. For his clients he has devised protection from it, but most of the calls he gets are from large hospitals, corporations, etc. that have their own IT staff.


He can fix it and prevent/firewall it so it doesn't happen but some of the systems are so complex with so many open ends, his bill is sometimes as much as the hackers are asking for.  He told me that in some cases he is tempted to tell them to just pay it, however, he said all of the payoffs have to be made with bitcoin on the "dark-web" and since you are dealing with known criminals he has heard that more than half the time they do not fix it.


He was in New Orleans about a month ago, Thursday through Sunday clearing up a large company's servers and systems, worked 70 hours and billed them 24k plus expenses



pavman's picture

Is he hiring? I'm getting bored with my IT gig.

TheReplacement's picture

He can fix it you say... if that were even remotely possibly true then he would be a very rich man today.  That is, unless his solution is to pay the fucking ransom lol.

stormsailor's picture

yes he can fix it, it involves downloading all of their backups onto a protected mega-terabyte server even cloud, running a combination of commercially available software, and some of his proprietary code that examines the data and plugs in missing strings, etc.   scrubbing all of their storage. while those programs run he has to examine all of the possible ways the malware can invade,  set up their system so they are run through security before they can interface, etc. etc.   it is very complicated and a huge pain in the ass because a lot of these companies are not used to strict discipline and tight security.  believe me,  they go downright spartan once they are infected with this stuff and it is a complete extinction event on your data if you don't respond in time.


funny, my old xp systems at my office, that some companies are now refusing to allow us to access theirs because of the "security hazard",  haven't had any exploit problems in years. but i did notice that yesterday there was a microsoft update for my non supported systems, lol.



stormsailor's picture

he can fix it if he is called in before it destroys all of the data,  they give you so long to pay it, the longer the more you have to pay and at a certain point they just destroy all of your data. if he can get it before that, he can fix it.

land_of_the_few's picture

Act of war they told us, tools origin - USA. Main victims - Russia, Spain, UK.

What's an appropriate response, apart from lampooning Stolte?

JohninMK's picture

So, did MS have this on the shelf ready to go

Microsoft is releasing a MS17-010 update especially for WinXP and out of support versions of Windows!

stormsailor's picture

if it was released in march, why did it push on my xp machines thursday about 1000 hours est?   and my windows 7 systems didn't update.

fockewulf190's picture

Listen up ZH! This is the perfect false-flag event for governments the world over to declare "unregulated" crypto currencies as a threat to world security. You should listen to some of the politicians on the tee vee screaming bloody murder about how patients are in danger, risk to healthcare records, privacy issues, missing data, danger to power grids and infrastructure....the whole fucking works!

Mark my words, just like gold and silver stackers have had to put up with constant government sanctioned manipulations, raids, and flash crashes out of the blue, the crypto currencies have just had their 9-11 event. Don't think for one second this incident is not going to be used to push for worldwide regulation. You are going to hear all sorts of reasons why the crypto exchanges must be controlled; ranging from terrorism, to capital flight, to tax evasion, and extending to fighting against the dark web and the illegal drug trade. They don't want to kill the crypto concept, but they sure as hell want to control it!


If you own any Bitcoin or any other crypto currency, you should think about banking some profits before the "rules" come for a permanent visit.

new game's picture

what if the drug business isn't enough to fund all the activities needing critical monies.

enemy within looking like some villains from who knows where. and we know what they can do from vault 7.

so there is my tin foiled idea...

Tall Tom's picture




Then the street price of Drugs will increase as the result of Sessions demanding maximum sentences for Drug Convictions?


They are pretty creative. I'll have to admit that.

Countrybunkererd's picture

And this is just the very first punch thrown. 

Tall Tom's picture




Until the price of BTC declines they will throw many more.


(And you think that they cannot control that?)

peddling-fiction's picture

Yep, it is only a push jab.

They have not seen anything yet.

ResistTemptation's picture

Haha the vile cesspool known as Hollywood !

If there was a virus that could make the bottom half of Cali fall off like the dick of some infected cheapskate with a hooker addiction ... I'd mail it right to Bagelman Productions asap! 

It's a good thing those pus spewing , maggot chomping sub humans are under whatever attack comes their way.

DeathingerStar's picture

The FBI has their annual Sleaze Ball (that's about the only kind of ball they can have)... and they need funds for the hall, catering and booze.

Tall Tom's picture





And this is the way to shut down cryptocurrencies and the Internet.




This message is brought to you by the fine folks over at ISIS...er...CIA or NSA.


Enjoy your blackout you File Sharing Cryptocurrency hacks. This'll learn ya.


(Notice how they want their ransom payment in BTC?)


It was not the US Government. It was ISIS, I tell you. It was those Mooslime terrrr'ists at ISIS, those dirty scoundrels. (plausible deniability much?)


We need to go into Syria to stop them, damnit!!! Russia...Russia...Russia is behind this. So is Assad. So is Kim Un Jong. It...it...it is a CONSPIRACY.

spyware-free's picture

This is a Trump program to pay for the wall. You can bet your ass those BC wallets belong to .gov.

Keyser's picture

Rachel Madcow, is that you? 

spyware-free's picture

I guess sarcasm is beyond your comprehension

BennyBoy's picture


More blowback courtesy of the dumfuks at NSA/CIA, the smartest turds in the room.

virgule's picture

First thing I suggest to do if this happens to you, is to shut down your computer, take out the HD, and boot it into a Linux system, so at least you can make a copy in a safe environment, before things get worse.

Stranger_in_a_Strange_Land's picture

That's a good suggestion.  Boot with Knoppix (burned onto a cd) or some such; it will run direct from a cd and allow full file access.

N0TME's picture

Drunk some Kool-Aid lately?

peddling-fiction's picture

He washed down three blue pills with Kool-Aid.

Bobby wants to taste steak again...

mc888's picture

Not necessarily - if the claim is true that the data is encrypted, it's encrypted.

If it's not, then it's just 'scareware' and you should be able to recover.


duo's picture

And you know why nobody updates their Win7 or Win8 anymore, because of the Windows update that automatically upgrades your computer to Win10, leaving your computer essentially a brick. Once I heard of GWX, I stopped all updates.

brockhardman's picture

Winner of the interwebs today.

giovanni_f's picture

MDB is in the ransom business 1,2 Satoshis should suffice to make him shut up for a couple of weeks.

SickDollar's picture

Thank god I have one of those overpriced  I-laptop and not a PC


Vageling's picture

My thought too. I guess they've released him from isolation. Personally I think "it" belongs in a padded room.

He stopped changing his avatar and didn't go multiple personality disorder on us with his other accounts.

Vilfredo Pareto's picture

Accredited times is awesome.   Especially when someone falls for it and rants in the comment section.  Tmosley makes a great PC snowflake lol.