"Worst-Ever Recorded" Ransomware Attack Strikes Over 57,000 Users Worldwide, Using NSA-Leaked Tools

Tyler Durden's picture

The ransomware has been identifed as WannaCry

* * *

Update 4: According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept “I’ve never seen anything like this with ransomware," and "the last worm of this degree I can remember is Conficker.” Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over nine million computers in nearly 200 countries. As The Intercept details,

Today’s WannaCry attack appears to use an NSA exploit codenamed ETERNALBLUE, a software weapon that would have allowed the spy agency’s hackers to break into any of millions of Windows computers by exploiting a flaw in how certain version of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in governments) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them–but from the moment the agency lost control of its own exploit last summer, there’s been no such assurance.


Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up.


As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”

Update 3: Microsoft  has issued a statement, confirming the status the vulnerability:

Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt.


In March, we provided a security update which provides additional protections against this potential attack.


Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance.

Update 2: Security firm Kaspersky Lab has recorded more than 45,000 attacks in 74 countries in the past 10 hours. Seventy-four countries around the globe have been affected, with the number of victims still growing, according to Kaspersky Lab. According to Avast, over 57,000 attacks have been detected worldwide, the company said, adding that it "quickly escalated into a massive spreading."

According to Avast, the ransomware has also targeted Russia, Ukraine and Taiwan. The virus is apparently the upgraded version of the ransomware that first appeared in February. Believed to be affecting only Windows operated computers, it changes the affected file extension names to ".WNCRY." It then drops ransom notes to a user in a text file, demanding $300 worth of bitcoins to be paid to unlock the infected files within a certain period of time.

While the victim's wallpaper is being changed, affected users also see a countdown timer to remind them of the limited time they have to pay the ransom. If they fail to pay, their data will be deleted, cybercriminals warn. According to the New York Times, citing security experts, the ransomware exploits a "vulnerability that was discovered and developed by the National Security Agency (NSA)." The hacking tool was leaked by a group calling itself the Shadow Brokers, the report said, adding, that it has been distributing the stolen NSA hacking tools online since last year.

Predictably, Edward Snowden - who has been warning about just such an eventuality - chimed in on Twitter, saying "Whoa: @NSAGov decision to build attack tools targeting US software now threatens the lives of hospital patients."

*  *  *

Update 1: In a shocking revelation, The FT reports that hackers responsible for the wave of cyber attacks that struck organisations across the globe used tools stolen from the US National Security Agency.

A hacking tool known as “eternal blue”, developed by US spies has been weaponised by the hackers to super-charge an existing form of ransomware known as WannaCry, three senior cyber security analysts said. Their reading of events was confirmed by western security officials who are still scrambling to contain the spread of the attack. The NSA’s eternal blue exploit allows the malware to spread through file-sharing protocols set up across organisations, many of which span the globe.

As Sam Coates summed up...

*  *  *

We earlier reported in the disturbing fact that hospitals across the United Kingdom had gone dark due to a massive cyber-attack...

Hospitals across the UK have been hit by what appears to be a major, nationwide cyber-attack, resulting in the loss of phonelines and computers, with many hospitals going "dark" and some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E with all non-urgent operations cancelled, the BBC reports.


The UK National Health Service said: “We’re aware that a number of trusts that have reported potential issues to the CareCERT team. We believe it to be ransomware.” It added that trusts and hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire have been affected and are reporting IT failures, in some cases meaning there is no way of operating phones or computers.


At Lister Hospital in Stevenage, the telephone and computer system has been fully disabled in an attempt to fend off the attack.


NHS England says it is aware of the issue and is looking into it.

UK Prime Minister Theresa May confirms today's massive cyber hit on NHS is part of wider international attack and there is no evidence patient data has been compromised.

The situation has got significantly worse as The BBC reports the ransomware attack has gone global.


Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by parties claiming to be affected.

It is not yet clear whether the attacks are all connected. One cyber-security researcher tweeted that he had detected 36,000 instances of the ransomware, called WannaCry and variants of that name.

"This is huge," he said.

There have been reports of infections in the UK, US, China, Russia, Spain, Italy, Vietnam, Taiwan and others.

The BBB details a number of Spanish firms were among the apparent victims elsewhere in Europe.

Telecoms giant Telefonica said in a statement that it was aware of a "cybersecurity incident" but that clients and services had not been affected.


Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak.


There were reports that staff at the firms were told to turn off their computers.

In Italy, one user shared images appearing to show a university computer lab with machines locked by the same program.

Bitcoin wallets seemingly associated with the ransomware were reported to have already started filling up with cash.

"This is a major cyber attack, impacting organisations across Europe at a scale I've never seen before," said security architect Kevin Beaumont.

According to security firm Check Point, the version of the ransomware that appeared today is a new variant.

"Even so, it's spreading fast," said Aatish Pattni, head of threat prevention for northern Europe.

Several experts monitoring the situation have linked the attacks to vulnerabilities released by a group known as The Shadow Brokers, which recently claimed to have dumped hacking tools stolen from the NSA.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
ironmace's picture

Skynet has got Shylocks.

The Ram's picture

Not seeing anything in the lame stream media...but no surprise there.  Any other sources for this??  As much as I like 'the Hedge' one source is not too crediable for a potential issue like this.

shovelhead's picture

CNN reports that the bitcoin address has been traced to 1600 Pennsylvania Ave. Washington, DC.

More news after the break...

imbrbing's picture

I thought it might have benn Hillaries bathroom closet, the clitnut foundation aint doing so well

Dickweed Wang's picture

 As much as I like 'the Hedge' one source is not too crediable for a potential issue like this.


I guess I would tend to agree with you but in this case the screen shots of the locked up computers seem awfully convincing.  For one thing, read the message sent by the hackers - English is obviously not their first language.  Could all that be faked?  Sure, but I doubt it . . . .

Kevin Trader's picture

so buy bitcoin now?

dlweld's picture

If your computer works...

Kevin Trader's picture

Is this Tyler's reset in motion

j0nx's picture

Deltree c: and restore from a backup drive. Oops you didn't make one? Oh well.

Bopper09's picture

Well, I suppose if the CIA shuts me down, I'd miss out on chats like this with you fine gentlemen.  It'd be nice to continue having internet, simply to find truth, but I'd be fine without the 4 or 5 websites that I go on.  Fuck it, EMP it all and lets get it over with.  It's highly likely inevitable anyway.

Nice talking with you these last few years. 

bluskyes's picture

intel op to demonize bitcoin

Consuelo's picture



- Demonize

- Stigmatize

- Marginalize

- $Monetize...  

Dickweed Wang's picture

Me thinks you are on to something big there BlueSky . . . nothing poses more of a threat to the world-wide banking cabal than Bitcoin and what better way to turn the general public against it?  For instance, I know that there are a lot of Joe Blow's out there that have had their computers locked up by this malware that are thinking "If it wasn't for Bitcoin they wouldn't be able to do something like this so easily . . . they need to get rid of it."  And the banksters who are behind this whole scam laugh their fucking asses off . . . .

buzzkillb's picture

How are these companies getting their bitcoin to pay the ransom? Bet that site is buying some champagne today.

GreatUncle's picture

Very likely because a bitcoin monetary system if used to measure a fiat monetary system will expose the fraud in the end.

A rope leash's picture

Just for the record, I was against computers way before they got so evil.

whatamaroon's picture

I was against cell phones before I caught the ex talking to her BF.

clade7's picture

Right here with you boys!  I was against cordless screwdrivers, chainsaws, and pneumatic nail guns until I used them once!...

Bemused Observer's picture

I turned against them when they became the size of bacteria and there was danger of accidently inhaling them during use. Thankfully that trend peaked, and now they're getting big again, but maybe too big, just below tablet size. Maybe soon a backpack model so you can carry around the new 15" screen?

bluskyes's picture

too bad their bitcoin transfers wont confirm before the files are lost

tmosley's picture

Just have to not cheap out and actually pay for priority.

reload's picture

Pretty serious that here in the UK the health service is apparently `shut down`. Horribly serious for those awaiting tretment or diagnosis. Immagine waking up from an anaesthetic and finding your procedure not done, because the surgeon could not access your notes.

Those of us who dared ask questions about the security of the multi billion overspend on the digitisation of health records were labelled `ludites`

Will it be permitted to question the digitisation of our beloved HMRC (Tax collectors / record keepers)  now? I fucking doubt it - in fact it is still a secret who got the multi billion £ contract to `facillitate the upgrade`

Funnily enough, the contents of my rather heavy, 80 year old safe - are still safe. 




Bastiat's picture

That can quickly make this a mass murder.  It will be interesting to see what they can do in tracking that bitcoin account.

Dickweed Wang's picture

It will be interesting to see what they can do in tracking that bitcoin account.


The account that the BTC are originally sent to to "release" the files is obviously not the final account used by the perps.  All they have to do is send the funds through various bitcoin tumblers before getting sent to their final/actual account(s) and the trail will be extremely hard for anyone to follow - if not totally impossible.

Bastiat's picture

". . . if not totally impossible"   That will be the intersting part.  I once overheard an NSA recruiter at a University jobfair in the 70s bragging that "we measure our computers by the acre."   It's very hard to imagine what is possible with a budget that is nearly infinite (if you count black and white sources).

Dickweed Wang's picture

You're probably right there . . . the question is at what point does this problem to become big enough for someone like the En Es Ay to dedicate the resources to do the tracking?  Even then I am not convinced they have a 100% chance of catching the guys . . . I think a lot of the talk about the invincible powers of that agency are somewhat overblown just to scare people into not doing certain things.  We shall see (probably).

techpriest's picture

They will be caught, but not through tracking the Bitcoin. Now that its an international issue, an international price will be put on the perp's head, and someone will talk. Then they can have the hackers explain how they pulled it off - at least, this should be standard police work?

Or maybe once they find out the real perps they will say it was impossible to find them, because, they can' actually arrest "them."

espirit's picture

I was wondering where the Saud's and Qatari's were going to come up with $50 Billion.

tmosley's picture

Stuff that is difficult for people is easy for AI. Evildoers would do well not to leave digital footprints in any way shape or form, because they WILL be traced back to you eventually. Every transaction in history is recorded in the blockchain. I suspect it would be trivial to trace the inputs and outputs of a service like coinjoin and reconstruct the transactions.

Probably the smartest thing they could do here is own quite a lot of bitcoin before releasing this malware and take advantage of the surge in demand to make a profit. Just dump the ransom into a dead wallet.

Grumbleduke's picture

an idea worth exploring. In the analog world a russian in Germany went short on  the soccer club BVB Dortmund (the only one listed in Germany). To boost his profits he detonated 3 bombs in the vicinity of the team bus. Nice profit for a day, then he got busted.

logicalman's picture

Luddite - a word whose meaning was corrupted by The Powers That Were, at the time and continuing to this day.

Same goes for anarchism - doesn't have anything to do with chaos of violence, just the lack of the need for 'leaders'.

Both ideas scare those who wish to control the populace for their own advantage.



OverTheHedge's picture

A long time ago, in a galaxy far away, I was briefly involved with giving the nhs, and doctors' surgeries specifically, an intranet, so they could send patient records to and from hospitals digitally. Last I heard it is is still undergoing implementation, nearly 20 years on. No one ever wanted to consider what the implications of someone hacking an entire surgery' s worth of medical notes would be, but I assume it has already happened by now. Thank God I am not involved with that nonsense any more.

reload's picture

Health records are serious things. So are Tax records. HMRC intend to have the un negotiable ability to help themselvs to `amounts due` as well as `estimated amounts deemed due`directly from the accounts of individuals - and especially small businesses. Reporting periods will become quarterly instead of annualy, and reports must be submitted in digital form only - in a format yet to be announced. This starts April 2018, so far there is no news on what software those affected will be required to use, wether it is going to be remotely compatible with their own, or their accountants systems OR indeed how much it will cost. There is also some indication that the revenue will only accespt submissions from the taxable entity directly, having your accountant do it for you may not be possible. This means in effect that, we, happless small business owners will have to bring `in house` all sorts of housekeeping functions that we have been allowed to subcontract out. Things like employee PAYE / NI and all that goes alongside it, plus employee pension administration and tax coding. It has the potential to be hugely stressful and time consuming as well as costly. Small business owners can not do this stuff nearly as cheaply or efficiently as the dedicated departments run by competant accountancy practices, who are curently allowed to do it on our behalf. Of course the lovely people at HMRC will be delighted to levy fines and penalties for mistakes or late filings direct to our bank accounts, and then relax while we go through the almost impossible `appeal proccess`.

Even more omminously, under the current system, when HMRC decide that an entity needs to be investigated, they have to provide notification and reason - effectively they have to make an appointment. Fair enough, and a well run small business can take out extremely cheap insurance to cover the cost of coping with this should it ever happen to them. Under the new system no notification of investigation will be required, a knock or boot to the door will take its place. The current few hundred £ a year premium which we insure against this £10 -20,000 fee generating event befalling us, is likely to become a multi thousand pound premium  -IF it is available at all. 

At 52 I am completely debt free. House paid for, kids university fees paid for, some hard earned savings of various types on hand, a lovely wife & 3 great, energetic outward going kids leaving the nest, showing encouraging signs of self reliance and independance. I have never taken one sigle penny from the state and always paid my taxes in full and on time. I employ a dozen staff who have mostly been with me over a decade. There have been many times when (like many I know) I have had to choose - pay the wages, pay the tax - pay myself, pay supliers? I have never paid a bill late in 22 years of trading. There have been extremely long periods without hollidays or new cars. I do not expect praise or sympathy, I  have followed my own path for my own reasons. But I really, really wonder: WHAT do our digital / faceless `modernising` overlords immagine the motivation for carrying on, while being treated increasingly like a serf actually is? 

Fuck me: I need to get out more - rant over, have a great weekend fellow Hedgers.


clade7's picture

Beautiful!  I expect to kill myself right before I die, just on the principle of being proactive and a DIY kind of personality....In all the years I have been together with myself, I have been a wonderful drinking buddy, fantastic lover, safe driver, problem solver...Intelligent speaker and an interested audience!  We love to take long drives together and walks on the beach!   I am going to miss those days We spent together when I'm gone...I doubt I could find a better friend than me...


I wanna do it up right though, something outside of the norm even...Creative and appropriate for an unusual Life Well Lived.....People say about riches and possessions: "You cant take it with you!"...Granted...Although, if you contemplate and develope a realistic plan, you can certainly take somebody else along riding shotgun!

OverTheHedge's picture

Don't get out more - just get out. Serious question - what do you get out of it all? Only you can answer that, but if the answer is not to your liking, give it all up. The hardest decision I ever made, was to stop working. Everything else after that was easy, and I now live in paradise, even if it is a bankrupt paradise.

reload's picture

Excellent question. My 20's were spent chasing money and adrenaline in the way depicted in my avatar. In my 30's it got very empty very quickly when the kids started arriving. I changed tack, turned a hobby/ interest into a one man business. It grew and stopped being a hobby, but growing a business was rewarding in the sense that all the problems were mine to solve. The compromises, mine to resolve. I suppose, the business itself became the hobby, our trade the vehicle for it to travel on. Its success has given me much satisfaction, not least seeing my first 3 employees grow with the business and make good life choices while turning from boys into men. Having customers stick with us through decades is satisfying too.

I think what I want is simply to keep what I have. The sense that this is possible shrinks by the day. The taxes I once paid in the belief that they produced a functional society in which to live and work, is a belief that is harder to sustain. The notion that a big part of this functioning society was due to the independence of the judiciary and the rule of equally applied laws was a motivation and comfort. Those basic beliefs that the state, despite its inefficiency and sloth, was essentially benevolent are gone. The rapacious determination to wrest more control, more power and more wealth from the population and into the hands of politicians, unaccountable NGO,s and multi national corporations is a relentless multi channel effort.
Like many, I just want to be left alone, I want less government, not more. I want accountable decision makers in the realm of public life.
I am not holding my breath !

GreatUncle's picture

UK government should have coded its own operating system so it could stay in control for the NHS, police, education = the nation.

Oh no, got to buy windows ... the political establishment put their faith in an NSA backdoor.

JohninMK's picture

Of course they did, their protection team, in Cheltenham, were blood brothers and nothing they did could or would ever escape.

Would it?

spastic_colon's picture

hurry!! we need more .gov control of the internet STAT!

espirit's picture

A little EMP will do just fine, thank you.

artichoke's picture

It's so great that Obamacare forced so much medical stuff off of paper and onto the internet.  Isn't it?  F U Obama.

Snaffew's picture

I'm guessing CHKP hits $110 plus next week off a momo play of this news.

Savyindallas's picture

Well? He probably did-don't you think? 

KGB, murderer, invades other countries, stole our election away from Hillary, congressmen from both sides of the aisle will likely conclude this. (except for Rand Paul, Tulsi gabbard and a few others) ? 

All the evidence is adding up. Yep  -looks like it was Putin. Let's send the Tomohawks into Moscow. Ungrateful bunch  - and after we saved their sorry asses by bailing them out and defeating the Nazis.