"Worst-Ever Recorded" Ransomware Attack Strikes Over 57,000 Users Worldwide, Using NSA-Leaked Tools

Tyler Durden's picture

The ransomware has been identifed as WannaCry

* * *

Update 4: According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept “I’ve never seen anything like this with ransomware," and "the last worm of this degree I can remember is Conficker.” Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over nine million computers in nearly 200 countries. As The Intercept details,

Today’s WannaCry attack appears to use an NSA exploit codenamed ETERNALBLUE, a software weapon that would have allowed the spy agency’s hackers to break into any of millions of Windows computers by exploiting a flaw in how certain version of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in governments) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them–but from the moment the agency lost control of its own exploit last summer, there’s been no such assurance.


Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up.


As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”

Update 3: Microsoft  has issued a statement, confirming the status the vulnerability:

Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt.


In March, we provided a security update which provides additional protections against this potential attack.


Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance.

Update 2: Security firm Kaspersky Lab has recorded more than 45,000 attacks in 74 countries in the past 10 hours. Seventy-four countries around the globe have been affected, with the number of victims still growing, according to Kaspersky Lab. According to Avast, over 57,000 attacks have been detected worldwide, the company said, adding that it "quickly escalated into a massive spreading."

According to Avast, the ransomware has also targeted Russia, Ukraine and Taiwan. The virus is apparently the upgraded version of the ransomware that first appeared in February. Believed to be affecting only Windows operated computers, it changes the affected file extension names to ".WNCRY." It then drops ransom notes to a user in a text file, demanding $300 worth of bitcoins to be paid to unlock the infected files within a certain period of time.

While the victim's wallpaper is being changed, affected users also see a countdown timer to remind them of the limited time they have to pay the ransom. If they fail to pay, their data will be deleted, cybercriminals warn. According to the New York Times, citing security experts, the ransomware exploits a "vulnerability that was discovered and developed by the National Security Agency (NSA)." The hacking tool was leaked by a group calling itself the Shadow Brokers, the report said, adding, that it has been distributing the stolen NSA hacking tools online since last year.

Predictably, Edward Snowden - who has been warning about just such an eventuality - chimed in on Twitter, saying "Whoa: @NSAGov decision to build attack tools targeting US software now threatens the lives of hospital patients."

*  *  *

Update 1: In a shocking revelation, The FT reports that hackers responsible for the wave of cyber attacks that struck organisations across the globe used tools stolen from the US National Security Agency.

A hacking tool known as “eternal blue”, developed by US spies has been weaponised by the hackers to super-charge an existing form of ransomware known as WannaCry, three senior cyber security analysts said. Their reading of events was confirmed by western security officials who are still scrambling to contain the spread of the attack. The NSA’s eternal blue exploit allows the malware to spread through file-sharing protocols set up across organisations, many of which span the globe.

As Sam Coates summed up...

*  *  *

We earlier reported in the disturbing fact that hospitals across the United Kingdom had gone dark due to a massive cyber-attack...

Hospitals across the UK have been hit by what appears to be a major, nationwide cyber-attack, resulting in the loss of phonelines and computers, with many hospitals going "dark" and some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E with all non-urgent operations cancelled, the BBC reports.


The UK National Health Service said: “We’re aware that a number of trusts that have reported potential issues to the CareCERT team. We believe it to be ransomware.” It added that trusts and hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire have been affected and are reporting IT failures, in some cases meaning there is no way of operating phones or computers.


At Lister Hospital in Stevenage, the telephone and computer system has been fully disabled in an attempt to fend off the attack.


NHS England says it is aware of the issue and is looking into it.

UK Prime Minister Theresa May confirms today's massive cyber hit on NHS is part of wider international attack and there is no evidence patient data has been compromised.

The situation has got significantly worse as The BBC reports the ransomware attack has gone global.


Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by parties claiming to be affected.

It is not yet clear whether the attacks are all connected. One cyber-security researcher tweeted that he had detected 36,000 instances of the ransomware, called WannaCry and variants of that name.

"This is huge," he said.

There have been reports of infections in the UK, US, China, Russia, Spain, Italy, Vietnam, Taiwan and others.

The BBB details a number of Spanish firms were among the apparent victims elsewhere in Europe.

Telecoms giant Telefonica said in a statement that it was aware of a "cybersecurity incident" but that clients and services had not been affected.


Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak.


There were reports that staff at the firms were told to turn off their computers.

In Italy, one user shared images appearing to show a university computer lab with machines locked by the same program.

Bitcoin wallets seemingly associated with the ransomware were reported to have already started filling up with cash.

"This is a major cyber attack, impacting organisations across Europe at a scale I've never seen before," said security architect Kevin Beaumont.

According to security firm Check Point, the version of the ransomware that appeared today is a new variant.

"Even so, it's spreading fast," said Aatish Pattni, head of threat prevention for northern Europe.

Several experts monitoring the situation have linked the attacks to vulnerabilities released by a group known as The Shadow Brokers, which recently claimed to have dumped hacking tools stolen from the NSA.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
TrumpRally's picture

They can trace them but by the time they catch up with them they will be gone. 

TrumpRally's picture

First of all this just smells of a government scam. I mean really Bitcoin? This could affect the markets.

The analysts at Shepwave have been showing some intersting technicals in most of the equity indexes as well as in gold and oil lately. In fact they had a sudden reversal buy signal in the gold mining plays that really played out in like two days.  So, i think something is going on.


some of their old charts and market calls can be found on a fb page. https://www.facebook.com/166578775325/photos/a.10153488951800326.1073741827.166578775325/10154415124400326/?type=3&theater 

Timming's picture

The calls from SW are dead on. I also follow Avi and there is no comparison.  But of course SW has been doing that crap for like a half a century.  I believe that does make a diference.  This week is going to be another good one I think. 

IridiumRebel's picture


The way that SHEPWAVE does tech analysis and SHEPWAVE's incredible insight make SHEPWAVE the most SHEPWAVE SHEPWAVE. I mean SHEPWAVE can SHEPWAVE the SHEPWAVE SHEPWAVE. Holy lord SHEPWAVE!!!! And remember, SHEPWAVE yada SHEPWAVE yada yada!

bookofenoch's picture

Shill elsewhere. Take your upvoting alias identities with you.

Shepwave is SPAM.

CardiacTrader's picture

Great calls last week from them. Thanks.

MexInvest's picture

Good investing and trading calls but there are not any real traders or investors left on here. Most have lost their money being bearish many years too early. 

Truthseeker20's picture

They would love to get rid of bitcoins. This could give them the reason.


Dilluminati's picture

The reason the world is burning down is because companies like Microsoft get away with charging money for crappy software, I'm "resetting this PC" or re-installing everything on a laptop becuase, you guessed it the updates don't work.

This is why companies don't update and upgrade because if they do they go into a loop with critical systems.


It's beyond absurd, piss poor and that is why Microsoft tells people they can now do Linux on their crappy software.

LA_Goldbug's picture

"This is why companies don't update and upgrade because if they do they go into a loop with critical systems."

So to encourage them to part with their money you "help" them make the right decision by .....

That is in the "national Interest".

Dilluminati's picture

Some of the older systems are fragile, but you don't see Linux getting ransomed now do you?

Microsoft is for people without brains.

It is patently pathetic that that company can force everyone to an OS and then shit on that parade the way they have.

If I had a secure way to "tether" pdanet I'd dump their pathetic asses..  

Falcon49's picture

Is this another .... problem, reaction, solution... scam?  What better way to muddy the water than to purposely leak these things?  Then orchestrate (or, facilitate to happen) a massive attack like this.  The blame game could include just about anybody....people, organization, or state. 

But, most interesting will be how it will be hyped to manipulate the reaction that will support one or more (in the wings) solutions.  Will one of its uses may be to blame the North Koreans for a cyber attack (an act of war)?  To justify???  Or, perhaps to encourage (through fear or law) everybody to go to the cloud? (very convenient for NSA) ...or, encourage everybody to move to the latest updated OS with built in backdoors.....Never let a good crisis go to waste.  

Interesting that it appears that some infrastructure and industry was affected. 

Frankly, it does not make sense for a criminal organization to do something on this scale...as it would immediately result in a massive response from governments and law enforcement. 

toocrazy2yoo's picture

Public Service Announcement, brought to you by the good folks at NSA: This Is NOT A Test! Ha! Still, it stops being funny when it stops being YOU.

toocrazy2yoo's picture

If a hack is gonna get out, not too bad for it to be ours, the ladies of NSA kept it from hitting US. Hell, maybe it was deliberate, a test? Ah well, none of my B-I-Z- business.

toocrazy2yoo's picture

Everyone, or 95% anyway. is unprotected against the newest hacks and trojans, but we didn't get hit here too much, or yet. In most business networks, especially hospitals, updates are installed on (pushed out to) workstations at the whim and command of whoever is in charge of IT. They don't occur automatically because a responsible IT guy will install updates on his test bench workstations and run the shit out of them before he sends them out to the rest, and then in only small groups. These are huge networks, dozens of locations, thousands of users attached. In critical healthcare environments it all has to work because people can croak as we saw yesterday. Windows updates will kill your network, glitch your workstation, slow things down, they're a PITA. So? Updating is an exhausting procedure and always ongoing, and so lots of folks went unprotected. Happens. Besides, even Microsoft has to see the hack to build and install a fix. Same for Norton, for all of them.

And so the spinning wheels turns. $$

rumblefish1968's picture

If I wrote a bunch of hacking tools and they got out, and others use them for crime, then I would be locked up forever. Why the hell are we tolerating ANY ORGANISATION doing this, they must be financially liable. Come on guys , its a clear case for a class action law suit against the US gov. Jeez, think about it, they purposefully waste every organisation on the planets valuble time having to update security patches and piss around fixing crap. I mean, these guys on any measure normal decent hard working people ,including their own families are low on the scale of excrement. Snivelling arsewipes who troll through other peoples undies drawers looking for some dirty "nickers". How do we send them a message that we (the people that actually work on making things, rather than raking muck) want them (the weedley little snivelling arse wipes that hide behind their positions and harm people via remote control) to just f*ck off and die?

Last of the Middle Class's picture

The downside of letting your software manufacturer control absolutely your computer a.k.a. "cloud computing" is nothing more than one big party line where everyone has everyone elses' data. It's all just one click and a "'password" away. I think it was Wozniak who said cloud computing was a "really bad idea". Duh! and the public is sold another techie scam that will cost billions and possibly a few lives to claw back. How stupid

Last of the Middle Class's picture

I NEVER open email anymore unless I can verify exactly who and where and when it was sent by a non computer (and certainly not my fucking iphone) means. In todays world that is just plain stupid.

JohninMK's picture

Microsoft is releasing a MS17-010 update especially for WinXP and out of support version of Windows!

PleasedToMeatYou's picture

How do we know this isn't an NSA operation? 

Son of Captain Nemo's picture

Few things are certainly very clear with this latest "attack"...

1) If you're a 'Buttcoin' holder the machine(s) that got infected were obviously looking for "buttchain" and were thus "MARKED"!

2) Doesn't do you a great deal of good owning "Buttcoin" if you can't use your system to transact with it... And even if you do have another system to "transact with" outside of the one that's been infected and is viable the individual(s) who pulled this off have all of your information ANYWAY!

3) The speculation is that the vast majority of the systems that got nailed are "Microsoft"?... If the stock for Microsoft goes up as well as a rise in price for "Buttcoin" continues in tandem next week I think it's safe to say "IT'S A SIGN"!

Farqued Up's picture

Shut the hospitals and the FDA down and the death rate would follow closely behind.

TemporarySecurity's picture

Only if all health information and records is controlled by a single entity like the federal government.

Time we become free again and be able to take whatever we want for our illnesses and using doctors for consultation.

Old Poor Richard's picture

Next thing you know, the government is just going to take over Windows and Apple software, "protect" us by installing their own backdoor overtly and plug the holes that were left open for them to covertly exploit. No hole anymore--it was built in from the factory.

The thing is, this exploit was patched in March, but the IT fuckwits who let it happen at all these companies aren't getting the blame. Hundreds, maybe thousands, of people should be fired as a result of this, but little will actually happen. My company is unaffected, my home computers are unaffected. This specific debacle is gross negligence pure and simple. Who the fuck puts service-critical systems out on the internet without a hardware firewall and individual machine software firewalls?

lakecity55's picture

"If you want your internets, you can keep your internets!"


restelle's picture

That's Microshaft Windblows for ya. 

Use Linux instead.  Dump Gate's Garbage.

highwaytoserfdom's picture

RomBama   DNC/RNC  raid of Fannie and Fredie was enough sick care funding now going after bitcoin.


Fuck drug funded oxymorinic intelegence fear mongers? Just another relm of http://www.zerohedge.com/news/2017-03-07/ever-growing-list-admitted-fals...


Remember the Ideas are the power. Never trust the sources...  this is  " Divide et impera"  Chaos yup dived and conquer used by recursive algorithms, Chomsky/Buckley  DNC/RNC  Trump/Hillery.    

FreeDumb FreeDumb FreeDumb Google "do no Evil" Amzon "NSA AWS servers"

Hope is alive http://www.naturalnews.com/2017-02-14-india-tosses-out-gates-foundation-...


"Sweet Caroline" "Sweet Caroline" "Sweet Caroline" "Sweet Caroline"




Griffin's picture

A accidental hero found the kill switch to stop this bug aparently.



Europol has warned that a "complex international investigation" would be required to "identify the culprits".


Its interesting that one of the main targets is Russia, and the attack on the NHS is excellent material to create a public outrage, demonizing hackers.

So many wins for certain types of people.

lakecity55's picture

If the cops in different countries want to find these guys, they will find them.

Hopefully they get them to confess, get the details, then rendite their asses to a Black Site.


me or you's picture

I bet Israel has not been attacked. 

I wonder why? 

BustainMovealota's picture

Anybody following that hash on blockchain???

Insurrexion's picture

Microsoft, Facebook, Google, Apple, Twitter is om af te gaan.


lakecity55's picture

"The malware, wearing a red Federation shirt, was the first to go."

Youri Carma's picture

'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack

Spread of malware curtailed by expert who simply registered a domain name for a few dollars, giving many across world time to protect against attack

- Cyber-attack hits dozens of countries – live updates
- Massive ransomware cyber-attack hits 74 countries around the world

I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental https://twitter.com/MalwareTechBlog/status/863187104716685312

lakecity55's picture

I should have scrolled down, but this is good news.

Great Catch!

cherry picker's picture

"They" claim to see the bitcoin wallets filling up with coin.

Like a dam and the lake behind it filling with water.  If they see the lake filling with water, I am sure there are ways to determine where the water originates from and when the dam lowers its gates to release bitcoin wealth, they know where it is going downstream and who collects it.

Probably a government agency of some kind.

Government likes to play God, does some good things but also created evil.  Go figure.

Insurrexion's picture

Ngemva ufunda lesi sihloko, Khohlwa Mayelana futhi Babuyele Ukulala. 


Grandad Grumps's picture

The attack seems very large and coordinated ... only an agency can mount something this large. This looks more like the NSA attacking with their opwn weapon ... or CIA or FBI or Mossad... maybe all the bad guys.

LibertarianMenace's picture

The solution is simple, don't use fucking computers, and if you must, don't hook them the fuck up to anything else.

LibertarianMenace's picture

A cyber "attack"? More like a demonstration of what SW manufacturers do to their software to satisfy the extortive demands of the USG. And if they don't aquiesce? No software soup for you - no U.S. sales permitted. 

Reaper's picture

Your government god is dead. Our central Intelligence planners weren't intelligent enough to understand unintended consequences. Yeah, it's great that computers have back-doors into which the government can enter, but neglecting the consequence that others might also enter.

If five hundred half-wit intelligence hacks form a consensus, it's still half-witted.