Cyber Security Experts Say Malware Used In Friday's Attack Is Especially Malicious

Cybersecurity professionals from more than 100 countries are working to restore computer systems that were paralyzed by Friday's unprecedented global ransomware attack.

MARY LOUISE KELLY, HOST:

We begin with that huge cyberattack that hit tens of thousands of computers all over the world. In a moment, we'll hear from a former Pentagon official who had to defend the U.S. from attacks like this. But first, NPR's Jim Kane reports on the effort to restore computer systems that were paralyzed by Friday's attack.

JIM KANE, BYLINE: Europol, the European Union's police agency, said the attack was at an unprecedented level, requiring a complex investigation. It began in Spain when screens at a telecom company began to display a pop-up message announcing your files have been encrypted and demanding a bitcoin payment of $300 to save the files from being deleted.

And then the attack began to spread to other computers, other organizations, other countries - more than 100 countries in all - including Russia, China, India, the U.S. and England's National Health Service, where 16 hospitals were affected. Cybersecurity experts say this piece of malware had an especially malicious quality. Mark Nunnikhoven is vice president of cloud research at the security software company Trend Micro.

MARK NUNNIKHOVEN: The initial infection is done because of an action that the user has been tricked into taking, but subsequent infections on the same network are done without any user interaction at all. And that's why we're seeing this massive explosion of infections.

KANE: Where did the ransomware originate? While experts don't know who sent it, many believe it was stolen from the National Security Agency. Nunnikhoven says it appears whoever sent the malware got it from hacking tools released online last month.

NUNNIKHOVEN: This underground group, The Shadow Brokers, released a number of tools that they claimed came from the NSA. And, of course, very difficult to verify whether that's correct or not, but that's generally the common belief.

KANE: Whatever its source, the malware contained a flaw. It was designed to look for a certain domain name, and as long as it didn't find an active website with that name it would continue to spread. A British cybersecurity researcher noticed that, bought the domain name and activated it. And that slowed the spread of the attack. But not for long. Matt Suiche is the founder of the cybersecurity company Comae Technologies.

MATT SUICHE: This is only temporary. I'm sure the attacker will provide a fix to the malware very quickly if they didn't already.

KANE: While the malware may have originated with the NSA, cyber experts say it doesn't appear that any government is behind this attack. Mark Nunnikhoven says this appears to be a simple case of ransom for money.

NUNNIKHOVEN: They went for the biggest return on their investment they could by hitting as many people as quickly as possible so that everybody was scrambling to defend.

KANE: For computers that haven't been attacked, Microsoft has sent out software patches even for older operating systems it doesn't support anymore, like Windows XP. Companies, governments and individuals are installing that patch and taking a hard look at their cybersecurity systems with an eye toward the next attack. Jim Kane, NPR News.

Copyright © 2017 NPR. All rights reserved.