Teams of technicians worked “round the clock” Saturday to restore hospital computer systems in Britain and check bank or transport services in other nations after a global cyberattack hit dozens of countries and crippled the U.K.’s health system.
The worldwide attack was so unprecedented that Microsoft quickly changed its policy and announced that it will make security fixes available for free for older Windows systems, which are still used by millions of individuals and smaller businesses.
In Russia, where a wide array of systems came under attack, officials said services had been restored or the virus contained.
The extortion attack, which locked up computers and held users’ files for ransom, is believed to be the biggest of its kind ever recorded, disrupting services in nations as diverse as the U.S., Russia, Ukraine, Spain and India.
Europol, the European Union’s police agency, said the onslaught was at “an unprecedented level and will require a complex international investigation to identify the culprits.”
Lakeridge Health in Durham Region also reported having intermittent problems with its IT system on Friday.
Lakeridge director Paul McGary didn’t say what was causing the issues or if they were similar to those that locked up computers and held users’ files for ransom at a multitude of hospitals, companies and government agencies around the world.
McGary said the hospital network has a contingency plan for tech problems and it was “business as usual.”
The ransomware appeared to exploit a vulnerability in Microsoft Windows that was purportedly identified by the U.S. National Security Agency for its own intelligence-gathering purposes and was later leaked to the internet.
Before Friday’s attack, Microsoft had made fixes for older systems, such as 2001’s Windows XP, available only to mostly larger organizations that paid extra for extended technical support. Microsoft says now it will make the fixes free for everyone.
It was not yet known who perpetrated Friday’s attacks. Two security firms – Kaspersky Lab and Avast – said they had identified the malicious software behind the attack in over 70 countries, although both said the attack had hit Russia the hardest.
The Guardian newspaper reported Saturday that a 22-year-old Britain-based researcher had been credited with helping to halt the spread of the ransomware by accidentally activating a so-called “kill switch” in the malicious software.
Identified online only as MalwareTech, the individual found that the software’s spread could be stopped by registering a garbled domain name.
The paper quoted the researcher as saying: “This is not over. The attackers will realize how we stopped it, they’ll change the code and then they’ll start again.”
A cybersecurity expert warned this attack is going to be dwarfed by the next big ransomware attack.
Ori Eisen of the firm Trusona says the attack Friday appears to be “low-level” stuff, given the ransom demands.
But he says the same thing could be done to crucial infrastructure, like nuclear power plants, dams or railway systems.
Eisen says “this is child’s play, what happened. This is not the serious stuff yet. What if the same thing happened to 10 nuclear power plants, and they would shut down all the electricity to the grid? What if the same exact thing happened to a water dam or to a bridge?”
Eisen says the internet itself is diseased and these attacks will continue until some serious restructuring is done.
He says “today, it happened to 10,000 computers … there’s no barrier to do it tomorrow to 100 million computers.”
In Britain, the National Cyber Security Center said it is “working round the clock” with experts to restore vital health services.
British Home Secretary Amber Rudd – who was chairing a government emergency security meeting Saturday in response to the attack – said 45 public health organizations were hit, though she stressed that no patient data had been stolen. The attack froze computers at hospitals across the country, with some cancelling all routine procedures. Patients were asked not to go to hospitals unless it was an emergency and even some key services like chemotherapy were cancelled.
Security officials in Britain urged organizations to protect themselves from ransomware by updating their security software fixes, running anti-virus software and backing up data elsewhere.
The Russian Interior Ministry, which runs the country’s police, confirmed it was among those that fell victim to the ransomware, which typically flashes a message demanding a payment to release the user’s own data.
Ministry spokeswoman Irina Volk was quoted by the Interfax news agency Saturday as saying the problem had been “localized” and that no information was compromised. But the ministry’s website still carried a banner on Saturday afternoon saying that technical work was continuing.
A spokesman for the Russian Health Ministry, Nikita Odintsov, said on Twitter that the cyberattacks on his ministry were “effectively repelled.”
“When we say that the health ministry was attacked you should understand that it wasn’t the main server, it was local computers … actually nothing serious or deadly happened yet,” German Klimenko, a presidential adviser, said on Russian state television.
Russian cellular phone operators Megafon and MTS said some of their computers were hit and the Russian national railway system said although it was attacked, rail operations were unaffected.
Russia’s central bank said Saturday that no incidents had “compromising the data resources” of Russian banks, state news agency Tass reported.
French carmaker Renault’s assembly plant in Slovenia halted production after it was targeted in the global cyberattack. Radio Slovenia said Saturday the Revoz factory in the southeastern town of Novo Mesto stopped working Friday evening to stop the malware from spreading – and was working with the central office in France to resolve the problem.
Krishna Chinthapalli, a doctor at Britain’s National Hospital for Neurology & Neurosurgery who wrote a paper on cybersecurity for the British Medical Journal, said many British hospitals still use Windows XP software, introduced in 2001.
Security experts said the attack appeared to be caused by a self-replicating piece of software that enters companies when employees click on email attachments, then spreads quickly internally from computer to computer when employees share documents.
The security holes it exploits were disclosed several weeks ago by TheShadowBrokers, a mysterious group that has published what it says are hacking tools used by the NSA. Shortly after that disclosure, Microsoft announced that it had already issued software “patches,” or fixes, for those holes – but many users haven’t yet installed the fixes or are using older versions of Windows.
In the U.S., FedEx Corp. reported that its Windows computers were “experiencing interference” from malware, but wouldn’t say if it had been hit by ransomware.
Elsewhere in Europe, the attack hit companies including Spain’s Telefonica, a global broadband and telecommunications company.
Germany’s national railway said Saturday departure and arrival display screens at its train stations were affected, but there was no impact on actual train services. Deutsche Bahn said it deployed extra staff to busy stations to help customers, and recommended that they check its website or app for information on their connections.
Other European organizations hit by the massive cyberattack included soccer clubs in Norway and Sweden, with IF Odd, a 132-year-old Norwegian soccer club, saying its online ticketing facility was down.