A leaked cyberweapon believed to have been created by NSA spies was used by criminals on Friday to launch a crippling ransomware attack on hospitals and telecom companies across Europe, security experts say.
The attack — which holds access to infected computers ransom in exchange for payment — wreaked havoc on patient care in at least 16 organizations within the U.K.’s state-run National Health Service and is believed to have spread to computers in more than 74 countries, according to security company Kaspersky.
Researchers spent much of Friday examining the software used in the attack, and believe it relies on re-purposed code that is said to have originally been written by the NSA.
The supposed NSA code exploited a software vulnerability found in multiple versions of Microsoft’s Windows operating system, but was patched in March just weeks before a group of hackers known as the Shadow Brokers leaked a trove of information publicly detailing what they claimed were the U.S. spy agency’s secret tools and techniques.
“These were weapons-grade exploits [and] very trivial to use,” said Matthew Hickey, a cybersecurity researcher and co-founder of the company Hacker House, who previously analyzed the code leaked by the Shadow Brokers. “So what we’re seeing is this very run-of-the-mill malware that’s being adopting these exploits, adopting these kind of weaponized attacks and using them to spread across networks and demand ransom.”
Spain’s national computer security incident response team was one of the first organizations to publicly attribute the ransomware’s spread to the leaked exploit — known by the NSA code name EternalBlue and Microsoft patch number MS17-010 — while malware researchers reported similar findings on Twitter.
Costin Raiu, director of global research and analysis at the computer security company Kaspersky, said that his firm had detected more than 45,000 recorded instances of the attack in 74 countries by early Friday afternoon.
“I’m actually genuinely quite surprised that it’s taken close to six or seven weeks for the first large-scale incident like this to happen,” said Hickey, who is alarmed — but unsurprised — that people aren’t patching as quickly as they should.
A global patching problem
While many ransomware infections require a victim to open an email attachment or click a link, Friday’s attack is notable for its worm-like ability to spread — in other words, its ability to copy itself between vulnerable machines without user intervention.
The ransomware’s rapid spread suggests that many organizations have been slow to update their systems to newer versions of Microsoft’s Windows operating system that address the bug, which likely aided the worm’s movement.
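The worm-like spread described above leaves a recognisable trace on the network: one host opening SMB (TCP port 445) connections to many distinct peers in a short time, which is very different from a workstation talking to one or two file servers. The following is an added defender-side example, not code from the article or from any of the companies it quotes; the flow-log format, the field names, the 60-second window and the five-peer threshold are all assumptions, and the log lines are constructed for illustration.

```python
"""Flag hosts that fan out to TCP/445 across many peers within a short
window, the traffic pattern of worm-style lateral spread.

Added example. The flow-log format ("timestamp src dst dport") and the
tuning values below are assumptions, not taken from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records, not real network data.
# 10.0.1.20 sweeps six neighbours on 445 in a few seconds (worm-like).
# 10.0.1.30 talks repeatedly to a single file server on 445 (normal).
# 10.0.1.40 contacts three web servers on 443 (not SMB, ignored).
# 10.0.1.50 reaches five peers on 445, but spread over eight minutes.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.1.20 10.0.1.5 445
2017-05-12T10:00:02 10.0.1.20 10.0.1.6 445
2017-05-12T10:00:03 10.0.1.20 10.0.1.7 445
2017-05-12T10:00:04 10.0.1.20 10.0.1.8 445
2017-05-12T10:00:05 10.0.1.20 10.0.1.9 445
2017-05-12T10:00:06 10.0.1.20 10.0.1.10 445
2017-05-12T10:00:10 10.0.1.30 10.0.1.5 445
2017-05-12T10:00:20 10.0.1.30 10.0.1.5 445
2017-05-12T10:00:30 10.0.1.30 10.0.1.5 445
2017-05-12T10:00:15 10.0.1.40 10.0.1.11 443
2017-05-12T10:00:16 10.0.1.40 10.0.1.12 443
2017-05-12T10:00:17 10.0.1.40 10.0.1.13 443
2017-05-12T10:00:00 10.0.1.50 10.0.1.5 445
2017-05-12T10:02:00 10.0.1.50 10.0.1.6 445
2017-05-12T10:04:00 10.0.1.50 10.0.1.7 445
2017-05-12T10:06:00 10.0.1.50 10.0.1.8 445
2017-05-12T10:08:00 10.0.1.50 10.0.1.9 445
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def smb_fanout_sources(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src: peer_count} for sources that contact at least
    `threshold` distinct hosts on port 445 inside any `window`-long span.

    Repeated connections to the same peer count once, so a client hammering
    one file server is not flagged; only breadth of peers within the window is.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so each window starts at one event
        best = 0
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(peers))
        if best >= threshold:
            flagged[src] = best
    return flagged


def report(text):
    """Sorted list of (src, peer_count) alerts for a block of flow-log text."""
    return sorted(smb_fanout_sources(parse_flows(text)).items())


if __name__ == "__main__":
    for src, count in report(SAMPLE_FLOWS):
        print(f"ALERT: {src} reached {count} distinct hosts on TCP/445 within 60s")
```

Run as a script it prints a single alert for 10.0.1.20; the file-server client, the HTTPS traffic and the slow five-peer host stay quiet. In practice the window and threshold would be tuned against a baseline of the environment's own SMB traffic, and a detection like this complements, rather than replaces, actually deploying the MS17-010 patch the article describes.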
“I just can’t stress it enough: we have a global patch management problem,” said Katie Moussouris, CEO and founder of the cybersecurity company Luta Security. “And it’s been manifesting for the better part of the…