Home / Archive / Global Bitcoin Extorting Ransomware Campaign Hits as Many as 74 Countries

Global Bitcoin Extorting Ransomware Campaign Hits as Many as 74 Countries

Last Updated March 4, 2021 4:56 PM
Francisco Memoria
Last Updated March 4, 2021 4:56 PM

Several major companies all over the world, including telecommunications companies and England’s National Health Service (NHS), are currently being targeted by a massive ransomware campaign that has already caused chaos in the affected organizations. Security researchers have allegedly identified the ransomware strain WannaCry, even though the attack’s origin is still unknown.

According to reports, the first company to identify the attack was Telefónica, a Spanish multinational broadband and telecommunications provider. Telefónica’s computers had their monitors turn blue, as some reported seeing a ransomware message demanding $300 in bitcoin appear.

By then, cybersecurity expert Jakub Kroustek tweeted out that 36,000 WannaCry instances had already been detected, mainly in Russia, Ukraine and Taiwan.

Even though the Spanish company’s clients are safe, other companies including utility provider Gas Natural and power firm Iberdrola have also suffered from the attack. An image of what victims see on their computers, which sees the text translated according to the country, has been circulating the web:

According to Business Insider, as many as 74 different countries have been attacked , even though most reports are coming in from countries in Europe. The Telegraph has pointed out that Romania’s intelligence service has managed to intercept  an attempted cyberattack on a government institution. The attack, according to the source, allegedly came from cybercriminal group APT28, a group that is also known as Fancy Bear.

Attack’s effects in Portugal

Several organizations in Portugal, one of the first countries to report the attack, have been affected. These include financial institutions such as Caixa Geral de Depósitos and Banco Português de Investimento (BPI), as well as telecommunications companies such as Portugal Telecom (PT) and NOS.

Employees at PT have reportedly received an internal message, that reads:

“An international cyberattack has been detected, with impact in several countries, namely Portugal, affecting different companies. For security reasons, power-off your Windows PC and disconnect it from the network. Wait for new directions”

The company has also alerted its clients that dangerous malware is currently circulating the web. Energy provider EDP has reportedly cut off internet access  in order to secure its systems from the attack, after talking to the country’s cybersecurity authority, Centro Nacional de Cibersegurança (CNCS) and the Judicial Police . A translated statement reads:

“Taking into account the massive attack that has been occurring to major organizations in the Iberian Peninsula, EDP […] decided to cut off internet access in its network, as a preventive measure, and hasn’t yet recorded incidents in its system”

Searching for a possible cause, the CNCS has pointed out a Microsoft update, from May 8, in which the company fixed a vulnerability in the Microsoft Malware Protection Engine (MSMpEng), the core of several Microsoft security tools such as Windows Defender and Microsoft Endpoint Protection, that had been discovered by two security experts at Google.

Reportedly, the vulnerability Microsoft took care of could be exploited  without the need for user interaction and was present by default in every Windows machine, exposing millions of PC’s to remote hacking. Reading Microsoft’s security advisory 4022344  has been recommended.

UK’s NHS severely hit by the campaign

According to Business Insider, the UK’s NHS has been severely affected , so much so that hospitals are being closed, and operations are being cancelled throughout the country. Some NHS organizations are even asking people to only use the A&E in case of emergency. The attack has forced doctors to use pen and paper, as the hospitals’ systems are down. The UK’s Prime Minister, Theresa May, has already reacted  to the situation.

It is well-known that health care facilities are primary targets for ransomware, as patient care cannot be delayed and thus these facilities are often forced to pay extortionists. Several cybersecurity companies have warned that medical records are worth a lot on the deep web, as this type of information can be used in malicious ways.

ActionFraud, Britain’s fraud and cyber reporting center has confirmed the NHS has been hit and that the extortionists are currently demanding $300 in bitcoin. It is currently working with the NCA’s National Cyber Crime Unit (NCUU) on a solution.

How the massive attack came to be

According to reports , a hacking tool developed and used by the U.S. National Security Agency (NSA) known as DoublePulsar might have been used in the campaign.

DoublePulsar is essentially a malware downloader that helps potent malware reach infected computers. The tool was designed not to persist on a user’s computer and has recently been revealed by the hacking group Shadow Brokers.

Microsoft had already patched the flaw  that allowed DoublePulsar to function. However, a security researcher has come forward with a tool  that helps users see if they are, or not, infected- according to his tool, the number of infected computers may be as high as 100,000.

All affected organizations are reportedly working with authorities in order to mitigate the threat and investigate its cause.

Featured image from Shutterstock.