A ransomware cyber-attack that may have originated from the theft of “cyber weapons” linked to the US government has hobbled hospitals in England and spread to countries across the world.

Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 99 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.

By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.

Markus Jakobsson, chief scientist with security firm Agari, said that the attack was “scattershot” rather than targeted.

“It’s a very broad spread,” Jakobsson said, noting that the ransom demand is “relatively small”.

“This is not an attack that was meant for large institutions. It was meant for anyone who got it.”

The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA). At the time, there was skepticism about whether the group was exaggerating the scale of its hack.

On Twitter, whistleblower Edward Snowden blamed the NSA.



“If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened,” he said.

“It’s very easy for someone to say that, but the reality is the US government isn’t the only one that has a stockpile of exploits they are leveraging to protect the nation,” said Jay Kaplan, CEO of Synack, who formerly worked at the NSA.



“It’s this constant tug of war. Do you let intelligence agencies continue to take advantage of vulnerabilities to fight terrorists or do you give it to the vendors and fix them?”

The NSA is among many government agencies around the world to collect cyber weapons and vulnerabilities in popular operating systems and software so they can use them to carry out intelligence gathering or engage in cyberwarfare. The agency did not immediately respond to a request for comment.

Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack used malicious software called “WanaCrypt0r 2.0” or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.

“This was eminently predictable in lots of ways,” said Ryan Kalember from cybersecurity firm Proofpoint. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realized that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”

The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the “payment will be raised” after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.

“Attacks with language support show a progressive increase of the threat level,” Jakobsson said.

The attack hit England’s National Health Service (NHS) on Friday, locking staff out of their computers and forcing some hospitals to divert patients.

“The attack against the NHS demonstrates that cyber-attacks can quite literally have life and death consequences,” said Mike Viscuso, chief techology officer of security firm Carbon Black. “When patients’ lives are at stake, there is no time for finger pointing but this attack serves as an additional clarion call that healthcare organizations must make cybersecurity a priority, lest they encounter a scenario where lives are risked.”

Ransomware attacks are on the rise. Security company SonicWall, which studies cyberthreats, saw ransomware attacks rise 167 times in 2016 compared to 2015.

“Ransomware attacks everyone, but industry verticals that rely on legacy systems are especially vulnerable,” said Dmitriy Ayrapetov, executive director at SonicWall.

A Los Angeles hospital paid $17,000 in bitcoin to ransomware hackers last year, after a cyber-attack locked doctors and nurses out of their computer system for days.

Jakobsson said that the concentration of the attack in Russia suggested that the attack originated in Russia. Since the malware spreads by email, the level of penetration in Russia could be a sign that the criminals had access to a large database of Russian email addresses.

However, Jakobsson warned that the origin of the attack remains unconfirmed.