Governments, companies and security experts from China to Britain raced on Saturday to contain the fallout from an audacious global cyberattack amid fears that if they did not succeed, companies would lose their data unless they met ransom demands.
The global efforts came less than a day after malicious software, transmitted via email and stolen from the National Security Agency, targeted vulnerabilities in computer systems in almost 100 countries in one of the largest “ransomware” attacks on record.
The cyberattackers took over the computers, encrypted the information on them and then demanded payment of $300 or more from users to unlock the devices. Some of the world’s largest institutions and government agencies were affected, including the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service.
In Romania on Saturday, the carmaker Dacia, owned by the French carmaker Renault, sent home some employees at a large factory complex in the city of Mioveni because the attack had disrupted its systems.
Governments, companies and security experts from China to Britain raced on Saturday to contain the fallout from an audacious global cyberattack amid fears that if they did not succeed, companies would lose their data unless they met ransom demands.
The global efforts came less than a day after malicious software, transmitted via email and stolen from the National Security Agency, targeted vulnerabilities in computer systems in almost 100 countries in one of the largest “ransomware” attacks on record.
The cyberattackers took over the computers, encrypted the information on them and then demanded payment of $300 or more from users to unlock the devices. Some of the world’s largest institutions and government agencies were affected, including the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service.
In Romania on Saturday, the carmaker Dacia, owned by the French carmaker Renault, sent home some employees at a large factory complex in the city of Mioveni because the attack had disrupted its systems.
As people fretted over whether to pay the digital ransom or lose data, experts said the attackers might eventually pocket more than $1 billion worldwide before the deadline ran out to unlock the computers.
But as of Saturday afternoon, the money raised by the attackers, who demanded payment using the virtual currency Bitcoin, was much lower. Funds totaling the equivalent of about $33,000 were deposited into several Bitcoin accounts associated with the ransomware, according to Elliptic, a company that tracks online financial transactions involving virtual currencies.
That figure is likely to increase as deadlines approach for payment, security researchers said. Victims may also start digging into their wallets as others publicly confirm that paying the ransom actually unlocks their files.
“There’s no guarantee of service even if they do pay,” said Becky Pinkard, vice president for service delivery and intelligence operations at Digital Shadows, a cybersecurity firm. “No one on Twitter is going to care about your complaint on this one.”
The coordinated attack was first reported in Britain on Friday and spread globally. It has set off fears that the effects of the continuing threat will be felt for months, if not years. It also raised questions about the intentions of the hackers: Are they acting for mere financial gain or for other unknown reasons?
“Ransomware attacks happen every day — but what makes this different is the size and boldness of the attack,” said Robert Pritchard, a cybersecurity expert at the Royal United Services Institute, a research organization in London. “Despite people’s best efforts, this vulnerability still exists, and people will look to exploit it.”
While most cyberattacks are inherently global, this one, experts say, is more virulent than most. Security firms said it had spread to all corners of the globe, with Russia hit the worst, followed by Ukraine, India and Taiwan, said Kaspersky Lab, a Russian cybersecurity firm.
The attack is believed to be the first in which such a cyberweapon developed by the N.S.A. has been used by cybercriminals against computer users around the globe.
While American companies like FedEx said they had also been hit, experts said that computer users in the United States had so far been less affected than others because a British cybersecurity researcher inadvertently stopped the ransomware from spreading.
The hackers, who have yet to be identified, included a way of disabling the malware in case they wanted to shut down the attack. They included code in the ransomware that would stop it from spreading if the virus sent an online request to a website created by the attackers.
The 22-year-old British researcher, whose Twitter handle is @MalwareTechBlog and who confirmed his involvement but insisted on anonymity because he did not want the public scrutiny, found the kill switch’s domain name — a long and complicated set of letters. Realizing that the name was not yet registered, he bought it himself. When the site went live, the attack stopped spreading, much to the researcher’s surprise.
“The kill switch is why the U.S. hasn’t been touched so far,” said Matthieu Suiche, founder of Comae Technologies, a cybersecurity company in the United Arab Emirates. “But it’s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”
OPEN Graphic Across Asia, universities, companies and other organizations said they had been affected.
In Taiwan, threads soon began popping up on the popular online message board PTT with users’ tales of how their computers had been infected and tips on how to avoid the virus.
In China, the virus hit the computer networks of both companies and universities, according to the state-run news media. News about the attack began trending on Chinese social media on Saturday. Most attention was focused on university networks, where there were concerns about students losing access to their work.
Newsletter Sign Up
Thank you for subscribing.
An error has occurred. Please try again later.
You are already subscribed to this email.
View all New York Times newsletters.
The attack spread like wildfire in Europe, including to companies like Deutsche Bahn, the German transport giant, and Telefónica, a Spanish telecommunications firm, though no major service problems had been reported across the region’s transportation or telecommunications networks.
Nissan, the Japanese auto giant, said its manufacturing center in Sunderland in the north of England had been affected. A spokesman declined to comment on whether production had stopped.
In Britain, the National Health Service may be one of the largest institutions affected worldwide. It said that 45 of its hospitals, doctors’ offices and ambulance companies had been crippled. Surgical procedures were canceled and some hospital operations shut down as government officials struggled to respond to the attack.
“We are not able to tell you who is behind that attack,” Amber Rudd, Britain’s home secretary, told the BBC on Saturday. “That work is still ongoing.”
In Russia, Leonid Levin, the chairman of the parliamentary committee on information policy, said the attack showed the need for the country to add to legislation protecting “critical information infrastructure.” That body of laws has drawn criticism in recent years from rights groups for blocking the free flow of information into and out of Russia.
On Saturday, Russian news reports detailed attacks against computers used by the country’s traffic police to deliver new drivers’ licenses. The report followed confirmation that more than 1,000 computers using the Windows operating system had been affected at the country’s Interior Ministry.
The cyberattack was able to spread so quickly in part because of its high level of sophistication. The malware, experts said, was based on a method that the N.S.A. is believed to have developed as part of its arsenal of cyberweapons. Last summer, a group calling itself the “Shadow Brokers” posted online digital tools that it had stolen from the United States government’s stockpile of hacking weapons.
The connection to the N.S.A. is likely to draw further criticism from privacy advocates who have repeatedly called for a clampdown on how the agency collects information online.
Industry officials said law enforcement officials would find it difficult to catch the ringleaders, mostly because such cyberattacks are borderless crimes in which the attackers hide behind complex technologies that mask their identities. And national legal systems were not created to handle such global crimes.
Brian Lord, a former deputy director for intelligence and cyberoperations at Government Communications Headquarters, Britain’s equivalent to the N.S.A., said that any investigation, which would include the F.B.I. and the National Crime Agency of Britain, would take months to identify the attackers, if it ever does.
By focusing on large institutions with a trackrecord of not keeping their technology systems up-to-date, global criminal organizations can cherry-pick easy targets that are highly susceptible to such hacks, Mr. Lord said.
“It was well thought-out, well timed and well coordinated,” he said of the current attack. “But, fundamentally, there is nothing unusual about its delivery. It is still fundamentally robbery and extortion.”
Microsoft took the unusual step of releasing free security patches for older versions of Windows, including Windows XP, that it no longer routinely updates. It said the patches could help protect users from attacks, which have not targeted Windows 10, the latest edition of the software.
“Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful,” Phillip Misner, principal security group manager at Microsoft’s security response center, wrote in a blog post.
Yet security experts said the software upgrade, while laudable, came too late for many of the tens of thousands of machines that were locked and whose data could be erased.
We’re interested in your feedback on this page. Tell us what you think.
