An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

Home » Businesses Brace for Monday as Ransomware Threat Lingers

Businesses Brace for Monday as Ransomware Threat Lingers

SINGAPORE/TORONTO (Reuters) – Technical staff scrambled on Sunday to patch computers and restore infected ones, amid fears that the ransomware worm that stopped car factories, hospitals, shops and schools could wreak fresh havoc on Monday when employees log back on. The spread of the virus dubbed WannaCry – “ransomware” which locked up more than 100,000 […]

14-05-17 11:50
An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

SINGAPORE/TORONTO (Reuters) – Technical staff scrambled on Sunday to patch computers and restore infected ones, amid fears that the ransomware worm that stopped car factories, hospitals, shops and schools could wreak fresh havoc on Monday when employees log back on.

An ambulance waits next to a police car, outside the emergency department, at St Thomas’ Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

The spread of the virus dubbed WannaCry – “ransomware” which locked up more than 100,000 computers – had slowed, cybersecurity experts said, but they warned that the respite may be brief.

New versions of the worm were expected, and the extent of the damage from Friday’s attack was still unclear.

Marin Ivezic, cybersecurity partner at PwC, said that some clients had been “working around the clock since the story broke” to restore systems and install software updates, or patches, or restore systems from backups.

Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge on Friday.

Code for exploiting that bug, which is known as “Eternal Blue,” was released on the internet in March by a hacking group known as the Shadow Brokers.

The group claimed it was stolen from a repository of National Security Agency hacking tools. The agency has not responded to requests for comment.

Hong Kong-based Ivezic said that the ransomware was forcing some more “mature” clients affected by the worm to abandon their usual cautious testing of patches “to do unscheduled downtime and urgent patching which is causing some inconvenience.”

He declined to identify which clients had been affected.

MONDAY MORNING RUSH?

Monday was expected to be a busy day, especially in Asia which may not have seen the worst of the impact yet, as companies and organisations turned on their computers.

“Expect to hear a lot more about this tomorrow morning when users are back in their offices and might fall for phishing emails” or other as yet unconfirmed ways the worm may propagate, said Christian Karam, a Singapore-based security researcher.

Targets both large and small have been hit.

Renault on Saturday said it had halted manufacturing at plants in Sandouville, France, and Romania to prevent the spread of ransomware in its systems.

Among the other victims is a Nissan manufacturing plant in Sunderland, northeast England.

Hundreds of hospitals and clinics in the British National Health Service were infected on Friday, forcing them to send patients to other facilities.

German rail operator Deutsche Bahn said some electronic signs at stations announcing arrivals and departures were infected.

In Asia, some hospitals, schools, universities and other institutions were affected. International shipper FedEx Corp said some of its Windows computers were also breached.

Telecommunications company Telefonica was among the targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

A Jakarta hospital said on Sunday that the cyber virus had infected 400 computers, disrupting the registration of patients and finding records. The hospital said it expected big queues on Monday when about 500 people were due to register.

In Singapore, a company that supplies digital signage, MediaOnline, was rushing to fix its systems after a technician’s error had led to 12 kiosks being infected in two of the island’s malls. Director Dennis So said the systems were not connected to the malls’ or tenants’ networks.

Symantec, a cybersecurity company, predicted infections so far would cost tens of millions of dollars, mostly from cleaning corporate networks. Ransoms paid amount to tens of thousands of dollars, one analyst said, but he predicted they would rise.

Governments and private security firms on Saturday said that they expected hackers to tweak the malicious code used in Friday’s attack, restoring the ability to self-replicate.

“This particular attack was relatively easy to shut down,” said Bryce Boland, Asia Pacific chief technology officer for FireEye, a cybersecurity company.

But he said it would be straightforward for the existing attackers to launch new releases or for other ransomware authors to start copying the way the malware replicated.

The U.S. government on Saturday issued a technical alert with advice on how to protect against the attacks, asking victims to report attacks to the Federal Bureau of Investigation or Department of Homeland Security.

(Additional reporting by Additional reporting by Neil Jerome Morales, Masayuki Kitano, Kiyoshi Takenaka, Jose Rodriguez, Emmanuel Jarry, Orathai Sriring, Jemima Kelly, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; Editing by Mike Collett-White)

FACTBOX – By Jamillah Knowles

What is WannaCry – also known as WanaCrypt0r 2.0, WannaCry and WCry?

HOW DOES IT WORK?

WannaCry is a form of “ransomware” that locks up the files on your computer and encrypts them in a way that you cannot access them anymore.

HOW DOES IT SPREAD?

Ransomware is a programme that gets into your computer, either by clicking on the wrong thing or downloading the wrong thing, and then it holds something you need to ransom.

In the case of WannaCry, the programme encrypts your files and demands payment in bitcoin in order to regain access.

Security experts warn there is no guarantee that access will be granted after payment. Some ransomware that encrypts files ups the stakes after a few days, demanding more money and threatening to delete files altogether.

There are different variants of what happens: Other forms of ransomware execute programs that can lock your computer entirely, only showing a message to make payment in order to log in again. There are some that create pop-ups that are difficult or impossible to close, rendering the machine difficult or impossible to use.

WHERE HAS IT SPREAD?

British based cyber researcher Chris Doman of AlienVault said the ransomware “looks to be targeting a wide range of countries”, with initial evidence of infections in at least two dozen nations according to experts from three security firms.

The broad based ransomware attack has appeared in at least eight Asian nations, a dozen countries in Europe, Turkey and the United Arab Emirates and Argentina and appears to be sweeping around the globe, researchers said.

WHAT IS SO SPECIAL ABOUT WANNACRY?

WannaCry is not just a ransomware programme, it’s also a worm.

This means that it gets into your computer and looks for other computers to try and spread itself as far and wide as possible.

Ransomware has a habit of mutating and so it changes over time in order to find different ways to access computers or to get around patches (operating system updates that often include security updates). Many security firms are already aware of WannaCry in past forms and most are looking at this one right now to see how it might be stopped.

Several cyber security firms said WannaCry exploits a vulnerability in Microsoft and that Microsoft patched this in March. People don’t always install updates and patches on their computers and so this means vulnerabilities can remain open a lot longer and make things easier for hackers to get in.

It exploited a vulnerability in the Windows operating system believed to have been developed by the National Security Agency, which became public last month. It was among a large number of hacking tools and other files that a group known as the Shadow Brokers released on the Internet. Shadow Brokers said that they obtained it from a secret NSA server.

The identity of Shadow Brokers is unknown though many security experts believe the group that surfaced in 2016 is linked to the Russian government.

The NSA and Microsoft did not immediately respond to requests for comment.

(Additional reporting by Dustin Volz, writing by Guy Faulconbridge; editing by Jim Finkle and Eric Auchard, Ralph Boulton)

How to protect or fix your computer if it has been affected.