Britain's National Cyber Centre says it is "working round the clock" to counter a fast-moving, global ransomware attack that crippled the National Health Service and hit as many as 74 countries.
The cyberattack, which apparently exploited a flaw exposed in documents leaked from the U.S. National Security Agency, also struck systems — from transport facilities to universities — in Ukraine, Spain, Italy and India. Even Russia's interior ministry said it was hit.
The European Cybercrime Centre, set up four years ago by Europol, the European Union's police agency, said the attack was at an "unprecedented level" and will require a "complex international investigation" to identify the culprits.
British Home Secretary Amber Rudd told the BBC that 45 NHS organizations in England and Scotland were disrupted, but there was no evidence patient data was compromised.
East and North Hertfordshire NHS Trust, which runs four hospitals north of London, postponed all non-urgent work and asked people not to come to the accident and emergency unit. Doctors at some surgeries were forced to use pen and paper to record patient details following the attack.
“We are very aware that attacks on critical services such as the NHS have a massive impact on individuals and their families, and we are doing everything in our power to help them restore these vital services," Britain's National Cyber Centre said in a statement.
It said it was “working round the clock with UK and international partners and with private sector experts to lead the response to these cyber attacks."
At its core, the attack is an extortion scheme aimed at forcing hospitals and other organizations to pay a ransom to avoid having their data deleted. Infected computers showed a screen giving the user three days to pay up. After that, the price would be doubled. After seven days the files would be deleted, it threatened.
The hackers behind the ransomware attack, who have not been identified, demanded $300 worth of the online currency Bitcoin per computer to release files from encryption. In Spain, the largest telecommunications company would need to pay close to $550,000 to unlock all the encrypted computers hit on its network.
The attack seems to have first appeared around 2 a.m. ET Friday in Europe, said Kurt Baumgartner, a principal security researcher with Kaspersky Lab in Moscow. Kaspersky reported Friday it recorded more than 45,000 attacks of the so-called "WannaCry" ransomware in 74 countries around the world, with most of the incursions occurring in Russia.
"It's very well-written code and there is no easy way to crack the encrypted files once they're infected," Baumgartner said.
Avast, a Czech security software company headquartered in Prague, recorded over 50,000 attacks globally as of Friday afternoon.
The breadth of the attack indicates the software spread around the globe possibly for weeks but lay dormant when first introduced into a network, said Sean Dillon, a senior security analyst with RiskSense Inc.
“Then the kill switch was pulled and everything went live. You can’t just infect that many computers in a single day,” Dillon said.
The ransomware is believed to be linked to an exploit, computer code that takes advantage of a vulnerability, known to have been used by the Equation Group, which many in the security world believe is connected to the NSA.
That exploit was one of many hacking tools stolen from the NSA and published online by a group that called itself the Shadow Brokers on April 14, according to Avast Software. Shadow Brokers has been leaking pieces of more than a gigabyte worth of older NSA software weapons since August.
Although the culprit has not yet been identified, Kasperksy's Baumgartner said although the ransomware was able to offer "how to pay" documents in dozens of languages, the only language whose writing was perfect was Russian, with the others showing distinct signs that a non-native speaker had written them. "The English is very good, but there are a couple of quirks that would lead me to believe it wasn't written by a native English speaker," he said.
Any network with a web server online that was running an unpatched Windows 10 machine would be vulnerable, and Dillon estimates there may be as many as 2 million such machines out there.
“Once they’re on those machines, they’re past the firewalls, and from there they can just spread the infection,” he said.