Ransomware attacks spread worldwide

Updated: Ransomware infections reported across at least 74 countries, thanks to ransomware that has been supercharged by the EternalBlue exploit.
Written by Steve Ranger, Global News Director

The ransomware attacks that forced hospitals across the UK to turn away patients are apparently part of a larger wave of ransomware infections worldwide.

Prime Minister Theresa May said: "This is not targeted at the NHS, it's an international attack and a number of countries and organisations have been affected," according to the BBC.

As well as the UK, where the ransomware infections have resulted in NHS trusts cancelling operations, the fallout is being felt around the globe.

Security company Kaspersky Lab said it has recorded more than 45,000 attacks by this particular ransomware in 74 countries around the world, with most infections occurring in Russia.

"It's important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher," it warned.

The tool was designed to address users in multiple countries, with translated messages in different languages, the company said.

The impact of the ransomware continues to be felt globally. Spanish communications giant Telefonica said that a cybersecurity incident had affected the PCs of some employees on the company's internal corporate network.

According to Spanish newspaper El Pais, other firms in the country have also been affected.

Spain's national CERT warned of a "massive attack of ransomware" and said the ransomware's potency resulted from it exploiting a known software flaw called EternalBlue.

This is a Windows flaw that was part of a hoard of software vulnerabilities apparently collected by the NSA, but leaked by the so-called Shadow Brokers. The NSA would hold onto such vulnerabilities in order to help hack into surveillance targets around the world, although critics have long warned that this risks serious flaws going unpatched.

This particular vulnerability was patched in March by Microsoft. Spain's CERT said that PCs should be patched to protect them from the vulnerability or isolated from the network.

Malware researchers have been plotting the spread of the ransomware, which apparently appeared today, reporting a number of incidents across Europe and beyond.

Allan Liska, senior solutions architect at security company Recorded Future, said this ransomware first appeared on 31 March but the version that is rapidly spreading has some significant changes, using the vulnerability outlined in Microsoft Security Bulletin (MS17-010), also known as EternalBlue.

"This means that once the ransomware gets into a network it can spread quickly through any computers that do not have that patch applied. The worm-like capabilities are the new feature added to this ransomware," he said.

"Given the relative ineffectiveness of the first version of WanaCypt0r, it is likely the author did not expect this type of success from the new campaign, which could cause problems for any organisation that attempts to pay the ransom."
