From Britain to India, massive ransomware attack creates havoc
Britain’s National Cyber Security Centre said teams are working “round the clock” to restore hospital computer systems after a global cyberattack that hit dozens of countries forced British hospitals to cancel and delay treatment for patients.india Updated: May 14, 2017 13:58 IST
A day after a massive ransomeware attack hit nearly 100 countries, including India, terrifying details were slowly emerging on Saturday as computers from hospitals in Britain to police stations in Andhra Pradesh were hacked into, keeping cyber security experts on tenterhooks.
In India, a section of computers at Andhra Pradesh’s police departments were hacked. Computers in 18 police units in Chittoor, Krishna, Guntur, Visakhatpatnam and Srikakulam districts were affected.
According to Director General of Police N Sambasiva Rao, systems using the Windows operating system were hit by the cyber attack. The police chief’s computer with Apple’s operating system was safe.
R Jaya Lakshmi, superintendent of police, Tirupati Urban, said the ‘ransomware’ encrypted data in some police stations, adding that they were not able to access data and hackers were demanding ransom in digital currency bitcoin to restore access.
“The impact is minimal as we also keep offline record of FIRs and other documents,” Lakshmi added.
Among the government agencies and companies affected globally were Britain’s National Health Service (NHS), the Russian Interior Ministry, Spain’s communications giant Telefonica, power firm Iberdrola, utility provider Gas Natural and FedEx in the US.
According to media reports, teams were working round the clock in response to the attack, which resulted in operations being cancelled, ambulances being diverted and documents such as patient records made unavailable in England and Scotland.
After denying reports that its computers had been targeted, the Russian Interior Ministry later confirmed that “around 1,000 computers were infected”. The ministry said the technicians had contained the attack.
Moscow-based Kaspersky Lab detected that variants of a malware called “WannaCry” were used that encrypted the files.
“Once inside the system, the attackers install a rootkit, which enables them to download the software to encrypt the data. The malware encrypts the files. A request for $600 in Bitcoin is displayed along with the wallet -- and the ransom demand increases over time,” Altaf Halde, Managing Director Kaspersky Lab (South Asia), told IANS.
Kaspersky Lab confirmed that the company’s protection subsystems detected at least 45,000 infection attempts in 74 countries, mostly in Russia.
“This is big and set to get bigger. We haven’t seen anything like this since Conficker in 2008,” Amit Nath, Head of Asia Pacific-Corporate Business at cyber security firm F-Secure Corporation, told IANS.
Another cybersecurity firm Avast said it had seen 75,000 cases of the ransomware around the world.
Europol also warned a “complex international investigation” was required “to identify the culprits”.
Rail passengers in Germany were confronted with the ransom message when looking up train information at stations after Berlin-based railway company Deutsche Bahn was targeted.
Carmaker Renault was France’s first company to be affected by the ransomware while Portugal Telecom and a local authority in Sweden also faced a similar fate.
The ransomware infects victims by exploiting a Microsoft Windows vulnerability described and fixed in “Microsoft Security Bulletin MS17-010”.
Microsoft also said it would roll out the update to users of older operating systems “that no longer receive mainstream support”, such as Windows XP, Windows 8 and Windows Server 2003.
The seeds of the massive cyber attack were sown by a mysterious hacking group “Shadow Brokers” in April when it leaked a hacking tool called “Eternal Blue” developed by the US National Security Agency (NSA).
Interestingly, the same tool is believed to have been used by another anonymous hacking group to gain remote access to computers, that brought parts of the NHS to a standstill.
“It’s likely that regular online criminals simply used the information that the ‘Shadow Brokers’ put on the internet and thought ‘how can we monetise this’,” telegraph.co.uk quoted Graham Cluley, a computer security expert, as saying on Saturday.
The attack was the latest in the growing menace of ransomware in which hackers deliver files to computers that automatically encrypt their data, making it unusable until a ransom is paid.
“This is not targeted at the NHS,” British Prime Minister Theresa May was quoted as saying in BBC. “It’s an international attack, and a number of countries and organisations have been affected.”
Hacking group or groups were yet to claim responsibility for the attack.
The Chinese online security company Qihoo 360 issued a warning about the virus, saying that many networks there had been hit and that some computers used to mine Bitcoin in China were among those infected.
The US Department of Homeland Security, in a statement, encouraged people to update their operating systems, CNN reported.
“We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally,” the department said.
Meanwhile, the Group of Seven (G7) nations, which were holding a two-day meeting (May 12-13) of Finance Ministers and central bankers in Italy, released a draft statement committing to join forces to fight the rising threat of cyber attacks.