24 Hours Later: "Unprecedented" Fallout From "Biggest Ransomware Attack In History"

Tyler Durden's picture

24 hours after it first emerged, it has been called the first global, coordinated ransomware attack using hacking tools developed by the NSA, crippling over a dozen hospitals across the UK, mass transit around Europe, car factories in France and the UK, universities in China, corporations in the US, banks in Russia and countless other mission-critical businesses and infrastructure.

According to experts, "this could be one of the worst-ever recorded attacks of its kind." The security researcher who tweets and blogs as MalwareTech told The Intercept, “I’ve never seen anything like this with ransomware,” and “the last worm of this degree I can remember is Conficker.” Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over 9 million computers in nearly 200 countries.

The fallout, according to cyber-specialists, has been "unprecedented": it has left unprepared governments, companies and security experts from China to the United Kingdom on Saturday reeling, and racing to contain the damage from the audacious cyberattack that spread quickly across the globe, raising fears that people would not be able to meet ransom demands before their data are destroyed.

As reported yesterday, the global efforts come less than a day after malicious software, transmitted via email and stolen from the National Security Agency, exposed vulnerabilities in computer systems in almost 100 countries in one of the largest “ransomware” attacks on record. The cyberattackers took over the computers, encrypted the information on them and then demanded payment of $300 or more from users in the form of bitcoin to unlock the devices.

The ransomware was subsequently identified as a new variant of "WannaCry" that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft's Windows operating system.

The ransomware has been identifed as WannaCry

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a "worm", or self spreading malware, by exploiting a piece of NSA code known as "Eternal Blue" that was released last month by a group known as the Shadow Brokers (see "Hacker Group Releases Password To NSA's "Top Secret Arsenal" In Protest Of Trump Betrayal") , researchers with several private cyber security firms said.

"This is one of the largest global ransomware attacks the cyber community has ever seen," said Rich Barger, director of threat research with Splunk. The extremely well coordinated attack first emerged in the United Kingdom around noon on Friday and spread like wildefire around the globe. According to the Times "it has set off fears that the effects of the continuing threat will be felt for months, if not years" and raised questions about the intentions of the hackers: Did they carry out the attack for mere financial gain or for other unknown reasons?

The animated map below shows the speed and scale of the global infestation which took just a few hours to cover the globe:

Meanwhile, some of the world’s largest institutions and government agencies have been affected, including the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service. As people fretted over whether to pay the digital ransom or lose data from their computers, experts said the attackers might pocket more than $1 billion worldwide before the deadline ran out to unlock the machines.

Across Asia, several universities and organizations said they had been affected. In China, the virus hit the computer networks of both companies and universities, according to the state-run news media. News about the attack began trending on Chinese social media on Saturday, though most attention was focused on university networks, where there were concerns about students losing access to their academic work. The attack, however, focused on the UK and Europe where in addition to the British healthcare system, companies like Deutsche Bahn, the German transport giant; Telefónica, a Spanish telecommunications firm; and Renault, the French automaker, said some of their systems had been affected.

"Seeing a large telco like Telefonica get hit is going to get everybody worried," said Chris Wysopal, chief technology officer with cyber security firm Veracode.

The British National Health Service said that 45 of its hospitals, doctors’ offices and ambulance companies had been crippled — making it perhaps one of the largest institutions affected worldwide. Surgical procedures were canceled and some hospital operations shut down as government officials struggled to respond to the attack.

“We are not able to tell you who is behind that attack,” Amber Rudd, Britain’s home secretary, told the British Broadcasting Corporation on Saturday. “That work is still ongoing.”

Things only got worse on Saturday as auto production facilities across Europe have been shuttered, including car plants in the UK and France, in the aftermath of the cyberattack.

In total, more than 75,000 computers in 99 countries were compromised in Friday’s attack, with a heavy concentration of infections in Russia and Ukraine, according to Dutch security company Avast Software BV. Russia’s Interior Ministry, with oversees the country’s police forces, said “around 1,000 computers were infected,” which it described as less than 1 percent of the total, the New York Times reported. The ministry said technicians had stopped the attack and were updating the department’s “antivirus defense systems,” according to the Times. Russia's RIA reported that the central bank said on Saturday it had detected "massive" cyber attacks on domestic banks, which successfully thwarted them.

* * *

There has been some good news: an ingenious discovery appears to have halted the spread of the virus for now. 

As part of the digital attack, the hackers included a way of disabling the malware in case they wanted to shut down their activities, Ars Technica reported. To do so, the assailants included code in the ransomware that would stop it from spreading if the virus sent an online request to a website created by the attackers. The kill switch would stop the malware from spreading as soon as the website went online and communicated with the spreading digital virus.

A British-based researcher, who declined to give his name, registered a
domain that he noticed the malware was trying to connect to, limiting
the worm's spread. When the 22-year-old British researcher, whose Twitter handle is @MalwareTechBlog, confirmed his involvement but insisted on anonymity because he did not want the public scrutiny, saw that the kill switch’s domain name — a long and complicated set of letters — had yet to be registered, he bought it himself. By making the site go live, the researcher shut down the hacking attack before it could fully spread to the United States.

However, this temporary workaround will only last for a few days if not hours.

“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” wrote the @MalwareTechBlog researcher. “So long as the domain isn’t revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.

“The kill switch is why the U.S. hasn’t been touched so far,” said Matthieu Suiche, founder of Comae Technologies, a cybersecurity company in the United Arab Emirates. “But it’s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”

Adds Reuters: "We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain," said Vikram Thakur, principal research manager at Symantec.

"The numbers are extremely low and coming down fast." But the attackers may yet tweak the code and restart the cycle. The British-based researcher who may have foiled the ransomware's spread told Reuters he had not seen any such tweaks yet, "but they will."

* * *

Meanwhile, questions are mounting why code created by the NSA. has i) fallen in the wrong hands and ii) is being used to hold the world hostage. As the NYT notes, the ability of the cyberattack to spread so quickly was partly because of its high level of sophistication.

The malware, experts said, was based on a method that the N.S.A. is believed to have developed as part of its arsenal of cyberweapons. Last summer, a group calling itself the “Shadow Brokers” posted online digital tools that it had stolen from the United States government’s stockpile of hacking weapons.  The connection to the N.S.A. is likely to draw further criticism from privacy advocates who have repeatedly called for a clampdown on how the agency collects information online.

Brian Lord, a former deputy director for intelligence and cyber operations at Government Communications Headquarters, Britain’s equivalent to the N.S.A., said that any investigation, which would include the F.B.I. and the National Crime Agency of Britain, would take months to name the potential attackers, if it ever does. And by focusing the attacks on large institutions with a track record of not keeping their technology systems up-to-date, global criminal organizations were cherry-picking easy targets that were highly susceptible to such hacks, according to Mr. Lord.


“Serious organized crime is looking to these new technologies to the maximum effect,” Mr. Lord said. “With cybercrime, you can operate globally without leaving where you already are.”


He added of this attack: “It was well thought-out, well timed and well coordinated. But, fundamentally, there is nothing unusual about its delivery. It is still fundamentally robbery and extortion.”

For now, the victims - both actual and potential - may have bought themselves some time. As part of the efforts to combat the attack, Microsoft, whose Windows software lies at the heart of the potential hacking vulnerability, released a software update available to those affected by the attack and others who could be potential targets. Microsoft took the “highly unusual” step of securing early operating systems in the wake of a massive ransomware attack that wreaked havoc on global computer networks, including the UK’s National Health Service. Overnight, Microsoft XP received the new security patch three years after the computer giant discontinued support for the OS.

“Seeing businesses and individuals affected by cyberattacks, such as the ones reported today [Friday], was painful,” a Microsoft statement read. “We are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.”

Security experts however said the upgrade came too late for many of the tens of thousands of machines that were locked out and whose data could be erased if people did not pay the ransom. Earlier this year, Microsoft created a patch called MS17-010 to guard against the virus. But older, unsupported operating systems were not included in the update.

Making matters worse, government officials and industry watchers also warned on Saturday that other hackers might now try to use the global ransomware attack for their own means, potentially tweaking the code and developing their own targets for new cyberattacks.

* * *

Finally, there is the question who is behind this coordinated global attack. Not surprisingly, Russia has been named. There is a high-probability that Russian-language cyber-criminals were behind the attack, said Aleks Gostev, chief cybersecurity expert for Kaspersky Labs. “Ransomware is traditionally their topic,” he said cited by Bloomberg. “The geography of attacks that hit post-Soviet Union most also suggests that.”

Whoever is the responsible party behind this first, global, coordinated ransomware attack, the have demonstrated one thing: the world is thoroughly unprepared for cyberwar.

“As with everything in cyber, we’re now waiting for the next type of attack,” Paul Bantick, a cyber security expert at Beazley, a global insurance underwriter, told the NYT.

“Ransomware like this has been on the rise over the last 18 months,” he added. “This represents the next step that people were expecting.”

As such, it is only a matter of time now before an even greater, more destructive cyberattack is unleashed on the world.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
TahoeBilly2012's picture

Putin did it, sending the profits to Trump. Just ask-

Adam "Schiff"

Diane "Feinstein"

Chuck "Schumer"

Ect. ect. such nice Germans these people.



Laddie's picture

That is the old story and one has to wonder if anyone really believes that any longer.

Why America Losing Its Cyberwar Stockpile is Good for America March 10, 2017

AlaricBalth's picture

There is a group out there right now looking to lock up so called smart phones for ransom. When it happens, and it will, I will discard my phone and live an analog life. The constant calls, texts and emails have not made my life more efficient. They have just created more havoc and clutter. It is past time to start implementing a plan for alternative means of communication. Go out and find an old style rotary dial phone. It may come in handy.

Troy Ounce's picture


Please please stop this. We need internet oversight, regulation, NSA on top of this.

Please FBI, read my emails, listen to my phone.

Criminals, paedophiles AAAAAaaargggghhhh

Chupacabra-322's picture

The "Spoofing" or Digital Finger Print & Parallel Construction tools that can be used against Governments, Individuals, enemies & adversaries are Chilling.

The CIA can not only hack into anything -- they can download any "evidence" they want onto your phone or computer.  Child pornography, national secrets, you name it.  Then they can blackmail you, threatening prosecution for whatever crap they have planted, then "found" on your computer.    They can also "spoof" the source of such downloads -- for instance, if they want to "prove" that something on your computer (or Donald Trump's computer) came from a "Russian source"  -- they can spoof the IP address of a Russian source.

The take-away:  no digital evidence the CIA or NSA produces on any subject whatsoever can be trusted.  No digital evidence should be acceptable in any case where the government has an interest, because they have the complete ability to fabricate and implant any evidence on any iphone or computer.  And worse:  they have intentionally created these digital vulnerabilities and pushed them onto the whole world via Microsoft and Google. Government has long been at war with liberty, claiming that we need to give up liberty to be secure.  Now we learn that they have been deliberately sabotaging our security, in order to augment their own power.  Time to shut down the CIA and all the other spy agencies.  They're not keeping us free OR secure, and they're doing it deliberately.  Their main function nowadays seems to be lying us into wars against countries that never attacked us, and had no plans to do so.

The Echelon Computer System Catch Everything
The Flagging goes to Notify the Appropriate Alphabet,,,...Key Words Phrases...Algorithms,...It all gets sucked up and chewed on and spat out to the surmised computed correct departments...That simple.

Effective immediately defund, Eliminate & Supeona it's Agents, Officials & Dept. Heads in regard to the Mass Surveillance, Global Espionage Spying network & monitoring of a President Elect by aforementioned Agencies & former President Obama, AG Lynch & DIA James Clapper.

BaBaBouy's picture

After The Fallout...
Bitcoinz Will Be Toast ...

Oracle of Kypseli's picture

Time to outlaw bitcoin then? 

in4mayshun's picture

This whole deal could very well be a false flag with the intent of showing that Bitcoin is a currency for outlaws and therefore should be illegal.

fockewulf190's picture

"This whole deal could very well be a false flag with the intent of showing that Bitcoin is a currency for outlaws and therefore should be illegal".

I am convinced it is, but it encompasses ALL of the crypto currencies, not just Bitcoin. The globalists have gained MASSIVE political capital to enact controls on the crypto exchanges in exchange for negligible capital damage. With this one coordinated global attack, they have managed to empower every government on Earth with the excuse they need to act. The globalists have pulled off a stunning success.

Mr 9x19's picture

can't wait for auto pilot cars, plane, and so long.

AltRight Girl's picture

all thank to the "professional" NSA that lost their tools and then kept mum about it, even when news appeared in the press last month. they could have given a heads up to Microsoft and other targets.

NSA “Trained Virus Community to Do Significant Damage” with Malware Tools

sleepingbeauty's picture

Assange even offered to work with the major manufacturers and OS's to fix the zero days but they all declined.

Placerville's picture

You can still buy on Local BitCoins even if the exchanges are shut down. It will just raise the price even more. Ask anyone in a country where they are devaluing the currency, they're better off in Crypto currency than government funny money.

Did anyone else notice that the crypto markets took a dive just as NY markets were about to close on Friday afternoon?


Hobbleknee's picture

Of course the story is fake. Where did they get all these fake numbers over night from around the world?

flash338's picture

I'd cheer more if this fucker hit the comex 

mrtoad's picture

what about the other 731 crypto currencies???  Bitcoin is 1 of 731.   http://coinmarketcap.com/


Oracle of Kypseli's picture

So then, Weiner's computer full of Hilary's emails is an NSA job?

I wonder if these hackers can render the US modern weaponry ineffective and absolete. Drones will now be flying upside down and shoot at the moon?

Just wondering! 

espirit's picture

Carlos Danger's puter never got the update.

... and it's gone... !!!

OverTheHedge's picture

"Finally, there is the question who is behind this coordinated global attack"

Well, logic would dictate that the people who originally wrote the code would be the most likely suspects? Occam's Razor, and all that.

Can we assume that this year's poppy crop isn't looking good, and a new income stream was needed? If this is the case, either no-one will be named, or the Russians will be blamed repeatedly, because “Ransomware is traditionally their topic,” apparently.

PT's picture

Makes Vault 7 sound like an exercise in Plausible Deniability.

OverTheHedge's picture

Woohoo! I got a down vote! And who says the NSA doesn't read zerohedge?

Actually, feel free to point out the error of my comment above. Go ahead, I want to learn.

11b40's picture

Riddles inside riddles, preferably delivered wrapped in a conundrum. Impossible to "know" with certainty.

cheech_wizard's picture

>The CIA can not only hack into anything

But they still can't crack Kryptos... https://en.wikipedia.org/wiki/Kryptos

>Registering the domain was the killswitch...

...and yet, The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who lives with his parents and works for Kryptos logic, an LA-based threat intelligence company.

Standard Disclaimer: Go figure... just another strange coincidence of a butterfly flapping it's wings.

East Indian's picture

You are an anti-malware techie, you work for an anti-malware company, and you stop a malware from spreading into America. Imagine how much free publicity and advertisement you would get. Imagine the sale of your product shooting up overnight. And yet you don't want to reveal your identity?


Deep State stooge. And the purpose is to discredit Bitcoins as the money of the criminals.

IndyPat's picture


The idea is was Russian hackers is also laughable. Sure, ransom has been their MO for a while, but I'm pretty fucking sure they have a 'sheer, don't slaughter' policy. Something this massive is way more attention than they'd ever want. It also threatens their very mode of recieving the ransom.

That Microsoft is being painted the victim in this makes me want to vomit.
They left the doors wide open. In full collusion of Deep State. They should be sued six ways to Sunday.

3.7.77's picture

So if this is a NSA tool, is the American tax payer on the hook for lost revenue of businesses affected?

Cloud9.5's picture

Guess this is how Hillary gets of

Bigern's picture

Lesson learned, don't own a PC, laptop, or internet capable device.

waterwitch's picture

That's why all my machines run on Linux (Ubuntu 16.04)

zippedydoodah's picture

The NSA should be sent the bill for the entire cleanup cost.

zippedydoodah's picture

The NSA should be sent the bill for the entire cleanup cost.

11b40's picture

When was the Patriot Act passed? How about 'Homeland Security'?
By all means, I am not defending Obummer, but let's all try to remove heads form asses and pay attention to action & results instead of rhetoric & empty promises that somehow never materialize.

Laddie's picture

The old Nokia is going to be made again in Finland. And it will cost about $65, that is one to get.

Arnold's picture

My Samsung does everything.
Phone, text, answering machine, amber alerts.
Ten dollars a month, eleven dollar purchase price.
And works the same on 2G.

aurum4040's picture

This is the second of such Bitcoin related attacks within a few weeks. I think this could be a false flag, with the intention of taking out Bitcoin or at least regulating it heavily. And or perhaps pushing Ether as the crypto of choice as the banks and large corporations are singifacntly involved in Ethereum and Ether. 

revjimbeam's picture

I think we're reading too much into this, from cia funding plot( who i dont think would rip their hand for 20k) to the elimination of bitcoin(which is alot easier to use and mych less visible than say 4billion on a pallet at an iranian airport)

Perhaps the simplest answer is: because we can.

The obvious beneficiaries/perpetrators would be:

1) microsoft (finally get everyone to 'upgrade')

2)An antivirus outfit who as luck would have it already has the fix

Or 3- because my tinfoil is a bit snug, my choice- nsa/cia/etc

They just got a real time infection rate on a mass scale, as well as-soon to come-greater surveillance to catch 'leakers', unlimited funding etc etc and, what i believe to be the main reason, basically the ability to shut down communications worldwide without a fingerprint

Just my initial impression, but this doesnt seem to pass the smell test

cheech_wizard's picture

Obviously not AT&T. They killed off their 2G network. (And replaced my decent flip phone with a piece of shit...)

Standard Disclaimer: Dear dedicated CIA reader of ZH, please let AT&T know they suck donkey balls.

emersonreturn's picture

i have an old motorola in a drawer.  were they back doored as well?

Winston Churchill's picture

Good thought.

My sephamore signals and morse code need refreshing.

I do remember elephants in straw hats,ten miles off, but like anything use it or lose it.

emersonreturn's picture

my rotary dial phone works fine---often it's the only line out in a power outage.  disadvantage remains...redial is a drag.

Citxmech's picture

Can't we at least get analog phones with buttons?  Rotaries were a PITA.

Urban Roman's picture

They should also work when the power is out.

They have a couple transistors in them, but the voltage on an analog phone line is sufficient to power them.

Deplorable's picture

Can't wait to see what will happens when hackers attack the new smartphones that will be embedded in peoples skulls.

HardAssets's picture

What's a rotary dial phone ?

kochevnik's picture

You put your finger in a hole, and make little circles