Hospitals Gain Control After Ransom Hack, More Attacks May Come

(Bloomberg) -- Most U.K. health facilities whose computer systems were crippled in a global cyber-attack are back to normal operation, Home Secretary Amber Rudd said, even as experts warned that hackers would probably launch a new round of attacks with many computers still vulnerable.

About 97 percent of facilities and doctors affected are able to work normally, Rudd said Saturday after a U.K. government meeting. At the height of the attack Friday and early Saturday, 48 organizations in the National Health Service were affected, and hospitals in London, North West England and Central England urged people with non-emergency conditions to stay away as technicians tried to stop the spread of the malicious software.

“There will be lessons to learn from what appears to be the biggest criminal cyber-attack in history,” Rudd said in response to a letter from Jonathan Ashworth, the shadow secretary of state for health.

The malware, using a technique purportedly stolen from the U.S. National Security Agency, also affected Russia’s Ministry of Interior, Germany’s Deutsche Bahn rail system, automakers Nissan Motor Co. and Renault SA, logistics giant FedEx Corp., and other company and hospital computer systems in countries from Eastern Europe to the U.S. and Asia. More than 75,000 computers in 99 countries were compromised, with a heavy concentration of infections in Russia and Ukraine, according to Dutch security company Avast Software BV.

The hackers used the tool to encrypt files within affected computers, making them inaccessible, and demanded ransom -- typically $300 in bitcoin.

The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft Corp. operating systems couldn’t or didn’t download a security patch released in March that Microsoft had labeled “critical.”

Microsoft said in a blog post Saturday that it was taking the “highly unusual“ step of providing the patch for older versions of Windows it was otherwise no longer supporting, including Windows XP and Windows Server 2003.

The Good Guys Can Have the Upper Hand on Cybersecurity

Victims have paid about $30,000 in ransom so far, with the total expected to rise substantially next week, said Tom Robinson, chief operating officer and co-founder of Elliptic Enterprises Ltd., a ransomware consultant that works with banks and companies in the U.K., U.S. and Europe. Robinson, in an interview by email, said he calculated the total based on payments tracked to Bitcoin addresses specified in the ransom demands.

Last year an acute-care hospital in Hollywood paid $17,000 in bitcoin to an extortionist who hijacked its computer systems and forced doctors and staff to revert to pen and paper for record-keeping.

Hospitals are also fertile ground for identity thieves because of their often-lax security policies. Bloomberg Businessweek wrote in 2015 about a spate of malware infections at hospitals where radiological machines, blood-gas analyzers and other devices were compromised and used to siphon off the personal data of patients.

Business Targets

A spokesman for Spain’s Telefonica SA said the hack affected some employees at its headquarters, but the phone company is attacked frequently and the impact of Friday’s incident wasn’t major. FedEx said it was “experiencing interference,” the Associated Press reported.

Renault halted production at some factories to stop the virus from spreading, a spokesman said Saturday, while Nissan’s U.K. car plant in Sunderland, in northeast England, was affected without causing any major impact on business, an official said.

In Germany, Deutsche Bahn faced “technical disruptions” on electronic displays at train stations, but travel was unaffected, the company said in a statement on its website. Newspaper reports showed images of a ransomware message on display screens blocking train information.

Russia’s Interior Ministry, with oversight of the police forces, said about “1,000 computers were infected,” which it described as less than 1 percent of the total, according to its website.

While any sized company could be vulnerable, many large organizations with robust security departments would have prioritized the update that Microsoft released in March and wouldn’t be vulnerable to Friday’s attack.

Users Tricked

Ransomware is a particularly stubborn problem because victims are often tricked into allowing the malicious software to run on their computers, and the encryption happens too fast for security software to catch it. Some security expects calculate that ransomware may bring in as much as $1 billion a year in revenue for the attackers.

The attack was apparently halted in the afternoon in the U.K. when a researcher took control of an Internet domain that acted as a kill switch for the worm’s propagation, according to Ars Technica.

“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” wrote the researcher, who uses the Twitter name @MalwareTechBlog. “So long as the domain isn’t revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.”

There is a high-probability that Russian-language cybercriminals were behind the attack, said Aleks Gostev, chief cybersecurity expert for Kaspersky Labs.

“Ransomware is traditionally their topic,” he said. “The geography of attacks that hit post-Soviet Union most also suggests that.”

--With assistance from Stepan Kravchenko Ksenia Galouchko Robert Hutton Jack Sidders and Adam Satariano

To contact the reporter on this story: Jordan Robertson in Washington at jrobertson40@bloomberg.net.

To contact the editors responsible for this story: Tom Giles at tgiles5@bloomberg.net, Bernard Kohn, Will Wade