Cyberattack thwarted by flipping 'kill switch' but experts fear new blitz

The cyberattack hit hundreds of thousands of computers in 99 countries.

By ABC News
May 13, 2017, 7:20 PM

Europe and Russia were left reeling today by a malicious global cyberattack that used leaked NSA tools to exploit a vulnerability in Microsoft Windows and spread ransomware across networks around the world.

Tens of thousands of users from London to St. Petersburg logged on yesterday to find ominous threats to delete their suddenly encrypted computer files, unless they cough up $300 or more in Bitcoin payments to the unknown perpetrators, security experts and intelligence officials told ABC News today.

A message saying “Oops, your important files are encrypted” flashed across screens all over the world. According to The New York Times, experts estimated that before the last affected computers are unlocked, victims could collectively pay more than $1 billion to the attackers.

The attack appears to have been thwarted by private cybersecurity researchers who identified and triggered the malware’s "kill switch," which halted the attack before it spread throughout U.S. networks, a senior U.S. intelligence official confirmed, but the official said it is unclear whether a modified attack will soon be launched.

"That is a huge concern right now," Darien Huss, a senior security research engineer at Proofpoint who was among the researchers who helped disable the virus, called "WannaCry," told ABC News today. "It would not be very difficult at all to re-release this ransomware attack without a kill switch or without an approved kill switch that only they can activate."

Huss is also worried about copycats, who could "take the exploit code that was used in this attack and implement it into their own virus."

The tally of victims so far includes FedEx in the United States, railroads in Germany and Russia, and factories and phone companies across Europe. Among the worst impacted by the historic attack, unprecedented in its breadth, was Britain's Public Health Service, where more than 45 facilities had to suspend operations and divert patients and surgeries.

"The impact on the U.S. seems to be negligible -- very tiny impact, very few victims," the senior intelligence official told ABC News today, adding that there is "no attribution yet" to any individuals, groups or nation-states behind the attacks reported in more than 100 countries.

"It's impacting overseas among those who have outdated software or pirated software," the senior intelligence official said. "The U.S. government is better suited to react and respond to something like this than some other countries because of years of work between the private sector and the government."

Cybersecurity experts believe the attack was carried out with the help of tools first developed by the U.S. National Security Agency for targeting terrorists and foreign adversaries, which were leaked to the public by a hacker group called The Shadow Brokers in April.

"They lost it, somebody stole the information, published it on the internet, and now it's being used against victims in the United States and elsewhere," said John Bambenek of Fidelis Cybersecurity.

While Microsoft broadened access to a security patch on Saturday to thousands of users whose old Windows support agreements have expired, law enforcement and intelligence authorities around the world, led by Britain’s new cybersecurity agency, are working to track down whoever was responsible -- with Russian organized crime considered a leading suspect, some experts said.

"The reason this is hitting so many computers at once is that they discovered a vulnerability in the most popular operating system in the world, in Microsoft Windows," said John Carlin, former assistant attorney general for national security and an ABC News contributor. "And they’re taking advantage of it. It’s one that Microsoft delivered a solution for, but a lot of people haven’t used it."

As the attack spread to five continents, the damage was contained, for the moment, when a computer programmer in Great Britain says he stumbled upon the kill switch after Huss shared some of his work on social media. The researcher, who uses the pseudonym "MalwareTech" for personal security, registered a domain name buried in the code of the attack and was surprised to discover that it was the kill switch that sent a signal to stop the attacks.

"In this case, when we registered it, it turned out to be a kill switch," Salim Neino, CEO of Kryptos Logic, which employs MalwareTech as a cybersecurity researcher, told ABC News. "We verified it and turned the information over to the FBI."

The researcher behind "MalwareTech" sent the virus down a "sinkhole," preventing it from spreading more widely.

"If MalwareTech had not sinkholed that domain as quickly as he had, we definitely could have seen many, many more infections that occurred," Huss said. "Potentially hundreds of thousands and into the millions."

While this attack has slowed, experts warn that networks remain vulnerable.

"This was a combination attack, obviously coordinated. We need to take the act of keeping our systems and devices up to date seriously," said Tyler Cohen Wood, a former senior intelligence official involved in cyber operations. "Unfortunately, until this is taken more seriously, this massive wide scale type of attack is only the beginning."
