'We haven't fully dodged this bullet': Cyberattack havoc could grow as work week begins

An unprecedented "ransomware" cyberattack that has already hit tens of thousands of victims in 150 countries could wreak even more havoc Monday as people return to their desks and power up their computers at the start of the work week.

Cybersecurity expert tells CBC News some Canadian organizations have been affected

A window announcing the encryption of data including a requirement to pay appears on an electronic timetable display at the railway station in Chemnitz, Germany, on Friday. Officials are urging companies to update their operating systems immediately. (P. Goetzelt/AFP/Getty Images)

Officials and experts on Sunday urged organizations and companies to update their operating systems immediately to ensure they aren't vulnerable to a second, more powerful version of the malicious software, dubbed WannaCry. The cyberattack paralyzed computers that run Britain's hospital network, Germany's national railway and scores of other companies and government agencies worldwide.

Researchers discovered at least two variants of the rapidly replicating worm Sunday and one did not include the so-called kill switch that allowed them to interrupt its spread Friday by diverting it to a dead end on the internet.

Ryan Kalember, senior vice-president at Proofpoint Inc., said the version with no kill switch was able to spread but it contained a flaw that wouldn't allow it to take over a computer and demand ransom to unlock files. However, he said it's only a matter of time before such a version exists.

"I still expect another to pop up and be fully operational," Kalember said. "We haven't fully dodged this bullet at all until we're patched against the vulnerability itself."

The 200,000 victims included more than 100,000 organizations, Europol spokesman Jan Op Gen Oorth told The Associated Press. He said it was too early to say who was behind the onslaught and what their motivation was, aside from the obvious demand for money. So far, he said, not many people have paid the ransom demanded by the malware.

The British hospital system was among the first to be hit by the global 'ransomware' cyberattack on Friday. (Stefan Wermuth/Reuters)

Account addresses hard-coded into the malicious WannaCry software code appear to show the attackers had received just under $32,500 US in anonymous bitcoin currency as of 7 a.m. on Sunday.

The effects were felt across the globe, with Britain's National Health Service, Russia's Interior Ministry and companies including Spain's Telefonica, FedEx Corp. in the U.S. and French carmaker Renault all reporting disruptions.

Canada affected, expert says

Matthew Tait, a cybersecurity expert and founder of U.K.-based Capital Alpha Security, told CBC News Network that "a number of" organizations and individuals in Canada have been affected, but that many of them haven't been forthcoming with that information.

"This is a global attack," Tait said. "This has affected all countries and Canada is no exception there."

Lakeridge Health, a hospital in Oshawa, Ont., said it appeared the ransomware threatened its computer system, but a spokesman said the facility's system was able to deflect the attack.

Canada's Communications Security Establishment said the federal government is "well placed to defend against these global attacks. There is no indication that any information, personal or otherwise, was compromised" in Government of Canada systems.

A spokesperson for Public Safety Minister Ralph Goodale said the government doesn't comment on specific threats, but that the Canadian Cyber Incident Response Centre is focused on protecting vital systems outside the government, including hospitals. 

British researcher slowed attack

Had it not been for a young British cybersecurity researcher's accidental discovery of a so-called "kill switch," the malicious software likely would have spread much farther and faster.

The 22-year-old researcher known as "MalwareTech," who wanted to remain anonymous, said he spotted a hidden web address in the "WannaCry" code and made it official by registering its domain name. That move, which cost just $10.69, redirected the attacks to the server of Kryptos Logic, the security company where he works. The server operates as a "sinkhole" to collect information about malware — and in Friday's case kept the malware from escaping.

Security officials urged organizations to protect themselves by installing security fixes right away, running antivirus software and backing up data elsewhere.

"Just patch their systems as soon as possible," MalwareTech said. "It won't be too late as long as they're not infected. It should just be a case of making sure installing updates is enabled, installing the updates, and reboot."

Self-replicates like a virus

The ransomware appeared to exploit a vulnerability in Microsoft Windows that was purportedly identified by the U.S. National Security Agency for its own intelligence-gathering purposes. The NSA tools were stolen by hackers and dumped on the internet.

Experts say this vulnerability has been understood for months, yet too many groups failed to take it seriously. Microsoft had "patched," or fixed, it in updates of recent versions of Windows since March, but many users did not apply the software fix.

Worse, the malware was able to create so much chaos because it was designed to self-replicate like a virus, spreading quickly once inside university, business and government networks.

Microsoft was quick to change its policy, announcing free security patches to fix this vulnerability in the older Windows systems still used by millions of individuals and smaller businesses. Before Friday's attack, Microsoft had made fixes for older systems, such as 2001's Windows XP, available only to those who paid extra for extended technical support.

The attack is the latest example of why the stockpiling of vulnerabilities by governments is such a problem, Microsoft president and chief legal officer Brad Smith said in a blog post.

"The governments of the world should treat this attack as a wake-up call," Smith wrote. "We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

U.S. President Donald Trump on Friday night ordered his homeland security adviser, Tom Bossert, to convene an "emergency meeting" to assess the threat posed by the global attack, a senior administration official told Reuters.

Senior U.S. security officials held another meeting in the White House Situation Room on Saturday, and the FBI and the National Security Agency were working to help mitigate damage and identify the perpetrators of the massive cyberattack, said the official, who spoke on condition of anonymity to discuss internal deliberations.

Pay or lose files

"The problem is the larger organizations are still running on old, no-longer-supported operating systems," said Lawrence Abrams, a New York-based blogger who runs BleepingComputer.com. "So they no longer get the security updates they should."

Short of paying, options for those already infected are usually limited to recovering data files from a backup, if available, or living without them.

The cyberextortion attack exploited a known and highly dangerous security hole in Microsoft Windows. (Michel Euler/Associated Press)

British cybersecurity expert Graham Cluley doesn't want to blame the NSA for the attack, though he said they have a duty to citizens who "are living an online life."

"Obviously, they want those tools in order to spy on people of interest, on other countries, to conduct surveillance," Cluley said. "It's a handy thing to have, but it's a dangerous thing to have. Because they can be used against you. And that's what's happening right now."

With files from CBC News and Reuters