Trending Science: Cyber attack locks up more than 200 000 computers across 150 countries

Operations were cancelled at several major hospitals in the UK as IT experts tried to regain control of the Health Service’s network of computers; Renault in France sent 3 500 staff home as they worked to limit the damage at a key factory and over 30 000 computers were attacked in China alone as attacks continued on Monday 15 May.

The attack, which first hit computers on Friday, continued to cause havoc when people returned to work on Monday. While technicians around the world struggled to secure their networks, the finger pointing had already begun. The attack hit Microsoft operating systems and the company blamed the US government’s National Security Agency (NSA) for developing an exploit that led to the hack.

A crowbar to break into systems – there’s no such thing as a tame exploit

The US is alleged to have created the ‘EternalBlue’ exploit as a tool to gain access to computers running Microsoft’s operating system, Windows. Described as a ‘crowbar’ by one security expert, it is believed the tool was then leaked online and harnessed by cyber criminals to hijack vulnerable computers world-wide. They then demanded their targets pay 300 dollars'' worth of bitcoins, a virtual currency used online, to ransom their data.

Speaking to the UK''s Daily Telegraph, Sean Sullivan, security adviser to F-Secure, a cyber security company, said, ‘Shadow Brokers obtained the NSA tools that exposed a vulnerability in Microsoft’s operating systems. They dumped the instructions detailing how to get in. The exploit is the ‘crowbar’ to open the door and the ransomware is the ‘hand grenade’ you lob in once the door is open.’

Keep your security patches up to date, if you can

While the sequence of actions leading up to the worldwide hack are still obscure, it is maintained that the NSA warned Microsoft its hacking tool had been stolen and the company issued a patch in March. But operating systems from 2009 and earlier, such as the still frequently used Windows XP, were not covered. And even when available, many users simply didn’t download the patch. Cyber security experts said the malware could spread through computers running unpatched versions of Microsoft Windows. They have urged users to only run their computers in safe mode until they have checked that the update blocking the ransomware is installed.

A computer security expert, known only as MalwareTech on Twitter, has been credited with stopping the spread of the ransomware, temporarily at least, by activating a digital ‘kill switch’. The researcher, a 22-year-old from south-west England who works for LA-based threat intelligence company Kryptos logic, has been praised by the head of Europol’s European cybercrime centre, Steven Wilson. ‘He made a significant step in slowing the advance of this malware,’ explained Mr Wilson. MalwareTech tweeted that hackers could upgrade the virus. ‘Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw,’ he said on Twitter. ‘You’re only safe if you patch ASAP.’

Microsoft took the unusual step of issuing a fix for older versions of Windows on Friday so now even those still running XP, for which support was stopped in 2014, can be covered. This will, if downloaded and installed, help the owners of an estimated 70 million computers worldwide who are still running XP. The fix is also designed for Windows 8 and Windows Server 2003.

A global problem and a wake-up call

By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1 000 computers have been affected. Security researchers with Kaspersky Lab have recorded more than 45 000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.

Microsoft has called on governments to consider the attacks as a wake-up call. The company’s president and chief legal officer Brad Smith wrote, ‘We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.’ Mr Smith is reported by the BBC as saying, ‘As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems.’

The EU’s response to gobal cyber threats

The EU is investing heavily in research into cyber security: EUR 334 million in funding was awarded under FP7, between 2007 and 2013. A further EUR 160 million has been allocated in the first wave of Horizon 2020 and EUR 450 million will be invested under the contractual public-private partnership on cybersecurity for the period 2017-2020.

For a closer look at what EU-funded projects are doing in the domain of cyber security, take a look at our detailed Results Pack on Securing cyberspace: Delivering concrete results through EU research and innovation.