(Bloomberg) -- The cyber-attack that spread rapidly around the globe was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to return as many computers remain at risk.
Hackers can still gain easy access to personal computers that lack a security update issued in March by Microsoft Corp. to fix the vulnerability in its Windows operating system. The company had labeled the patch as “critical.”
The malware, using a technique purportedly stolen from the U.S. National Security Agency, stopped care in hospitals across the U.K., affected Russia’s Ministry of Interior and infected company computer systems in countries from Eastern Europe to the U.S. and Asia. While most organizations won’t suffer as much as the U.K. health-care facilities, the incident renewed the debate about the risk of governments stockpiling flaws in commercial technology and using them for hacking attacks.
In the U.K., sixteen organizations in the National Health Service were infected, and hospitals in London, North West England and Central England urged people with non-emergency conditions to stay away as technicians tried to stop the spread of the malicious software.
Health-care organizations are notoriously slow to apply security fixes, in part because of the disruption caused by taking critical systems offline. That has made them a reliable victim of ransomware attacks, such as that on Friday in which hackers encrypted data on infected computers and demanded $300 in bitcoin to unlock it. Many security professionals and even some in law enforcement recommend paying the ransom in such cases as the fastest way to get the data back.
Last year an acute-care hospital in Hollywood paid $17,000 in bitcoin to an extortionist who hijacked its computer systems and forced doctors and staff to revert to pen and paper for record-keeping.
Hospitals are also fertile ground for identity thieves because of their often-lax security policies. Bloomberg Businessweek wrote in 2015 about a spate of malware infections at hospitals where radiological machines, blood-gas analyzers and other devices were compromised and used to siphon off the personal data of patients.
Other victims of the hack were most likely small and medium-sized businesses. Some larger organizations, such as Spain’s Telefonica SA and FedEx Corp. were also infected. A spokesman for Telefonica said the hack affected some employees at its headquarters, but the Spanish phone company is attacked frequently and the impact of Friday’s incident wasn’t major. FedEx said it was “experiencing interference,” according to an Associated Press report.
While any sized company could be vulnerable, many large organizations with robust security departments would have prioritized the update that Microsoft released in March and wouldn’t be vulnerable to Friday’s attack.
Ransomware is a particularly stubborn problem because victims are often tricked into allowing the malicious software to run on their computers, and the encryption happens too fast for security software to catch it. Some security expects calculate that ransomware may bring in as much as $1 billion a year in revenue for the attackers.
More than 75,000 computers in 99 countries were compromised in Friday’s attack, with a heavy concentration of infections in Russia and Ukraine, according to Dutch security company Avast Software BV. Russia’s Interior Ministry, with oversees the country’s police forces, said “around 1,000 computers were infected,” which it described as less than 1 percent of the total, the New York Times reported. The ministry said technicians had stopped the attack and were updating the department’s “antivirus defense systems,” according to the Times.
Microsoft cited its March security update and said it had added detection and protection against the new malware after it was reported. “We are working with customers to provide additional assistance,” the company said.
The attack was apparently halted in the afternoon in the U.K. when a researcher took control of an Internet domain that acted as a kill switch for the worm’s propagation, according to Ars Technica.
“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” wrote the researcher, who uses the Twitter name @MalwareTechBlog. “So long as the domain isn’t revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.”
There is a high-probability that Russian-language cyber-criminals were behind the attack, said Aleks Gostev, chief cybersecurity expert for Kaspersky Labs.
“Ransomware is traditionally their topic,” he said. “The geography of attacks that hit post-Soviet Union most also suggests that.”