- Thousands of computers in China and Japan hit by WannaCry virus
- Putin says Russia had ‘nothing to do’ with global ransomware outbreak
- Microsoft attacks US government over developing ‘EternalBlue’ exploit that led to hack
- New strains of virus reported but having little effect
- Jeremy Hunt says there has been no second wave of attacks
Vladimir Putin has blamed the US for the global cyber attack that has crippled computer systems around the world since Friday.
The cyber attack, which wreaked havoc at dozens of NHS trusts on Friday, has continued to spread, hitting thousands of computers in China and Japan.
Putin said Russia had “nothing to do” with the attack and blamed the US for creating the hacking software that affects Microsoft computers.
“Malware created by intelligence agencies can backfire on its creators,” said Putin, speaking to media in Beijing. He added that global leaders needed to discuss cyber security at a “serious political level” and said the US has backed away from signing a cyber security agreement with Russia.
Authorities fear a second wave of the “WannaCry” ransomware could hit systems as people return to work and switch on their computers on Monday morning. Japanese computer experts said around 2,000 PCs had been affected while the Chinese news agency Xinhua reported that almost 30,000 had been hit.
Authorities had warned of a day of chaos ahead of Monday, with the National Cyber Security Centre saying that existing infections could spread through computer systems.
NHS systems appeared to be largely up and running on Monday, although seven out of the 47 trusts hit by last week’s attack are still seeking emergency support, according to NHS Digital.
The WannaCry ransomware, which locks computer systems and demands $300 (£230) in Bitcoin, hit over 200,000 computers on Friday and the impact continued to be felt across the weekend. Around £33,000 in ransoms have been paid to date, according to analysis of Bitcoin wallets.
On Sunday night, Microsoft slammed the US spy agency that had originally developed software that allowed the ransomware attack to infect computers. The “Eternal Blue” tool developed by the National Security Agency had been dumped onto the public internet by a hacking group known as the Shadow Brokers.
It was then used by the still-anonymous cyber criminals to infect PCs with Friday’s ransomware.
About | Ransomware
What is ransomware? Malicious software that locks a device, such as a computer, tablet or smartphone and then demands a ransom to unlock it.
Where did ransomware originate? The first documented case appeared in 2005 in the United States, but quickly spread around the world.
How does it affect a computer? The software is normally contained within an attachment to an email that masquerades as something innocent. Once opened it encrypts the hard drive, making it impossible to access or retrieve anything stored on there – such as photographs, documents or music.
How can you protect yourself? Anti-virus software can protect your machine, although cybercriminals are constantly working on new ways to override such protection.
How much are victims expected to pay? The ransom demanded varies. Victims of a 2014 attack in the UK were charged £500. However, there’s no guarantee that paying will get your data back.
“The governments of the world should treat this attack as a wake-up call,” Microsoft president Brad Smith said in a statement. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
Microsoft released a patch over the weekend for the Eternal Blue vulnerability that defends against it even with older versions of Windows.
National Crime Agency ‘identifying patterns’ in attacks
The National Crime Agency has said it will “take time” to investigate who is behind the attacks, but said it has started “identifying patterns” in the swathes of data it has access to.
It said there is currently no indication that there will be a second wave of attacks in the UK, but warned people to still be careful.
Lynne Owens, director general of the NCA, said:
As things stand, there is no indication of a second surge of cases here in the UK.
But that doesn’t mean there won’t be one.
We’re trawling through huge amounts of data associated with the attack and identifying patterns.
The NCA is leading the criminal investigation into the attack, but for operational reasons we cannot give a running commentary.
Because of the quantity of data involved and the complexity of these kinds of enquiries we need to be clear that this is an investigation which will take time.
But I want to reassure the public that investigators are working round the clock to secure evidence and have begun to forensically analyse a number of infected computers.
Specialist cyber-crime officers from the NCA and our partner regional organised crime units are speaking directly with victims.
That includes visiting NHS sites to help protect victims and secure and preserve evidence. Those visits are continuing.
More than 150 countries have been affected, and we’re in constant communication with international partners, including Europol, Interpol and the FBI and the collaboration has been strong and effective.
The agency advised:
- Make sure your security software patches are up-to-date
- Make sure that you are running anti-virus software
- Back-up your data in multiple locations, including offline
- Avoid opening unknown email attachments or clicking on links in spam emails
- Victims of fraud should report it to Action Fraud
- We encourage the public not to pay any ransom demand
Jeremy Hunt: No second wave of attacks
The Health Secretary has made his first public statement since last Friday’s attack.
He told BBC News:
I have this morning been briefed by GCHQ and the National Cyber Security Centre. According to our latest intelligence we have not seen a second wave of attacks and the level of criminal activity is at the lower end of what we had anticipated.
But the message is very clear, not just for organisations like the NHS but for private individuals and businesses: although we have never seen anything on this scale with regards ransomware attacks they are relatively common and there are things that you can do, all of us can do to protect ourselves against them.
In particular making sure data is properly backed up and making sure that we are using the software and antivirus patches that are sent out by manufacturers. These are things we can all do to reduce the impact of what we have seen in the last 48 hours.
Are new strains of WannaCry emerging?
The original ransomware was effectively neutered on Friday night after a British security expert bought the domain name that acted as a “kill switch”.
However, new strains of the virus appear to have emerged over the weekend, with other cyber criminals seeking to make money by exploiting vulnerable systems.
Matthieu Suiche dealt with the first by registering a new killswitch address.
However, the second, found by security company Kaspersky, does not have a killswitch at all, making it difficult to disable.
This second version does not seem to work, but it suggests hackers are trying to create a strain that cannot be so easily disabled.
NHS trusts ignored warning last month to upgrade systems
Dozens of NHS trusts fell victim to ransomware after failing to upgrade their systems despite a warning from NHS Digital, Sky News reports.
NHS Digital has said it told NHS trusts to upgrade their systems last month or risk falling victim to a cyber attack. The warning came after hackers leaked details of a Microsoft vulnerability stolen from the NSA.
The security patch could have prevented the ransomware attack from spreading across NHS computer systems.
Renault shuts one of largest factories
Henry Samuel, our correspondent in Paris, says Renault has shut one of its largest factories in France as a “preventative measure”. Here’s his full dispatch:
One of carmaker Renault’s biggest factories in France remained closed on Monday as a “preventative” measure in the wake of the global cyberattack.
Renault had to temporarily lay off 3,500 staff at their Douai factory in northern France, giving them a collective holiday on Monday while they try and limit damage to the factory’s computers, which run into hundreds of terminals.
Unions were warned on Sunday.
The company gave no details on the degree to which the plant was affected by the malware.
“Our IT teams are working at the site today, along with logistics to maintain supply, and they will do everything possible to secure the site so that work can start up again tomorrow,” said a spokesman.
The work is “essentially preventative but requires great vigilance,” he said.
The Douai factory employs 5,500 staff and produces Talisman, Scenic and Espace vehicles.
A spokesman for Renault told AFP that production would start up again on Tuesday and that 90 per cent of the group’s factories were running as normal worldwide in the wake of the attack.
Two unspecified sites were not currently running abroad, he added.
The carmaker had earlier halted production at sites in France and Romania to prevent the spread of ransomware.
Theresa May says Government warned the NHS about possible attack
Theresa May has denied accusations that the Government failed to alert the NHS about a possible cyber attack despite warnings from security experts.
“Clear warnings were given to hospital trusts,” said May, speaking at an event in Oxfordshire. “But this is not something that focused on attacking the NHS here in the UK.”
Vladimir Putin blames US for hack
Vladimir Putin has blamed the US for causing the global cyber attack. He said Russia had “nothing to do” with the cyber attack, adding that the US had indirectly caused it by creating the Microsoft hack in the first place.
“Malware created by intelligence agencies can backfire on its creators,” said Putin, speaking to media in Beijing.
He added that the attack didn’t cause any significant damage to Russia. Russian security firm Kaspersky said hospitals, police and railroad transport had been affected in the country. Another report suggested Russia was one of the worst hit locations.
As regards the source of these threats, I believe that the leadership of Microsoft have announced this plainly, that the initial source of the virus is the intelligence services of the United States.
Once they’re let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators.
So this question should be discussed immediately on a serious political level and a defence needs to be worked out from such phenomena.
Health Secretary refuses to answer questions on NHS negligence
Jeremy Hunt was asked whether he had ignored warnings about NHS IT security as he left his house this morning.
The Health Secretary, who has been criticised over his lack of public statements over the attack, declined to answer any questions.
Universities, police and petrol stations hit in China
Here’s a dispatch from Neil Connor in Beijing:
More than 4,000 educational organisations were among the 30,000 ‘institutions’ to have been paralysed by the global cyberattack, which is known as Wanna Decryptor ransomware, or WannaCry, Qihu 360, an anti-virus software firm, said.
Reports in China said more than 20,000 petrol stations operated by China National Petroleum Corporation could only process cash payments because of Internet issues over the weekend.
The National Business Daily reported on Monday that the company’s computers went down at 1pm on Saturday, with 80 percent of the systems returning to normal by midday on Sunday.
“Petro China has taken emergency measures to cope with WannaCry ransomware attacks,” a company official told the media outlet.
Chinese media also cited university students complaining about pop-ups appearing on their computers which demanded ransom payments, or else they would lose all their documents.
Wu Xingyong, an official from Yunnan Agricultural University, in south-west China, told thepaper.cn that eight students had been hit by the attack.
Other reports said breaches had occurred at Hangzhou Normal University, Shandong University and Jiangsu University in eastern China.
Beijing’s Tsinghua and Peking Universities, and Guilin University Of Electronic Technology were also affected.
Police officers in Shandong province were forced to unplug all of their computers when the cyber attack struck, reports said.
A Chinese expert criticised the United States over the breach, following suggestions by researchers that it used hacking tools developed by the US National Security Agency.
Qin An, director of the China Institute of Cyberspace Strategy, told the Global Times newspaper that the attack “again reminds the world of the great harm the US’ network hegemony and its network weapons can bring about.”
Cybersecurity is one of the most contentious issues between the US and China.
‘Significant delays’ at A&E
The Royal London Hospital in Whitechapel is continuing to report “significant delays” due to IT problems.
Boris weighs in
From the Press Association:
Arriving in Brussels for a meeting of EU foreign ministers, Foreign Secretary Boris Johnson said: “Cyber-security is a huge issue for all of us in all our countries.
“It’s not specifically on the agenda today, but a huge amount of work goes on between the UK Government and all our friends and partners around Europe, and indeed in the United States, where they are now stepping up their precautions against cyber attacks of these kinds.”
Hackers have made £33,000
Bitcoin, the digital currency that the ransomware hackers demanded payments in, is anonymous but not quite untraceable. We are able to follow transactions into the online wallets set up by the hackers.
This Twitter bot is tweeting live updates on the payments. At present, they total 24.75 bitcoins, or £33,600.
22-year-old cyber hero revealed
The spread of the “WannaCry” ransomware was limited over the weekend after a quick-thinking IT expert registered the “kill switch” web domain found deep in the software’s code.
22-year-old Marcus Hutchins now says he is working with GCHQ to try and fend off another attack.
Jeremy Hunt spotted
The Health Secretary Jeremy Hunt was mysteriously silent over the weekend, with the Home Secretary Amber Rudd left to field questions about Friday’s attack and the NHS’s security.
Here’s Mr Hunt’s last tweet, for example:
Thanks for warm welcome and delicious coffee at the excellent Little Barn cafe in Elstead – great asset for community pic.twitter.com/W578SsI8wT
— Jeremy Hunt (@Jeremy_Hunt) May 8, 2017
Mr Hunt was accused of ignoring warnings over NHS security, with many trusts running unpatched systems or continuing on Windows XP.
The Health Secretary has now been spotted leaving for work on his bicycle.
Microsoft: ‘This is a wake-up call’
Embarrassingly for the US government, Friday’s attack can trace its way back to the US spy agency. The National Security Agency’s “Eternal Blue” tool, built to spy on enemy computers, helped spread the WannaCry ransomware tool by exploiting a flaw in Windows systems that had not been patched, including the obsolete Windows XP.
Microsoft had released a patch in March, but many organisations had not updated, and it was not until Saturday that a patch for XP was released.
Microsoft attacked the US government on Sunday for building the Eternal Blue tool.
This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.
An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.
NCSC warns of further ransomware attacks
Here’s the latest from the National Cyber Security Centre:
Since the global coordinated ransomware attack on thousands of private and public sector organisations across dozens of countries on Friday, there have been no sustained new attacks of that kind. But it is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks.
Surgeries face ‘Monday meltdown’
Good morning. Patients are being warned this morning not to visit their GPs amid fears that the fallout from the NHS cyber attack could continue.
Official advice from the health service says that patients should continue to visit surgeries if they have an appointment, but warns that services are expected to be slower than usual and urges patients to seek other options if possible.
Seven out of the 47 trusts hit by last week’s attack are still seeking emergency support, NHS Digital has said.
The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack
Early Friday morning the world experienced the year’s latest cyberattack. Starting first in the United Kingdom and Spain, the malicious “WannaCrypt” software quickly spread globally, blocking customers from their data unless they paid a ransom using Bitcoin. The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.
All of this provides the broadest example yet of so-called “ransomware,” which is only one type of cyberattack. Unfortunately, consumers and business leaders have become familiar with terms like “zero day” and “phishing” that are part of the broad array of tools used to attack individuals and infrastructure. We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported. Clearly, responding to this attack and helping those affected needs to be our most immediate priority.
At the same time, it’s already apparent that there will be broader and important lessons from the “WannaCrypt” attack we’ll need to consider to avoid these types of attacks in the future. I see three areas where this event provides an opportunity for Microsoft and the industry to improve.
As a technology company, we at Microsoft have the first responsibility to address these issues. We increasingly are among the first responders to attacks on the internet. We have more than 3,500 security engineers at the company, and we’re working comprehensively to address cybersecurity threats. This includes new security functionality across our entire software platform, including constant updates to our Advanced Threat Protection service to detect and disrupt new cyberattacks. In this instance, this included the development and release of the patch in March, a prompt update on Friday to Windows Defender to detect the WannaCrypt attack, and work by our customer support personnel to help customers afflicted by the attack.
But as this attack demonstrates, there is no cause for celebration. We’ll assess this attack, ask what lessons we can learn, and apply these to strengthen our capabilities. Working through our Microsoft Threat Intelligence Center (MSTIC) and Digital Crimes Unit, we’ll also share what we learn with law enforcement agencies, governments, and other customers around the world.
Second, this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.
At the same time, we have a clear understanding of the complexity and diversity of today’s IT infrastructure, and how updates can be a formidable practical challenge for many customers. Today, we use robust testing and analytics to enable rapid updates into IT infrastructure, and we are dedicated to developing further steps to help ensure security updates are applied immediately to all IT environments.
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.
We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us. We recognize our responsibility to help answer this call, and Microsoft is committed to doing its part.