By Reaper (Reporter)

Huge Ransomware Attack Spreads Across Globe: What to Do




A massive ransomware attack spread across the globe today (May 12), with reports of computer systems being locked up in Russia, Western Europe, East Asia and North America. British hospitals and a Spanish telecom were the most visible victims, but the largest number of attacks seemed to be in Russia.

 

A WanaCrypt ransom screen, as captured by French malware hunter Kafeine. Credit: Kafeine

 

What you need to do: If you’ve not installed the March, April or May Windows Update bundles, do so immediately. It’s worth shutting down your system for a few minutes if it gives you a chance to avoid this. If you’re still using Windows XP, you’re out of luck, but the March and April update bundles should be available to Windows Vista.

The ransomware, variably called WanaCryptor 2.0, WannaCry, WCry or WCrypt, seemed to be using an exploit that was developed years ago by the U.S. National Security Agency (NSA) and revealed publicly in a WikiLeaks data dump last month. Microsoft secretly patched Windows against the attack in March, but many systems in large organizations had apparently not been updated.


Global impact

Several hospital systems in England reported that their computer screens displayed a message demanding $300 in Bitcoin. The Spanish telecommunications giant Telefonica had its systems brought down by ransomware that showed a ransom screen nearly identical to those hitting English hospitals, according to a report by the newspaper El Mundo.

A live interactive map posted on the British tech blog MalwareTech showed infections in the United States, Canada, Mexico, and most countries in South America and East Asia. But Europe, including Russia, appeared to have the densest concentration.

ZDNet reported that at least 16 National Health Service (NHS) hospital systems in England had been hit by the ransomware, and that the infections had appeared in Scotland as well. The BBC raised that number to 25 hospital systems, and said that Prime Minister Theresa May was being kept informed of the situation. English and Scottish hospitals were reportedly postponing appointments and directing patients to unaffected facilities.

Russian antivirus firm Kaspersky Lab said it had detected more than 45,000 infections in 74 countries, the vast majority of them in Russia. The Czech antivirus firm Avast detected 57,000, with the worst-affected countries being Russia, Ukraine and Taiwan. England’s NHS and Spain’s computer emergency response team each issued public warnings.

A Twitter feed purportedly belonging to a hacktivist group calling itself SpamTech claimed responsibility for the attack, stating that “The ‘WannaCry/WCRY’ was created by one of our members. We’ve taken over NHS computers and major engineering operation components.” The group didn’t offer any proof to verify its claim.

Spreads on its own

The ransomware appears to be “wormable.” In other words, it’s spreading from system to system by itself as a computer worm, rather than relying on human interaction as a Trojan horse, or infecting desktop applications like a traditional computer virus.

“Something like this is incredibly significant,” tweeted the blogger behind MalwareTech. “We’ve not seen P2P” — malware jumping from one “peer” computer to another — “spreading on PC via exploits at this scale in nearly a decade.”

Other experts compared today’s infection to the Conficker worm, which continues to attack computer systems around the world despite the fact that the security flaw it exploits was patched in 2008.

However, Conficker does no immediate damage and hides so that it can use infected computers as part of a “botnet” to send out spam and fake antivirus software. The worm spreading today immediately alerts the user to its presence, displaying two countdown clocks: the first tied to a deadline when the ransom amount will increase, the second to when all encrypted files will be deleted.


The $300 ransom demand — in some instances, $600 — indicates that hospitals and other large organizations do not appear to have been selected as targets, but rather infected randomly. In previous ransomware attacks against large institutions, cybercriminals running the malware have raised ransom demands into tens of thousands of dollars once they’ve realized the value of the infected systems.

Image, movie, email, database and Microsoft Office files were among those targeted for encryption, as were files containing encryption keys.

Some of the victims seemed to be paying up, with two of the Bitcoin wallets specified as recipients by the ransomware screens reporting 16 payments today totaling about $4,675.

“One thing is for sure,” said Rich Barger, director of cyber research at database-software maker Splunk, in a statement. “Somebody is going to get very rich, or spend a very long amount of time in jail.”

Ties to the NSA

At least two reports said the WanaCryptor ransomware was using an NSA exploit called ETERNALBLUE that was revealed in a cache of files posted online by WikiLeaks on April 14. Encrypted files are given the file suffix “.wncry”.

ETERNALBLUE exploits a previously unknown flaw in Microsoft’s Server Message Block (SMB) protocol. (SMB lets machines on the same network share access to printers, files, network ports and other objects.) ETERNALBLUE and several other exploits were purportedly given to WikiLeaks by a group calling itself ShadowBrokers, which last summer tried and failed to auction off a large amount of information the group said had been stolen from the NSA.

The public disclosure of ETERNALBLUE’s code by WikiLeaks caused a moderate amount of panic in the information-security world, until Microsoft revealed the day after the WikiLeaks dump that it had quietly patched the SMB flaw — and several others mentioned in the WikiLeaks dump — a month earlier, with the March “Patch Tuesday” security updates.
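The “.wncry” suffix mentioned above gives responders a quick way to scope the damage on a disk or file share. The script below is an added example, not part of the original story: it groups files carrying that suffix by directory and reports the earliest modification time among them. The case-insensitive match, the use of modification time as a rough onset estimate, and the sample tree are assumptions made for the illustration.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

SUFFIX = ".wncry"  # suffix the article reports for encrypted files

def scan_for_encrypted(root, suffix=SUFFIX):
    """Walk root and group files carrying the suffix by directory."""
    hits = defaultdict(list)
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            # Assumption: match case-insensitively, as Windows file systems do.
            if name.lower().endswith(suffix):
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.lstat(path).st_mtime
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                hits[dirpath].append((name, mtime))
    return hits

def summarize(hits):
    """Return (total files, earliest mtime, directories ranked by hit count)."""
    total = sum(len(v) for v in hits.values())
    earliest = min((m for v in hits.values() for _, m in v), default=None)
    ranked = sorted(hits, key=lambda d: len(hits[d]), reverse=True)
    return total, earliest, ranked

def build_sample_tree(root):
    """Constructed sample data: a small tree with some files renamed."""
    layout = {"docs": ["report.docx.wncry", "budget.xlsx.WNCRY", "notes.txt"],
              "photos": ["cat.jpg.wncry"],
              "clean": ["readme.md"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for i, name in enumerate(names):
            path = os.path.join(root, sub, name)
            with open(path, "wb") as fh:
                fh.write(b"x")
            os.utime(path, (1494580000 + i, 1494580000 + i))  # constructed times
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        total, earliest, ranked = summarize(scan_for_encrypted(build_sample_tree(tmp)))
        when = datetime.fromtimestamp(earliest, tz=timezone.utc).isoformat()
        print(f"{total} files with {SUFFIX}; earliest modified {when}")
        for d in ranked:
            print("  ", os.path.relpath(d, tmp))
```

Point `scan_for_encrypted` at a mounted share or a forensic copy rather than a live infected host, so the scan itself does not alter timestamps.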

 



