Worst of global cyberattack may be yet to come, law enforcement official says
The virus has hit more than 200,000 organizations in 150 countries
— -- Law enforcement and intelligence agencies say the number of reported cyberattacks using the "WannaCry" virus continues to grow, and the head of the joint European law enforcement agency, Europol, tells ABC News the worst may be yet to come.
"It might be sitting on many computers in sectors, in companies over the weekend and when they're switched on again Monday morning we might see the infection rates going back up," Europol Director Rob Wainwright said.
The unprecedented global ransomware attack that started Friday has hit more than 200,000 companies, hospitals, government agencies and other organizations in 150 countries, the European Union's law enforcement agency said.
The attackers are believed to have used tools developed by the National Security Agency that were leaked to the public by the hacker group The Shadow Brokers in April to exploit a vulnerability in Microsoft Windows, the world’s most popular operating system.
“It’s one of the most significant cyberattacks that we’ve seen,” Wainwright said. “We’ve never seen anything in this scale …It’s a wakeup call, I think, to many sectors around the need to take cyber security absolutely seriously as a top line strategic priority.”
Tens of thousands of users from London to St. Petersburg logged on Friday to find ominous threats to delete their suddenly encrypted computer files, unless they cough up $300 or more in Bitcoin payments to the unknown perpetrators, security experts and intelligence officials told ABC News on Saturday. A message saying "Oops, your important files are encrypted," flashed across screens all over the world.
While The New York Times reported that experts initially estimated that the cybercriminals could collect more than $1 billion, so far the number of targets to pay up is remarkably low, Wainwright says.
“I think 20, 30 thousand dollars’ worth of dollars only,” Wainwright said. “I would never recommend you pay a ransom because you’re dealing with a bunch of crooks. You never know that they’re going to do what they promise anyway.”
The spread of the attack appears to have been thwarted by private cybersecurity researchers who identified and triggered the malware's "kill switch," which halted the attacks before it spread throughout U.S. networks, a senior U.S. intelligence official confirmed, but it is unclear whether, the official said, a modified attack will soon be launched.
"That is a huge concern right now," Darien Huss, a senior security research engineer at Proofpoint who was among the researchers who helped disable the "WannaCry" virus, told ABC News Saturday. "It would not be very difficult at all to re-release this ransomware attack without a kill switch or without an approved kill switch that only they can activate."
Huss is also worried about copycats, who could "take the exploit code that was used in this attack and implement it into their own virus."
The tally of victims so far includes FedEx in the United States, railroads in Germany and Russia, factories and phone companies across Europe. Among the worst impacted by the historic attack unprecedented in its breadth was Britain's National Health Service, where more than 45 facilities had to suspend operations and divert patients and surgeries.
"The impact on the U.S. seems to be negligible -- very tiny impact, very few victims," the senior intelligence official told ABC News on Saturday. "The U.S. government is better suited to react and respond to something like this than some other countries because of years of work between the private sector and the government."
Cybersecurity experts believe the attack was carried out with the help of tools first developed by the U.S. National Security Agency for targeting terrorists and foreign adversaries, which was leaked to the public by a hacker group called The Shadow Brokers in April.
"They lost it, somebody stole the information published it on the internet, and now it's being used against victims in the United States and elsewhere," said John Bambenek of Fidelis Cybersecurity.
While Microsoft broadened access to a security patch on Saturday to thousands of users whose old Windows support agreements have expired, law enforcement and intelligence authorities around the world, led by Britain’s new cybersecurity agency, are working to track down whoever was responsible -- with Russian organized crime considered a leading suspect, some experts said.
"The reason this is hitting so many computers at once is that they discovered a vulnerability in the most popular operating system in the world, in Microsoft windows,” said John Carlin, former assistant attorney general for national security and an ABC News contributor. “And they’re taking advantage of it. It’s one that Microsoft delivered a solution for, but a lot of people haven’t used it.”
As the attack spread to five continents, the damage was contained, for the moment, when a computer programmer in Great Britain says he stumbled upon the kill switch after Huss shared some of his work on social media. The researcher, who uses the pseudonym "MalwareTech" for personal security, registered a domain name buried in the code of the attack and was surprised to discover that it was the kill switch that sent a signal to stop the attacks.
"In this case, when we registered it, it turned out to be a kill switch," Salim Neino, CEO of Kryptos Logic, which employs MalwareTech as a cybersecurity researcher, told ABC News. "We verified it and turned the information over to the FBI."
The researcher behind "Malware Tech" sent the virus down a "sinkhole," preventing it from spreading more widely.
"If Malware Tech had not sinkholed that domain as quickly as he had, we definitely could have seen many, many more infection that occurred," Huss said. "Potentially hundreds of thousands and into the millions."
While this attack has slowed, experts warn that networks remain vulnerable.
"This was a combination attack, obviously coordinated. We need to take the act of keeping our systems and devices up to date seriously," said Tyler Cohen Wood, a former senior intelligence official involved in cyber operations. "Unfortunately, until this is taken more seriously, this massive wide-scale type of attack is only the beginning."
The Associated Press contributed to this story.