New global cyber attacks on the scale of the one on Friday will happen more and more often, experts are warning.
Meanwhile, an international manhunt is under way to find those responsible for a massive global cyberattack that hit as many as 100 countries. Researchers with the security software maker Avast said they had observed more than 126,000 ransomware infections, with 60% of infected computers located in Russia, followed by Ukraine and Taiwan.
The global cyber attack that is now receding forced a European carmaker to halt some production lines, hit Russian computers with more than half of suspected infections, struck schools in China and hospitals in Indonesia, though it appeared to be dying down on Saturday.
The cyber assault, launched on Friday, has infected tens of thousands of computers in 104 countries, with Britain’s health system suffering the worst known disruptions.
In Asia, some hospitals, schools, universities and other institutions were affected, though the full extent of the damage is not yet known.
The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.
Cyber extortionists tricked victims into opening malware attachments in spam emails that seemed to contain invoices, job offers, security warnings and other seemingly legitimate files.
Once inside the targeted network, so-called ransomware made use of recently revealed spy tools to silently infect other out-of-date machines without any human intervention. This, security experts said, marked an unprecedented escalation in the risk of fresh attacks spreading in the coming days and weeks.
The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Researchers observed some victims paying via the digital currency bitcoin, though no one knows how much may have been transferred to extortionists because of the largely anonymous nature of such transactions.
The hackers, who have not come forward to claim responsibility or otherwise been identified, took advantage of a worm, or self-spreading malware, by exploiting a piece of NSA spy code known as “Eternal Blue” that was released last month by a hacker group known as the Shadow Brokers, according to researchers with several private cyber security firms.
Renault said it had halted auto production at several sites including Sandouville in northwestern France and plants of Renault-owned Dacia of Romania on Saturday to prevent the spread of ransomware in its systems.
Nissan’s manufacturing plant in Sunderland, northeast England, was also affected by the cyber assault though “there has been no major impact on our business”, a spokesman for the Japanese carmaker said.
German rail operator Deutsche Bahn said some electronic signs at stations announcing arrivals and departures were infected, with travelers posting pictures showing some bearing a message demanding a cash payment to restore access.
Europol’s European Cybercrime Centre said it was working closely with country investigators and private security firms to combat the threat and help victims. “The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” it said in a statement.