Stolen NSA Tool Suspected in Global Ransomware Attack

A widespread cyberattack disrupted business and health systems in at least a dozen countries on Friday, including at least 16 hospitals across England that were crippled by a large-scale ransomware attack.

Doctors, administrators, and other NHS workers were locked out of their computers, and instead saw a pop-up message demanding ransom in exchange for access to the system, according to several reports. NHS England didn’t immediately respond to questions about whether any ransom was paid, the amount of the requested ransom, or whether the system was fully operational again. “The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” the NHS said in a statement emailed to The Atlantic. “This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors.”

The attack seemed to exploit a common vulnerability that was discovered and developed by the National Security Agency, The New York Times reported:

The hacking tool was leaked by a group calling itself the Shadow Brokers, which has been dumping stolen N.S.A. hacking tools online beginning last year. Microsoft rolled out a patch for the vulnerability last March, but hackers took advantage of the fact that vulnerable targets — particularly hospitals — had yet to update their systems.

Some hospitals affected by the attack were diverting ambulances to other centers, and asked people to stay away from emergency rooms unless they needed urgent care, Reuters reported.

At the same time, Spain’s government warned on Friday of a large-scale ransomware attack in its country. Telefonica, the nation’s biggest telecommunications firm, was one of the targets. It wasn’t immediately clear whether the cyberattack in Spain was connected to the cyberattack on the NHS.

The attacks are alarming, but not entirely unexpected. Ransomware attacks are on the rise—particularly against vulnerable targets like hospitals, where access to electronic medical records and other computer-run systems have tremendous implications for patient safety. Police stations and emergency call centers are similarly vulnerable targets.

“The worst [scenario] we can imagine is if some malicious actor wants to undertake an act of terrorism and hamper the local response to that [attack]—disrupting 9-1-1 communications entirely,” Trey Forgety, a cybersecurity expert and the director of government affairs for the National Emergency Number Association told me in March.

There were several ransomware attacks in the United States last year—including against hospitals and libraries. The cybersecurity firm Kaspersky Lab reported last year that ransomware attacks had increased by more than 500 percent compared with the year before. The firm described ransomware—often sent via a malicious email disguised as routine correspondence—as the greatest security threat online today.

One in 131 emails sent last year were malicious, according to an annual security report by Symantec, the highest rate in five years.

These sorts of attacks are so common now—and so potentially lucrative for attackers—that there’s even a cottage industry of ransomware as a service, in which cybercriminals pay a fee for someone else to carry out an attack, with the attacker taking a cut of the ransom collected.

Along with hospitals and other emergency centers, at-risk targets include banks, school districts, public transportation systems, and local governments.

“The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation,” the FBI wrote in a warning it issued last year. “Ransomware attacks are not only proliferating, they’re becoming more sophisticated.”

Attackers are also targeting more overall devices, as well as a wider array of devices, and demanding more money from victims. The average ransom demand was $1,077 last year, according to Symantec, up from $294 the year before. Friday’s NHS attackers requested at least $300 from each person who found themselves locked out of their devices, according to the BBC.

Officials caution against paying ransoms, in part because giving an attacker money doesn’t guarantee data recovery. “Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity,” the FBI said.