"Worst-Ever Recorded" Ransomware Attack Strikes Over 57,000 Users Worldwide, Using NSA-Leaked Tools

Tyler Durden's picture

The ransomware has been identifed as WannaCry

* * *

Update 4: According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept “I’ve never seen anything like this with ransomware," and "the last worm of this degree I can remember is Conficker.” Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over nine million computers in nearly 200 countries. As The Intercept details,

Today’s WannaCry attack appears to use an NSA exploit codenamed ETERNALBLUE, a software weapon that would have allowed the spy agency’s hackers to break into any of millions of Windows computers by exploiting a flaw in how certain version of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in governments) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them–but from the moment the agency lost control of its own exploit last summer, there’s been no such assurance.


Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up.


As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”

Update 3: Microsoft  has issued a statement, confirming the status the vulnerability:

Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt.


In March, we provided a security update which provides additional protections against this potential attack.


Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance.

Update 2: Security firm Kaspersky Lab has recorded more than 45,000 attacks in 74 countries in the past 10 hours. Seventy-four countries around the globe have been affected, with the number of victims still growing, according to Kaspersky Lab. According to Avast, over 57,000 attacks have been detected worldwide, the company said, adding that it "quickly escalated into a massive spreading."

According to Avast, the ransomware has also targeted Russia, Ukraine and Taiwan. The virus is apparently the upgraded version of the ransomware that first appeared in February. Believed to be affecting only Windows operated computers, it changes the affected file extension names to ".WNCRY." It then drops ransom notes to a user in a text file, demanding $300 worth of bitcoins to be paid to unlock the infected files within a certain period of time.

While the victim's wallpaper is being changed, affected users also see a countdown timer to remind them of the limited time they have to pay the ransom. If they fail to pay, their data will be deleted, cybercriminals warn. According to the New York Times, citing security experts, the ransomware exploits a "vulnerability that was discovered and developed by the National Security Agency (NSA)." The hacking tool was leaked by a group calling itself the Shadow Brokers, the report said, adding, that it has been distributing the stolen NSA hacking tools online since last year.

Predictably, Edward Snowden - who has been warning about just such an eventuality - chimed in on Twitter, saying "Whoa: @NSAGov decision to build attack tools targeting US software now threatens the lives of hospital patients."

*  *  *

Update 1: In a shocking revelation, The FT reports that hackers responsible for the wave of cyber attacks that struck organisations across the globe used tools stolen from the US National Security Agency.

A hacking tool known as “eternal blue”, developed by US spies has been weaponised by the hackers to super-charge an existing form of ransomware known as WannaCry, three senior cyber security analysts said. Their reading of events was confirmed by western security officials who are still scrambling to contain the spread of the attack. The NSA’s eternal blue exploit allows the malware to spread through file-sharing protocols set up across organisations, many of which span the globe.

As Sam Coates summed up...

*  *  *

We earlier reported in the disturbing fact that hospitals across the United Kingdom had gone dark due to a massive cyber-attack...

Hospitals across the UK have been hit by what appears to be a major, nationwide cyber-attack, resulting in the loss of phonelines and computers, with many hospitals going "dark" and some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E with all non-urgent operations cancelled, the BBC reports.


The UK National Health Service said: “We’re aware that a number of trusts that have reported potential issues to the CareCERT team. We believe it to be ransomware.” It added that trusts and hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire have been affected and are reporting IT failures, in some cases meaning there is no way of operating phones or computers.


At Lister Hospital in Stevenage, the telephone and computer system has been fully disabled in an attempt to fend off the attack.


NHS England says it is aware of the issue and is looking into it.

UK Prime Minister Theresa May confirms today's massive cyber hit on NHS is part of wider international attack and there is no evidence patient data has been compromised.

The situation has got significantly worse as The BBC reports the ransomware attack has gone global.


Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by parties claiming to be affected.

It is not yet clear whether the attacks are all connected. One cyber-security researcher tweeted that he had detected 36,000 instances of the ransomware, called WannaCry and variants of that name.

"This is huge," he said.

There have been reports of infections in the UK, US, China, Russia, Spain, Italy, Vietnam, Taiwan and others.

The BBB details a number of Spanish firms were among the apparent victims elsewhere in Europe.

Telecoms giant Telefonica said in a statement that it was aware of a "cybersecurity incident" but that clients and services had not been affected.


Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak.


There were reports that staff at the firms were told to turn off their computers.

In Italy, one user shared images appearing to show a university computer lab with machines locked by the same program.

Bitcoin wallets seemingly associated with the ransomware were reported to have already started filling up with cash.

"This is a major cyber attack, impacting organisations across Europe at a scale I've never seen before," said security architect Kevin Beaumont.

According to security firm Check Point, the version of the ransomware that appeared today is a new variant.

"Even so, it's spreading fast," said Aatish Pattni, head of threat prevention for northern Europe.

Several experts monitoring the situation have linked the attacks to vulnerabilities released by a group known as The Shadow Brokers, which recently claimed to have dumped hacking tools stolen from the NSA.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Guderian's picture

you are one ignorant mofo!

Consuelo's picture



Although it is inconvenient, always consider half a tank, an empty tank.   Don't get caught with 1/8 tank and the yellow warning light coming on when shit like this gets going...

coast1's picture

This is why I dont own bitcoin....a hacker could take every dime...

affirmed_78's picture

8 years running and the bitcoin network hasn't been hacked.  Many have tried.  Now, if you don't secure your personal wallet, that's not bitcoin's fault.  If you do secure it, you have nothing to worry about.  Buy yourself a Trezor for under $100.

Cruel Joke's picture

An electromagnetic surge from a solar storm could knock out the internet and make Bitcoin and credit/debit cards worthless, at least until most of it is rebuilt. Cash, gold & silver would still work as payment tho.

Consuelo's picture



A close friend was heard to commnet in the weeks leading up to Y2K, when a media personality stated that 'In such a state of panic, people would literally be shitting in their front yards'...   To which he retorted:


'Why can't they shit in the back yard'...?

shovelhead's picture


Relax...It won't be a crisis until the trannie porn sites get locked up. Then the libs will be on the streets screaming about...

Ah...Who the fuck cares?

Mr. Bones's picture

This isn't that sophisticated.  The attacker gets you to open a corrupted file usually by priming you by saying it's an invoice or the like.  Then the executable goes through your drives encrypting your files and splashes the ransom screen up with the countdown.  The computer system thinks that you are doing authorized file operations because you launched the program.  The ransom is so low because they usually get small businesses.

It can be mitigated with best practice or good backups, but no one does that because it would be expensive once.

Edit: there are unconfirmed reports that this is MS17-10 which is related to eternalblue from the leaks, a critical vulnerability patched by Microsoft in March.

Edit2: if it is that vulnerability, then it's sort of sophisticated in that they reverse engineered a documented vuln.  Also, it's an impeachment of the victims because they didn't patch.


techpriest's picture

We had to clean one of these up at my office recently - ALWAYS keep good backups of shit you don't want to lose.

And yes, one of the employees opened an infected file. We then had to shut everything down, and restore from the previous day's backup. Annoying, but whatever.

Yeah, if you haven't patched in 30 days that's a shame. I remember Drupalgeddon, which started 7 hours after the patch was released.

Hannibal's picture

Must be Russians.

cheech_wizard's picture

When the first web pages appeared, I always had this vision of the ultimate hack.

I even put a name to it... SADE (after the Marquis de Sade)... which stands for Search And Destroy Engine.

it's purpose was simple, hack into computers, and then delete all the web pages it finds.

Standard Disclaimer: Get busy hackers...


SubjectivObject's picture

5-11, or close enough

Wait for it .... cash will be king, for a while anyway ....

Professorlocknload's picture

Now, why am I reluctant to click on any links in the comments here?

YourAverageJoe's picture

Better fill the tanks

Falconsixone's picture

Have you tried turning it off and on again?


Well, is it plugged in?

OverTheHedge's picture

Press any key to continue....

"But, I don't have an "any" key. Which one is the NE key?"

BidnessMan's picture

If I am on life support and not responding, unplug me and then plug me back in.  See if that works.

barysenter's picture

Obamacare website: over $2 BILLION dollars.

The app that took it down: priceless.

bshirley1968's picture

I thought cash was the prefered transaction medium of criminals.

ogretown's picture

Cash??? Maybe there are still a few old criminals left who hoard cash, but you do know that you can buy *anything* you want using bitcoin - even some things that perhaps should not be offered up for sale - and in many cases what you purchase also includes delivery.  Took a walk on the wild side last year as a young lad in a coffee bar allowed me to look over his shoulder as he visited the darker side of the net. No cash, no checks (obviously), no credit cards, all *bitcoin*.  And for what it is worth, the one site we visited seemed to be doing an extremely robust business.  The kid asked me what I wanted to buy, churlish and condescending little prick - so I thought I would throw him for a loop and asked if he could get me a baby. Nonplussed he asked me sex and color without batting an eye.    

barysenter's picture

What commodity class sells itself and commands a massive premium because its criminalized by the UN? 

clade7's picture

Not any more..Now a days cash is the preferred medium of HONEST people..like buying a teeter table or some beanie babies at a garage sale...The Crooks dont go for the effort or the risk of getting pulled over with cash..'cause then the cops take it..Cash is for the honest little guy...like you and me, beanie babies, packs of gum and such...


Per the article, there aint no REAL money in cash anymore...In fact, nobody fucking wants it!  Go down to your local auto dealership tomorrow and just see..they DONT want cash!  They want you to finance with electrons!

barysenter's picture

Bill Mortimer! BILLLL! 

Turn the machines back on...

shovelhead's picture


"Haha Jared, your Russians are beautiful. This bitcoin thing will knock that prick Comey off the front page for a week and long before then I'll have em yapping about something else."

HominyTwin's picture

Let's see. It was through a backdoor created by the NSA, and you are blaming the Russian's?


You are so dumb, you should just kill yourself and sterilize your children.

chosen's picture

The key sentence is "But you have not so enough time."   Clearly this is not from an English-speaking group.  Could be Russian, or Eastern Europe.

shovelhead's picture

Bitcoin addy registered to Wei Fuk Yiu LTD., Hong Kong.

Them Russians is sneaky.

quesnay's picture

Or Chinese, or Indians, or Nigerians. Sheesh open up that mind just a little bit. Yes it could be Russians or Eastern Europeans, but it could be practically anyone, including someone in the US that purposely used bad grammar.

aardvarkk's picture

If I wanted to misdirect in this way, I would run perfect English through google translate to Swahili and back again.  Nearly guaranteed you'd have people yapping about how the attack had to have come from Mongolia or somewhere.  Meanwhile, I'm sitting in a coffee shop in an American city sipping a latte and counting my bitcoin on some exchange in Chile.

I don't think most people get how the networked world even works yet.  Physical location matters less than nothing.

chosen's picture

The interesting part is the English is perfect except for the one sentence I pointed out.  Sounds like one of the hacker creeps decided to add that on his own, after they went through a fair amount of trouble getting the English pretty much perfect.

Mr Perspective's picture

Right. Hasn't anyone learned anything from Wikileaks?
they're goddamn trolls I tell ya

OverTheHedge's picture

Or fonestar, or anyone from Cornwall, or the Appalachians  Or just smeone trying to spread some disinformation. Probably Nigerian, though.

chosen's picture

Yeah, that's right, the hackers were from Appalachia or Cornwall. (sarc)

Piranha's picture

cant wait for Obama to come out to the hackers, you didnt build that lol

Cruel Joke's picture

And he would be right, this time. 

syzygysus's picture

All your Coinbase are belong to us?


I hedge my technology, some Parrot Linux, some Windows, a bit of MacOS, some old stuff.  So no matter what, something will work until the EMP.

Jacksons Ghost's picture

Clearly Bit Coin and large denomination bills are the real problem.  Gov't knows what to do.

joego1's picture

Not good for Bitcoin futures, great exuse for Gov. to crack down on "evil" money.

daveO's picture

"Excuse" = false flag.

hooligan2009's picture

maybe it was/is a global attack across the entire WWW.

defintion of irony "nsa tools used to make the world insecure"

you can't make this shit up

Dg4884's picture

I just updated my windows spyware definitions, so I'm safe.


whatamaroon's picture

The windows based fix was supposeldy released in March. >keepin fingers crossed<.

GreatUncle's picture

You mean you installed the latest NSA spying tools /S

The NSA is good to go, us plebs not so good.

PN7's picture

My Coinbase account is getting tons and tons of $300 deposits.  You think there's any connection?

Mr Perspective's picture

Well gee, have they tried to reboot their computer?