1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

Spread of global cyberattack curbed - for now

May 13, 2017

The spread of a global cyberattack appears to have slowed after a researcher accidentally found a "kill switch." The breakthrough won't help fix systems worldwide that are already crippled by ransom-demanding malware.

Symbolbild Hackerangriff
Image: picture alliance/dpa

Governments and companies on Saturday scrambled to respond to a global cyberattack that hit computers in nearly 100 countries. Extortionists on Friday used malicious software to exploit a vulnerability in Windows operating systems to infect thousands of computers with a variant of WannaCry ransomware.

The spread of the ransomware appeared to have stopped on Saturday after a security researcher registered a domain name connected to the malware. 

The researcher, tweeting as @MalwareTechBlog, said the discovery was accidental but that registering the domain name triggered a "kill switch." A young cybersecurity researcher has been credited with the discovery of the kill switch.

Computers already infected by the malware would, however, not be helped by the fix.

Cybersecurity experts said that after the domain was registered the number of new infections dropped. 

"We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain," Vikram Thakur, principal research manager at Symantec, told the Reuters news agency. "The numbers are extremely low and coming down fast."

More attacks likely in future

DW technology correspondent Konstantin Klein warned that the malware can be easily rewritten and relaunched. 

"An attack like this will be launched in future as well," he said, adding that the attack appeared to be run by sophisticated criminal hackers or an individual. 

The attackers may yet tweak the code and restart the cycle, according to Reuters. Researchers said the kind of virus deployed in the latest attack is likely to be used for fresh assaults, not just with ransomware but other malware used to break into firms, seize control of networks and steal data.

The ransomware's mechanism of operation is believed to have originally been exposed in documents leaked from the US National Security Agency (NSA).

One of largest cyberattacks ever

Ransomware locks up computer systems by encrypting files and data, demanding users pay a fee - in this case $300 (275 euros) - in the virtual currency Bitcoin to recover the files. Payment is demanded in three days or the price is doubled. After seven days, it threatens to delete all files.

"This is one of the largest global ransomware attacks the cyber community has ever seen," Rich Barger, director of threat research with Splunk, told Reuters.

The security firm and others have linked WannaCry to a NSA hacking code known as "Eternal Blue" that was leaked last month by hacking group Shadow Brokers. It is unclear who led the ransomware attack or from which country.

Computer security firm Kaspersky Labs meanwhile said it was trying to determine whether it could develop a tool to decrypt data locked in the attack. 

Cybersecurity software company Avast said it had detected 57,000 infections in 99 countries, with Russia, Britain, Ukraine and Taiwan being the hardest hit.

NHS, Deutsche Bahn, Renault and Nissan among those hit

Friday's wave of attacks hit several high-profile organizations, including Britain's National Health Service (NHS), Russia's Interior Ministry, French carmaker Renault, Spanish telecommunications giant Telefonica, international shipper FedEx and German rail operator Deutsche Bahn. 

The attack on NHS wreaked havoc on the British health care system, with a number of hospitals and clinics turning away patients and forcing ambulances to divert to neighboring hospitals. The Health Service Journal reported that X-ray imaging systems, pathology test results and patient administration systems were all hit. About 30 health service organizations were affected in total in England and Scotland, Britain's Press Association reported.

"We are very aware that attacks on critical services such as the NHS have a massive impact on individuals and their families, and we are doing everything in our power to help them restore these vital services," said Ciaran Martin, who is head of Britain's National Cyber Security Centre.

Nissan's manufacturing plant in Sunderland, northeast England, has also been affected by the cyberattack, a spokesman for the Japanese carmaker said.

"Like many organizations around the world, some Nissan entities were recently targeted by a ransomware attack. Our teams are responding accordingly and there has been no major impact on our business," he said in a statement.

Meanwhile, Russia's Interior Ministry reported that roughly 1,000 of its computers had been infected, but that the ministry's servers had not been impacted. The central bank said it was also targeted, but that its systems were not compromised. 

Deutsche Bahn said destination boards at several train stations had been infected but that transportation had not been impacted. The attack also affected the rail operator's video surveillance technology.


Deutschland Weltweite Cyber-Attacke - Hauptbahnhof Chemnitz
Deutsche Bahn departure displays were hit by the ransomwareImage: picture-alliance/dpa/P. Götzelt

Britain's National Cyber Security Centre and Spain's National Center for the Protection of Critical Infrastructure said they were working with companies hit or potentially targeted by the attack. The US Department of Homeland Security said it has shared information with domestic and international partners. 

Microsoft has released Windows updates to defend against WannaCry. It issued a patch in March to protect against Eternal Blue.

cw,ss/rc (AFP, dpa, Reuters)

Skip next section Explore more
Skip next section DW's Top Story

DW's Top Story

A bombed out building in Mariupol
Skip next section More stories from DW
Go to homepage