"Worst-Ever Recorded" Ransomware Attack Strikes Over 57,000 Users Worldwide, Using NSA-Leaked Tools

Tyler Durden's picture

The ransomware has been identifed as WannaCry

* * *

Update 4: According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept “I’ve never seen anything like this with ransomware," and "the last worm of this degree I can remember is Conficker.” Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over nine million computers in nearly 200 countries. As The Intercept details,

Today’s WannaCry attack appears to use an NSA exploit codenamed ETERNALBLUE, a software weapon that would have allowed the spy agency’s hackers to break into any of millions of Windows computers by exploiting a flaw in how certain version of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in governments) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them–but from the moment the agency lost control of its own exploit last summer, there’s been no such assurance.


Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up.


As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”

Update 3: Microsoft  has issued a statement, confirming the status the vulnerability:

Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt.


In March, we provided a security update which provides additional protections against this potential attack.


Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance.

Update 2: Security firm Kaspersky Lab has recorded more than 45,000 attacks in 74 countries in the past 10 hours. Seventy-four countries around the globe have been affected, with the number of victims still growing, according to Kaspersky Lab. According to Avast, over 57,000 attacks have been detected worldwide, the company said, adding that it "quickly escalated into a massive spreading."

According to Avast, the ransomware has also targeted Russia, Ukraine and Taiwan. The virus is apparently the upgraded version of the ransomware that first appeared in February. Believed to be affecting only Windows operated computers, it changes the affected file extension names to ".WNCRY." It then drops ransom notes to a user in a text file, demanding $300 worth of bitcoins to be paid to unlock the infected files within a certain period of time.

While the victim's wallpaper is being changed, affected users also see a countdown timer to remind them of the limited time they have to pay the ransom. If they fail to pay, their data will be deleted, cybercriminals warn. According to the New York Times, citing security experts, the ransomware exploits a "vulnerability that was discovered and developed by the National Security Agency (NSA)." The hacking tool was leaked by a group calling itself the Shadow Brokers, the report said, adding, that it has been distributing the stolen NSA hacking tools online since last year.

Predictably, Edward Snowden - who has been warning about just such an eventuality - chimed in on Twitter, saying "Whoa: @NSAGov decision to build attack tools targeting US software now threatens the lives of hospital patients."

*  *  *

Update 1: In a shocking revelation, The FT reports that hackers responsible for the wave of cyber attacks that struck organisations across the globe used tools stolen from the US National Security Agency.

A hacking tool known as “eternal blue”, developed by US spies has been weaponised by the hackers to super-charge an existing form of ransomware known as WannaCry, three senior cyber security analysts said. Their reading of events was confirmed by western security officials who are still scrambling to contain the spread of the attack. The NSA’s eternal blue exploit allows the malware to spread through file-sharing protocols set up across organisations, many of which span the globe.

As Sam Coates summed up...

*  *  *

We earlier reported in the disturbing fact that hospitals across the United Kingdom had gone dark due to a massive cyber-attack...

Hospitals across the UK have been hit by what appears to be a major, nationwide cyber-attack, resulting in the loss of phonelines and computers, with many hospitals going "dark" and some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E with all non-urgent operations cancelled, the BBC reports.


The UK National Health Service said: “We’re aware that a number of trusts that have reported potential issues to the CareCERT team. We believe it to be ransomware.” It added that trusts and hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire have been affected and are reporting IT failures, in some cases meaning there is no way of operating phones or computers.


At Lister Hospital in Stevenage, the telephone and computer system has been fully disabled in an attempt to fend off the attack.


NHS England says it is aware of the issue and is looking into it.

UK Prime Minister Theresa May confirms today's massive cyber hit on NHS is part of wider international attack and there is no evidence patient data has been compromised.

The situation has got significantly worse as The BBC reports the ransomware attack has gone global.


Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by parties claiming to be affected.

It is not yet clear whether the attacks are all connected. One cyber-security researcher tweeted that he had detected 36,000 instances of the ransomware, called WannaCry and variants of that name.

"This is huge," he said.

There have been reports of infections in the UK, US, China, Russia, Spain, Italy, Vietnam, Taiwan and others.

The BBB details a number of Spanish firms were among the apparent victims elsewhere in Europe.

Telecoms giant Telefonica said in a statement that it was aware of a "cybersecurity incident" but that clients and services had not been affected.


Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak.


There were reports that staff at the firms were told to turn off their computers.

In Italy, one user shared images appearing to show a university computer lab with machines locked by the same program.

Bitcoin wallets seemingly associated with the ransomware were reported to have already started filling up with cash.

"This is a major cyber attack, impacting organisations across Europe at a scale I've never seen before," said security architect Kevin Beaumont.

According to security firm Check Point, the version of the ransomware that appeared today is a new variant.

"Even so, it's spreading fast," said Aatish Pattni, head of threat prevention for northern Europe.

Several experts monitoring the situation have linked the attacks to vulnerabilities released by a group known as The Shadow Brokers, which recently claimed to have dumped hacking tools stolen from the NSA.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
East Indian's picture

Get rid of your Bitcoins, they are going to ban it.


This is a deep state attempt to discredit Bitcoins; these hackers will demand the ransom in bitcoins; "look, bitcoins are used only by criminals. come, let us ban it!"

stitch-rock's picture

No: more likely its to tank the price and get a good buying op before the real moonshot.
Think Blythe Masters...

Bunga Bunga's picture

"Look, NSA is used by criminals, let's ban it"

pine_marten's picture

They don't need to take the power grid down. That's too messy anyway.  Just throw a big wrench into the transfering of data.

ToSoft4Truth's picture

I may have overlooked this but...  where do we download the tools from?

barysenter's picture

This is great. Obamacare looks more like an application designed to extract tribute from all nations than anything to do with "healthcare". This is like a lightning bolt through every artery from the IMF to every detail of our lives. Do you see it now? Who runs Bartertown?

Mr Perspective's picture

">Update: In a shocking revelation, The FT reports that hackers responsible for the wave of cyber attacks that struck organisations across the globe used tools stolen from the US National Security Agency."

Why doesn't this line suggest that it was the NSA that did this? Come on, it's time people start to realize most of these "hacks" are done by one of the alphabet agencies. They are in reality ops, not hacks.

ToSoft4Truth's picture

There are no 'hacks'.  Hacks are are government initialized "Data Dumps". 



LA_Goldbug's picture

It's going to be a fun World for Millennials as more and more personal data is being stored in "The Cloud". Of course Putin is hacking away as we speak to get it.


Mr Perspective's picture

Isn't the cloud just that big NSA data center they built in Utah? 

/s or not. you decide

BadDog's picture

I love old Twilight Zone eposides.

johnjkiii's picture

Not to worry, just a bunch of crazy cut ups (or the World Bank) trying out their zany method to destroy Bitcoin. Wait 'til the world gov'ts decide to make it an illegal form of currency under the laundering degs. Sell yer Bits or be the last one out.

Mr Perspective's picture

It's just another pump and dump....

RougeUnderwriter's picture

This is a Trump and Putin conspiracy. Comney was getting close so he got axed. Mr Robot and F Society are also involved.

silverer's picture

It was a Bush conspiracy. They passed the law right in front of everyone's face. It was called the "Patriot Act". Nothing to sniff out. Their middle finger has been in everyone's face for quite some time on this.

Auburn's picture

Perhaps a techie can explain - if bitcoin or any distributed ledger technology maintains a permanent record of all transactions in it's history, how can a payment not be traced to the recipient?

seek's picture

You have to connect the recipient's identity to a specific transaction to unmask them.

Hundred dollar bills have serial numbers, but unless you have something that connects Carlos to a specific bill, he's pretty safe.

That said, bitcoin can be laundered -- there's specific online tools call mixers to do this -- or it can be exchanged into a different currency and either of these will pretty much guarantee anonymity. A mixer effectively disconnects the ledger entry from the input coin and gives you another unconnected coin in exchange for a few percent.

Given enough resources (e.g. state-level actors) one could unmask a large operation, but small operations are effectively anonymous with a few added steps. This one is big enough if they're not laundering the BTC as fast as it comes in they'll have some exposure risk, but it can probably be creatively managed.

LA_Goldbug's picture

Maybe that is something that these huge data centers being built by NSA are for, store all transactions and keep a permanent record history.

Jack's Raging Bile Duct's picture

Don't coins that have been through a "tumbler" carry a signature of that activity though? Is there no market stigma for that kind of behavior?

seek's picture

Like dollars and gold, bitcoin is fungible.

The $20 in your pocket is tainted by cocaine or meth residue, doesn't stop you or the store from taking it. Likewise for gold that was melted by Nazis and put into circulation.

While in theory one could blacklist certain chains if you got 50% of the bitcoin nodes to play along, that pretty much goes against everything bitcoin stands for, and won't happen specifically because it would impair fungibility and is against the interests of the people running the nodes.

WillyGroper's picture

"Hundred dollar bills have serial numbers"

those new ones with the stripe have a chip that can be tracked globally.

Big Twinkie's picture

This is just a cynical attempt by the bankers to demonize crypto currencies.

Bemused Observer's picture

That would be pretty short-sighted. Demonizing crypto currencies would necessarily mean calling into question the safety of the system itself. And at a time when more and more people are asking how safe this 'digital economy' actually IS.


If they were smart, they'd embrace one of them, and use it to show people how a cashless economy would actually work. By showing folks how it DOESN'T work, then asking everyone to ditch their cash and go 'digital', does not seem to me to be a winning strategy.

smacker's picture

Maybe not crypto currencies as a concept, but to demonize Bitcoin in particular.

Blaquehart's picture

I was just about to post the same thing. They use the same plays playbook the same levels of hysteria. This story is to promote one thing and It is how bitcoin is aiding in criminal behavior , while excusing the corrupt agencies that built them .

seek's picture

This is exactly what netsec people have been warning about as far as the risks to having back doors. The NSA's old charter was to shut back doors, making the US safer. The new charter is to put the entire world at risk so they can watch your kid's snapchats.


silverer's picture

"Used NSA Hacking Tools..."
Hey, wait a minute! Aren't the KGB's hacking tools better?

shovelhead's picture

Nope, sorry.

When it comes to destroying everything in the world, we're still #1.

abgary1's picture

The internet has become totally  unsecure and just a reminder that all of Google products are meant to track everything you do.

The question is why.

Bemused Observer's picture

I have a question, it may sound dumb, but here goes...


Is it possible to set something up so that if you WERE hacked by someone, your system would put something onto their system to muck up their stuff? It seems like establishing a connection to YOUR computer would also establish one to THEIR computer, and all roads go two ways, so...


I'm sure the big hackers would have some protections, but as a 'thing', how do-able is this? We can't stop them from trying, but perhaps something can be done to make it more risky and painful for them to just barge into people's accounts and stuff at will.


Maybe that's a better angle for approaching computer security. Not to stop them from entering, but to exploit the connection if they do, and send them a little 'gift' in return for their visit.

Jack's Raging Bile Duct's picture

It's simple enough to make a script to load XYZ file onto anything it connects with, but that would be a very dangerous and reckless thing to do. Like keeping your indiscriminately savage junkyard dog inside of your home. It would also have to mask its traffic and still make it past their firewalls & antivirus. I haven't been in the field for over a decade, so I'm not an authority anymore. Besides, you'd have to detect the intrusion to make such counter-measures useful--at which point it would be much better to simply end the intrusion.

Bemused Observer's picture

Ahh, I see your point...it couldn't be indiscriminate, but to 'aim' it properly, you'd have to be there when it happened...


Hmmm....is there no way to target a particular source, like anything emanating from say, .gov or something like that? These big-time hackers aren't just using their Yahoo email on their home computers, they must have their own set-ups. Or when the program tries to execute something it oughtn't be doing, is there no way to spot that and shut the attempt down?


If its a case of routing through somewhere else to hide the source, then there'd have to be a way of spotting that too, as the computer itself has to be able to tell the difference between something coming direct, and something that has been redirected. People can bullshit each other, but tech operates on principles that are not flexible, and can't be if it is to function. So, every message has to have a message path, or it couldn't have been delivered.


I wish I understood these things better...so many things seem to me to be common sense, but in 'tech-land' its different...*sigh!*

Mr Perspective's picture

Ya know? It's actually pretty fucking stupid to ask for Bitcoin as ransome. Most people haven't the faintest idea where to get Bitcoins from. They are, after all, dumb enough to click on some link that they know nothing about and they surely won't read the instructions.

Jugs Fan's picture

Not a good sign for bitcoin that criminals prefer it.  Government will ban it soon.

Dr. Acula's picture

My understanding is that the transaction cost for transferring a bit coin is $0.35.

It gets worse and worse every time the blockchain grows.

It sounds like a self-banning currency.

runnymede's picture

Unintended consequences 101

When developing a weapon, it might be advisable to consider how, and by whom it might be used in the future unless you can completely control its distribution.

Oh--- we're talking about .gov here. My bad.

Jack's Raging Bile Duct's picture

NSA backdoor into Windows OS? This isn't exactly new information. My buddy and I knew about that as teenagers in the late 90s. It was referred to as the "NSA Key". Just another one of those "conspiracy theories", but c'mon. At least now there is tangible and irrefutable evidence that these kind of criminal organization--I mean, agencies, don't actually make anyone safer.

Son of Captain Nemo's picture

Well... At least I still got my Au!!!

DEMIZEN's picture

i run my front computer on 16.4 ubuntu. i am posting from it. do not fool yourself into thinking that linux is safe from hacking per se, without a blend of hardware and software firewalls. It is stable and well suited for basic office productivity. it just does what is intended for.  nothing more. it is not a magic spyware proof machine. aamf it is easier to breach semiskilled ubuntu user than a windows machine.

Dr. Acula's picture

I wouldn't use Ubuntu either!

"Ubuntu ‘Spyware’ Will Be Disabled In Ubuntu 16.04 LTS" - http://www.omgubuntu.co.uk/2016/01/ubuntu-online-search-feature-disabled...


Yttrium Gold Nitrogen's picture

Make sure you have the MS17-010 patch installed. If you have automatic updates turned on, then your computer is safe, as the patch was released two months ago.

Dr. Acula's picture

"Regulators from seven countries are concerned that even after the announced changes, “Microsoft does not comply with fundamental privacy rules.”"