New Zealand's spy agency is "taking steps" to strengthen the cyber security of government departments, critical infrastructure and big business as a ransomware attack sweeps the globe.

The Government Communications Security Bureau says it has not received any reports of the "WannaCry" malware infection affecting computers in New Zealand.

But a spokesman for the GCSB said its specialist cyber arm - the National Cyber Security Centre - is working with a newly formed government taskforce, the National Computer Emergency Response Team, to protect New Zealand's interests.

"The NCSC is taking steps to help increase the resilience of New Zealand's nationally significant systems. These steps include technical measures and provision of mitigation advice."


According to the GCSB website, "nationally significant systems" include government departments, "key economic generators, niche exporters, research institutions and operators of critical national infrastructure".
The police have also briefed the Ministry of Health as a precaution.

The message that appears after the attack. Photo / Twitter

The WannaCry attack uses malware to encrypt victims' data and demands that victims pay a ransom to have their data restored.

"The NCSC is aware that the ransomware exploits a known vulnerability in Windows operating systems and has previously provided advice to its customers on addressing this vulnerability," the GCSB said in a statement.

"We are also working with CERT NZ to provide information on how individuals, small businesses and operators of larger systems can reduce their vulnerability to ransomware attacks."

A specialist in cyber threats says it's highly likely the ransomware bug WannaCry is already in New Zealand.

Ransom demands have been reported from more than 70 countries so far.

Auckland University's Lech Janczewski says there's nothing random about the targets.

The malicious software - called "ransomware" because it encrypts systems and threatens to destroy data if a $300 ransom in Bitcoin (NZ$430) is not paid - is spreading among computers that have not been patched, experts said.

The reports of the malware spread began in Britain, where the National Health Service (NHS) described serious problems throughout Friday. But government officials and cybersecurity experts later described a far more extensive problem growing across the internet, with tens of thousands of computers in dozens of nations. Europe, Asia and Latin America were especially hard hit.

"This is not targeted at the [National Health Service]," British Prime Minister Theresa May said in a statement released by Downing Street. "It's an international attack, and a number of countries and organisations have been affected."

In Moscow, the Russian Interior Ministry reported on Friday that it, too, was under attack. The ministry, which administers the country's police, told the Interfax news agency that about 1000 of its computers were blocked.

Cybersecurity experts said the malicious software works by exploiting a flaw in Microsoft software that was described in NSA documents stolen from the agency and leaked publicly in April by a criminal group called Shadow Brokers.

Microsoft released a "critical" patch fixing the flaw in March, before the NSA documents were publicly released, but the patch was apparently applied inconsistently, with many computers continuing to be unprotected.

The NSA did not respond to requests for comment.


So-called "phishing" attacks are delivering the malicious software by tricking email recipients into opening misleading links that take over computers. Such attacks have become increasingly common in recent years because they are simple to execute and lucrative for attackers.

But the speed and scale of the spread of the malicious software startled experts.

"It's one of the first times we've seen a large international global campaign," said Chris Camacho, chief strategy officer for Flashpoint, a cyber-intelligence company.

This ransomware program has hit companies including FedEx and the Spanish telecommunications giant Telefonica.

"Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers," FedEx said in a statement on Friday.

A representative of the Russian Interior Ministry said that although computers were blocked, the attack has been "contained". An unidentified source cited by Interfax, which is regularly used as a clearing house for news from Russian law enforcement agencies, said there was "no leak of information". That report could not immediately be confirmed.

The Moscow-based internet security company Kaspersky Lab said on Friday evening that its security software has "detected and successfully blocked a large number of ransomware attacks around the world" in which the data is encrypted using the extension .WCRY in the file names.

The company said it detected "more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia". Kaspersky noted that the actual number of attacks may be far higher. WannaCry is shorthand for the ransomware's name.

The ransomware, once opened by a single user on a computer network, is able to spread to many other machines on that network, vastly expanding the reach of the attack.

The program is called Wanna Decrypt0r 2.0 and appears to support 28 different languages, underscoring the global ambitions of its creators.

The ransomware locks computers and then launches a ransom note in a text file, according to researchers at the Avast security software company in the Czech Republic. The note says that "you need to pay service fees for the decryption" and asks for $300 worth of bitcoin to be sent electronically to an address.

It was not clear who would receive the funds, nor the group or individual behind the attack.

A sum of $300 is a fairly low ransom when compared with some previous attacks, such as last June at the University of Calgary, which agreed to pay nearly $16,000 in bitcoin currency to an unknown group of hackers.

The WannaCry ransom note also says, dryly: "Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users."

The main entrance of St Bartholomew's Hospital, in London, one of the hospitals whose computer systems were affected. Photo / AP

Massey University's Andrew Colarik says when Wikileaks released US National Security Agency files they laid bare all the vulnerabilities of all the systems we use.

He says as a result, all of our systems are the same as everybody else's.

Colarik says we're extremely exposed until these vulnerabilities are effectively closed.

In a statement on Friday, Microsoft said: "Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows Update enabled, are protected. We are working with customers to provide additional assistance."

A group cryptically calling itself Shadow Brokers began in August to release virtually NSA's entire library of powerful hacking tools. The releases continued throughout autumn and into spring.

The US government reportedly has still not developed full confidence on the identity of the hackers. Suspicion has fallen on the Russian government, but in October the FBI arrested a Maryland man who worked for Booz Allen Hamilton and had previously worked at the NSA's Tailored Access Operations, a unit that carries out hacking operations around the world to obtain foreign intelligence on spies, terrorists and other targets.

The firm's former employee, Harold T Martin III, has been charged with theft of government property and violating the Espionage Act by retaining classified material. He pleaded not guilty in February and awaits trial.

Though the software vulnerability used by the ransomware attack relies on a computer flaw discovered by the NSA, some experts said responsibility for the wide spread of Friday's problems lies with the failure of many institutions to keep their computers updated.

Peter Eckersley, technology projects director for the Electronic Frontier Foundation, a San Francisco-based civil liberties group that has sharply criticized the NSA for its aggressive surveillance, said, "In this case, it's a little unfair to blame the NSA. They could have been following the best possible defensive practices, and this probably would have gone down the same way."

The ACLU, another frequent NSA critic, however, said in a statement, "These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world."

In Britain, the BBC broadcast a screen shot of a message apparently sent to National Health Service medical facilities demanding payments for unlocking computer files that had been "encrypted" by the attack.

Officials made no public comment on the possible source of the hack, which touched off havoc and confusion across the state-run health system. Operations were cancelled, emergency room services were scaled down, and medical personnel went back to using handwritten notes.

Health officials offered no indication of when services might return to normal, or whether patient records could be permanently lost to the attack.

"The most exploitable industry in the world is the healthcare sector," said Tom Kellerman, chief executive of Strategic Cyber Ventures. He said the industry is chronically hobbled by regulation and insufficient investment in computer security.

A statement from NHS Digital - the computer services arm of the health service - said at least 16 hospitals or doctor's offices were directly affected by the attack. Officials later acknowledged the number was rising, though they did not give a precise figure.

Other healthcare centres, meanwhile, turned off their computers to avoid potential infiltration. NHS Digital said it did "not have any evidence that patient data has been accessed".

There also was no immediate evidence to suggest disruptions to medical procedures that use high-tech tools. But the basic business of hospitals was being thrown into turmoil.

The style of attack that appeared to be on display has become increasingly common in recent years, said Cornell University computer science professor Emin Gun Sirer. The attackers typically demand payment be made in bitcoins because "there are no take-backs. Once a transfer has been made, it's final".

Sirer said ransomware has become a lucrative business for criminal syndicates that can make millions of dollars a day from such attacks. Once a victim has been successfully attacked, their choices are limited.

"Undoing the hack is going to be just about impossible," he said. "The only options are to wipe the machines and move on or to pay the ransom."

Nigel Inkster, former director of operations and intelligence for MI6, told Sky News that one of the reasons the NHS in particular was vulnerable was its outdated software system.

"A lot of hospital trusts in the UK - 40-plus last time I checked - are running their systems on Windows XP software, which hasn't been supported by Microsoft for two or three years," he said. "In other words, Microsoft is no longer looking for and seeking to repair vulnerabilities in the system."

Attacks on healthcare systems can also be especially high-stakes, creating potential life-or-death situations and raising the chances that the victim will ultimately pay.
Signs hung on the door at the emergency ward at the Royal London Hospital Friday afternoon read: "The emergency department has no IT facilities".

Across England on Friday, as well as at a handful of facilities in Scotland, internal tech systems were down in hospitals ranging from the centre of London to rural parts of the country's south and north.

The attack affected emergency services in some locations, and patients were urged to avoid visits to the emergency room unless absolutely necessary.

NHS Digital said it would be working with Britain's National Cyber Security Centre in efforts to resolve the outage. It soon became clear that the assault extended far beyond Britain's health service.

The attack came as Spain's National Cryptologic Center announced a "massive ransomware attack" against Spanish companies. The statement said the attackers were demanding a ransom payment in bitcoins.

The attack in Britain had immediate impacts in hospitals across the country.

Richard Harvey, 50, was just about to undergo surgery on his leg on Friday afternoon following a motorcycle accident when a nurse told him that the procedure had been cancelled due to a cyberattack.

"I'm a bit of a nervous person and had to get settled about the operation, which I was. Now I had to go through that again," said Harvey, a former hospital porter who had been fasting since the previous evening in preparation for the operation at Royal London Hospital in east London. "A cyberattack? That doesn't happen every day."

Stephen Hirst, a doctor in the northern English town of Preston, told the BBC that the first sign of the infiltration was an error message warning that "we'd have to pay money to unlock the computer because it's been encrypted.

"It's compromising having to open files and complete prescriptions. It's interfering with day-to-day functioning," Hirst said.

Doctors were using pen and paper as the National Health Service struggled to get computers back online. Routine appointments were being cancelled.

A report issued on Wednesday by the European Commission called for greater attention to cyberthreats as the world becomes "more vulnerable to cyberattacks, with security breaches causing significant damage." It said the commission plans a full review of European Union cybersecurity measures by September.

What we know so far

How, exactly, does this ransomware work?

As its name implies, ransomware works like a hostage-taker.

Once your computer is infected, the attack can do a couple of things. One common approach: your files are encrypted, scrambled so that only the attacker holds the key needed to read them again. Often, you won't even know you've been targeted until you try to open a file.

Another, more damaging version is what happened Friday: The ransomware locks you out of your entire system.

During the attack in England, computer screens showed a message demanding $300 in bitcoin in exchange for the decryption key that would unlock the files.

Victims had three days to pay before the fee was doubled.

Something very similar happened to a hospital system in Los Angeles a couple of months ago. The hospital ended up paying about $17,000. The hackers even set up a help line to answer questions about paying the ransom.

This attack relies on something called the Wanna Decryptor, also known as WannaCry or WCRY.

These kinds of attacks are particularly hard to spot, especially because hackers are always tweaking them. The Wanna Decryptor being used is just weeks old, and it was just updated.
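Because the encryption described above announces itself as a burst of files being renamed (the article notes the .WCRY extension appearing in file names), a defender can watch file-audit logs for exactly that pattern. The following is an added example, not code from the article or from any vendor named in it; the audit-log format, host names, threshold and time window are all constructed assumptions.

```python
"""Flag hosts where many files gain a ransomware extension within a short window.

Added example (not from the article). Input is a constructed file-audit log with
one rename event per line:  <ISO time> <host> <user> RENAME <old path> -> <new path>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: one ward PC renaming files in bulk, one admin PC
# renaming a single file, one unrelated rename, and one non-rename line.
SAMPLE_LOG = r"""
2017-05-12T13:01:02 ward-pc-07 jsmith RENAME C:\Docs\notes.docx -> C:\Docs\notes.docx.WCRY
2017-05-12T13:01:02 ward-pc-07 jsmith RENAME C:\Docs\budget.xlsx -> C:\Docs\budget.xlsx.WCRY
2017-05-12T13:01:03 ward-pc-07 jsmith RENAME C:\Docs\report.pdf -> C:\Docs\report.pdf.WCRY
2017-05-12T13:01:03 admin-pc-01 alice RENAME C:\Temp\sample.bin -> C:\Temp\sample.bin.WCRY
2017-05-12T13:01:04 ward-pc-07 jsmith RENAME C:\Docs\photo.jpg -> C:\Docs\photo.jpg.WCRY
2017-05-12T13:01:04 ward-pc-07 jsmith RENAME C:\Docs\letter.doc -> C:\Docs\letter_final.doc
2017-05-12T13:01:05 ward-pc-07 jsmith RENAME C:\Docs\scan.tif -> C:\Docs\scan.tif.WCRY
2017-05-12T13:01:06 ward-pc-07 jsmith RENAME C:\Docs\more.txt -> C:\Docs\more.txt.WCRY
2017-05-12T13:01:07 ward-pc-07 jsmith LOGON
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) RENAME (.+?) -> (.+)$")

# The article mentions only .WCRY; extra extensions would be a deployment choice.
WATCHED_EXTENSIONS = (".wcry",)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that are not renames."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, old, new = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "old": old, "new": new}


def detect_bursts(lines, threshold=5, window=timedelta(seconds=60),
                  exts=WATCHED_EXTENSIONS):
    """Return {host: ISO time of first alert} for hosts where at least `threshold`
    files gained a watched extension within `window` (a sliding window per host).
    A single renamed file, e.g. an analyst handling a sample, does not alert."""
    recent = defaultdict(deque)   # host -> timestamps of recent suspicious renames
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["new"].lower().endswith(exts):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerts:
            alerts[ev["host"]] = ev["ts"].isoformat()
    return alerts


if __name__ == "__main__":
    for host, when in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {when} mass rename to {WATCHED_EXTENSIONS}")
```

A real deployment would feed the same logic from the file-server audit log or an endpoint agent and tune the threshold to normal rename rates for each host class.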

How do computers get infected?

Lots of ways.

Hackers can get ransomware on your system if you download an infected piece of software or a PDF. They can also use a phishing email to direct you to an infected website.

In this case, hackers sent a zip file attachment in an email. When victims clicked on it, their computers were infected. But the attack didn't stop there. The ransomware spread through the hospitals' and businesses' computer networks. "Once you get a foothold in the system, other users will start to run those pieces of software," explained Clifford Neuman, who directs the University of Southern California's Center for Computer Systems Security.

What's Edward Snowden got to do with it?

Though we don't know for sure, it looks like the hackers exploited a vulnerability in the Windows operating system. Microsoft knew about this many months ago and put together a patch, but many businesses are slow to update their operating systems because they have to evaluate the updates' impact on other software. (Or, like most of us, they just keep running old versions of software forever).

Microsoft knew about this vulnerability because it was exposed by former National Security Agency contractor Edward Snowden: Apparently the US surveillance agency had been exploiting it for its own use.

Who's behind the attack?

Investigators are pursuing a lot of leads, but so far they have very little concrete evidence. They do think it's the work of criminals, not a foreign power.

They know the original hacking tool was leaked by a group called the Shadow Brokers, which dumps stolen NSA tools online. But they don't know who the Shadow Brokers hackers are or whether they perpetrated the attack.

Who's been hit so far?

Britain's National Health Service (NHS) was a major victim. More than 40 hospitals and health facilities across England were affected, and many staff members were locked out of their computers, unable to access patient medical records, appointment schedules and internal emails.

It was so bad that officials warned people to stay home unless they were having a medical emergency. Hospitals in Scotland and Wales were affected, too.

But investigators quickly discovered that the NHS was not the only, or even the intended, victim. The attack was wide-ranging and affected organisations across the country.

Meanwhile, Spain's National Cryptologic Center, part of that country's intelligence agency, reported a "massive ransomware attack" against Spanish organisations.

At Telefonica, in Madrid, security department officials ordered employees to switch off their computers and disconnect from Wi-Fi.

This is much bigger than that, though. According to Britain's Independent newspaper, these attacks may stretch around the globe, from Portugal to Turkey, Indonesia, Vietnam, Japan, Germany and Russia. It "is much larger than just the NHS," Travis Farral, director of security strategy for cybersecurity firm Anomali Labs, told The Independent. "It appears to be a giant campaign that has hit Spain and Russia the hardest."

Friday afternoon, FedEx disclosed that its systems also were victims of the hack.

What are investigators trying to do to catch the attackers?

It can be hard to track down the perpetrators in attacks like this, but it's not impossible.

One method: follow the money. It's possible to trace where a bitcoin payment ends up. "Despite what people tend to think, it's highly traceable," said Neuman, of USC. "You can see the flow of funds through the bitcoin system."

That doesn't mean, however, that you'll know who actually ends up with the money, especially once it's pulled out of the system. Hackers are able to hide that in lots of different ways.

Experts will also be searching the code itself for clues. Hackers each write codes in different ways, leaving identifiable traces of their work, like a signature.

What can I do to stay safe?

First, back up your hard drive. You should be keeping frequent backups anyway, in case your computer dies on its own. But if your computer gets hacked, you'll be able to retrieve your data without paying a ransom.

If you run a business, back up every computer in your office and have a plan for what to do if your system goes down for a while. Be smart about setting up your network, so that most users don't have complete access to the system.

This makes it harder for a ransomware attack to infect everything. And make sure your users are educated about the common kinds of attacks.

Avi Rubin, a Johns Hopkins University professor who studies computer hacking, has one other piece of advice: If you or your business get attacked, don't pay.

"You're funding the bad guys and giving more incentive," he said. "You also don't know whether your files will really be restored."