British hospitals, Telefonica hit by ransomware with NSA exploit

Fast-spreading worm delays surgery and treatment.

A huge cyber attack leveraging hacking tools widely believed to have been developed by the NSA brought disruption to Britain's health system on Friday and infected dozens of other countries around the world, security researchers said.

Hospitals and doctors' surgeries in parts of England were forced to turn away patients and cancel appointments after they were infected with the ransomware, which scrambled data on computers and demanded payments of US$300 to US$600 (A$406 - A$812) to restore access to the systems.

People in affected areas were being advised to seek medical care only in emergencies.

"We are experiencing a major IT disruption and there are delays at all of our hospitals," said the Barts Health group, which manages major London hospitals.

Routine appointments had been canceled and ambulances were being diverted to neighboring hospitals.

Telecommunications giant Telefonica was among many targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services.

A Telefonica spokesman said a window appeared on screens of infected computers that demanded payment with the digital currency bitcoin in order to regain access to files.

Rich Barger, director of threat research at US-based security research company Splunk, said: "This is one of the largest global ransomware attacks the cyber community has ever seen."

Officials and experts identified the type of malware as 'Wanna Cry', also known as 'Wanna Decryptor'.

The malware exploits a vulnerability in Microsoft's Windows operating system that allows it to automatically spread across networks, which gives it the ability to quickly infect large numbers of machines at the same organisation.

It is the first piece of self-spreading ransomware, said Adam Meyers, a researcher with cyber security firm CrowdStrike.

"Once it gets in and starts moving across the infrastructure, there is no way to stop it," Meyers said.

The Wanna Cry malware exploits a vulnerability widely believed by security researchers to have been developed by the National Security Agency that was released on the Internet last month by a group known as the Shadow Brokers.

Shadow Brokers said at the time that they obtained it from a secret trove of NSA tools and files that are part of the spy agency’s hacking program.

Microsoft issued a patch on March 14 described as critical to users of Windows to fix that vulnerability, which CrowdStrike and Splunk said should protect users from getting infected by Wanna Cry.

Organisations or individual users who failed to apply that patch to Windows machines could remain vulnerable to Wanna Cry.

The NSA and Microsoft did not immediately respond to requests for comment.

Andrea Zapparoli Manzoni, a senior manager in the Information Risk Management division of KPMG Advisory in Italy, said: "The ransomware attack is happening in a haphazard fashion and is hitting every country in the world, including Italy.

"This particular ransomware contains a vulnerability, called Eternal Blue, which was developed in US intelligence circles and was then stolen.

"That gives you an idea about why the level of risk is particularly high. The aim isn't to hit any specific country but to strike as widely as possible to make money."

Hospitals were a prime target, Manzoni said, because "they are very vulnerable to cyber attacks and ready to pay because they cannot afford any shutdowns."

Further reports say that a Swedish local government organisation has also been hit by Wanna Decryptor, along with Scottish health boards, and Russia's interior ministry.

Bad timing

The chaos in Britain's health system came less than four weeks before a parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

"This was not targeted at the NHS, it's an international attack and a number of countries and organisations have been affected," Prime Minister Theresa May said.

"We're aware that a number of NHS organisations have reported that they've suffered from a ransomware attack," May said.

"We're not aware of any evidence that patient data has been compromised."

In Spain, the attacks did not disrupt the provision of services or network operations of the victims, the government said in a statement.

The news prompted security teams at large financial services firms and businesses around the world to review their plans for defending against ransomware attacks, according to executives with private cyber security firms.

A spokeswoman for Portugal Telecom said: "We were the target of an attack, like what is happening in all of Europe, a large-scale attack, but none of our services was affected."

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

"Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations," Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain's National Cryptology Centre of "a massive ransomware attack."

Iberdrola and Gas Natural, along with Vodafone's unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

The ransomware worm has rampaged through global computer systems, with the UK and Russia the worst affected.

It has also hit two major Indonesian hospitals, German rail operator Deutsche Bahn, and French car maker Renault, among many others across 150 countries.
