LONDON - As many as 74 countries have been hit by a huge, fast-moving and global ransomware attack that locks computers and demands the digital equivalent of $300 per computer, Kaspersky Lab, a Russian-based cybersecurity company, said Friday.
The infections have disabled more than a dozen hospitals in the United Kingdom, Spain's largest telecom company and universities in Italy as well as some FedEx computers. The payment was demanded per computer, to be paid in Bitcoin, an untraceable digital currency.
Infected computers showed a screen giving the user three days to pay the ransom. After that, the price would be doubled. After seven days the files would be deleted, it threatened.
In Spain, the largest telecommunications company reportedly would have had to pay close to $550,000 to unlock all the encrypted computers hit on its network.
The ransomware code is named WanaCrypt and has been in use by criminals since at least February. It is available in at least 28 languages, including Bulgarian and Vietnamese, according to Avast, a Czech security company that is following the fast-moving attack.
However, a new variant dubbed WannaCry was created that makes use of a vulnerability in the Windows operating system that was patched by Microsoft on March 14. Computers that have not installed the patch are potentially vulnerable to the malicious code, according to a Kaspersky Lab blog post on Friday.
The ransomware is believed to be linked to an exploit, computer code that takes advantage of a computer vulnerability, known to have been used by the Equation Group, which many in the security world believe is connected to the National Security Agency (NSA).
That exploit was one of many hacking tools stolen from the NSA and later published online by a group that called itself the Shadow Brokers, according to Avast.
That group has been leaking pieces of more than a gigabyte worth of older NSA software weapons since August.
Avast has recorded over 50,000 attacks globally as of Friday afternoon. The majority are targeted at Russia, the Ukraine and Taiwan but have also hit multiple other countries. Russia’s Interior Ministry said Friday it had come under cyberattack.
Services in London, the central city of Nottingham, and the counties of Hertfordshire and Cumbria were affected, according to the BBC. The National Health Service (NHS) said 16 of its organizations reported they were victims.
The hackers behind the "ransomware" attack were demanding $300 worth of the online currency Bitcoin to release files from encryption, the Mirror and Telegraph reported.
In a statement, the NHS said: "A number of NHS organizations have reported to NHS Digital that they have been affected by a ransomware attack which is affecting a number of different organizations. The investigation is at an early stage but we believe the malware variant is Wanna Decryptor."
"At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organizations to confirm this."
The NHS said the attack was not specifically targeted at the NHS and was affecting other organizations. It said it was working to resolve the problem.
Hackers behind the Wanna Decryptor virus, a type of malware, often ask users for money to retrieve access to files they have encrypted.
NHS Merseyside, which operates a number of hospitals in northwestern England, tweeted, “we are taking all precautionary measures possible to protect our local NHS systems and services.” The NHS Merseyside website was down Friday afternoon local time.
East and North Hertfordshire NHS Trust, which runs four hospitals north of London, said in a statement: "Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust’s telephone system is not able to accept incoming calls.”
It said it was postponing all non-urgent work and asked people not to come to the accident and emergency unit.
Doctors at some surgeries were forced to use pen and paper to record patient details following the attack, local media reported.
John Caldwell, a doctor in Liverpool, told the Guardian he had “no access to record systems or results."
Chris Mimnagh, another doctor in Liverpool, told the Guardian: “Unable to access our clinical system – as a precaution our area has severed links to the wider NHS, which means no access to our national systems, no computers means no records, no prescriptions, no results. We are dealing with urgent problems only. Our patients are being very understanding so far.”
NHS Million, a campaign which supports NHS staff and is separate from the NHS, tweeted: "We just don't understand the mentality of some people. The only people suffering are people that need emergency care. #nhscyberattack"