An aggressive wave of cyberattacks hit companies and public institutions around the globe Friday, causing international havoc and bringing many services to a standstill. Computers were locked up and users’ files held for ransom when dozens of countries were hit in a cyberextortion attack that targeted hospitals, companies and government agencies.
What is ransomware?
Ransomware is a type of malware that attempts to extort a computer user for money. In some cases, the ransomware encrypts certain files and holds them hostage. In other cases, as happened Friday, it locks a user out of their entire computer system until a ransom is paid. Some ransomware that encrypts files increases the stakes after a few days, demanding more money and threatening to delete files altogether.
Steps of ransomware infection
A ransomware infection usually takes these five steps.
1. The user downloads malware from an infected website or email.
2. The initial malware hijacks the user’s browser and redirects it to a malicious site.
3. Part of the malware, called an exploit kit, looks for vulnerabilities in the user’s system.
4. Once a vulnerability is found, a malicious payload is downloaded onto the victim’s computer.
5. Then the malware calls home with sensitive data from the user’s computer. In the case of ransomware, the malware attempts to extort the user for money.
The ransomware program that spread Friday is not just malware, it is also a worm. This means that the malware gets into a computer and looks for other computers to try and spread itself as far as possible.
Do ransomware attacks generate money for the hackers?
Yes, they can. A hospital system in Los Angeles paid about $17,000 earlier this year following an attack that blocked hospital employees from using email and other forms of electronic communication by using encryption to lock them out of the system. The hackers even set up a help line to answer questions about paying the ransom.
Security industry experts say such attacks are becoming more prevalent, but are rarely made public.
How is the NSA involved?
The hackers appear to have used a technique that was discovered by the National Security Agency and was leaked online in April by a group calling itself the Shadow Brokers.
The malware is exploiting a flaw in Microsoft software. Microsoft created a patch to fix the flaw earlier this year, but not all businesses have updated their operating systems.
Who carried out the attack?
Investigators are pursuing information, but have not said if they have any strong leads. Officials say they believe the attack is the work of criminals and not a foreign government. The original hacking tool was apparently stolen from the NSA and leaked online by the Shadow Brokers, but officials do not know who that group is or whether they carried out this attack.
How to keep your computer safe
Microsoft released a patch in March that fixes the specific vulnerability exploited in this attack. The U.S. Department of Homeland Security is urging people to take three steps.
1. Update your systems to include the latest patches.
2. Do not click on or download unfamiliar links or files in emails.
3. Back up your data to prevent possible loss.