“The number of infected computers has not increased as expected, which is a success,” European law enforcement agency Europol said Monday.
Analysts had feared that the attack, which started spreading on Friday, could accelerate as workers returned to their desks after the weekend and turned on compromised machines.
But the aftershocks have so far been mild. “People may have updated their security systems over the last hours,” Europol said.
Europol estimates that the attack has hit at least 150 countries and infected 200,000 machines. Hospitals, universities, manufacturers and government agencies in Britain, China, Russia, Germany and Spain have all been affected.
The “Wannacry” virus locks users out of their computers and demands hundreds of dollars from victims hoping to regain control of their documents and data. Europol said Monday that “very few” people have paid the ransom.
The ransomware exploits a vulnerability in outdated versions of Microsoft Windows that is particularly problematic for corporations that don’t automatically update their systems. The exploit was leaked last month as part of a trove of U.S. spy tools.
“We will get a decryption tool eventually, but for the moment, it’s still a live threat and we’re still in disaster recovery mode,” Europol director Rob Wainwright told CNN on Sunday.
Wainwright said the agency is analyzing the virus and has yet to identify who is responsible for the attack.
The blame game has already started. Brad Smith, Microsoft’s president and top lawyer, said Sunday that the company has the “first responsibility” to address the problem. But he also said the incident was a “wake-up call” for governments.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” he said. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
At least one strain of the ransomware has proven especially vicious. Once it infects one computer within a network, it can spread to all the computers in that network “within seconds,” said Israel Levy, the CEO of the cybersecurity firm Bufferzone.
For example, if an office worker opens an infected PDF attached to an email, soon everyone in the office could be under attack. That was “unheard of six months ago,” Levy said. Previous attacks targeted one machine at a time.
“Friday’s attack is a loud and clear wake-up call,” said Michael Kaiser, executive director of the nonprofit National Cyber Security Alliance in Washington, D.C. “The attack was global in reach, and its impact was significant. When we see whole systems like the National Health System in the United Kingdom directly targeted, it reinforces how dependent we have become on our data-driven networks. It is of utmost importance that cybersecurity of those networks be a top priority of businesses and organizations large and small.”
There are defenses that can help to prevent ransomware infections, according to the National Cyber Security Alliance:
- Keep clean machines: Prevent infections by updating critical software as soon as patches or new operating system versions are available. This includes mobile and other internet-connected devices.
- Lock Down Your Login: Strong authentication — requiring more than a username and password to access accounts — should be deployed on critical networks to prevent access through stolen or hacked credentials.
- Conduct regular backups of systems: Systems can be restored in cases of ransomware, and having a current backup of all data speeds the recovery process.
- Make better passwords: In cases where passwords are still used, require long, strong and unique passwords to better harden accounts against intrusions.
The list of institutions affected has grown as more become aware of hacks and variants of the virus spread.
FedEx: The company said it was “experiencing interference with some of our Windows-based systems caused by malware” and was trying to fix the problems as quickly as possible.
Nissan: The carmaker said in a statement that “some Nissan entities were recently targeted” but “there has been no major impact on our business.”
Colleges: Internet security firm Qihoo360 issued a “red alert” over the weekend, saying a large number of colleges and students in China had been hit by the ransomware attack.
Gas stations: State-run media in China reported that some gas stations saw their digital payment systems shut down, forcing customers to bring cash.
Deutsche Bahn: The German railway company told CNNMoney that due to the attack “passenger information displays in some stations were inoperative” as were “some ticket machines.”
Hitachi: The Japanese electronics firm said Monday that its computer systems have been experiencing problems since the weekend, including not being able to send and receive emails or open attached files. It said it believed the difficulties are linked to the global cyberattack but they haven’t so far harmed its business operations.
Russian Central Bank: State media agency Tass reported that the bank discovered bulk emails carrying malware sent to banks but detected no compromise of resources. The central bank reportedly said those monitoring the cyberattacks found “no incidents compromising data resources of banking institutions.”
Russian Railways: State media said a virus attacked the IT system of Russian Railways, but it did not affect operations due to a prompt response. The company said the virus has been localized and “technical work is underway to destroy it and update the antivirus protection.”
Interior Ministry: The Russian Interior Ministry acknowledged a ransomware attack on its computers, adding that less than 1% of computers were affected. The statement said antivirus systems are working to destroy it.
Megafon: A spokesperson for Russian telecommunications company Megafon told CNN that the cyberattack affected call centers but not the company’s networks. He said the situation was under control.
Telefónica: Spanish authorities confirmed the Spanish telecom company Telefónica was one of the targets, though the attack affected only some computers and did not compromise the security of clients’ information.
National Health Service: At least sixteen NHS organizations have been hit, according to NHS Digital. “At this stage, we do not have any evidence that patient data has been accessed. We will continue to work with affected (organizations) to confirm this,” the agency said. The NHS has said hospitals have had to cancel some outpatient appointments because of the attack.
The UK government called a meeting of its crisis response committee, known as Cobra, to discuss how to handle the situation. The British Home Secretary said most of the NHS systems were back to normal by midday Saturday.