Bitcoin’s price fell yesterday by more than $200 following widespread news of a global wave of ransomware attacks affecting up to 100 countries, including Spain, the US, Russia, the UK, China, Italy, Vietnam and others.
Britain’s National Health Service was particularly affected, with up to 40 hospitals unable to access IT systems or patient data such as medical history, forcing them to go back to pen and paper.
A Cabinet Office Briefing Rooms (Cobra) meeting has been called to be chaired by Home Secretary Amber Rudd. Such meetings are very rare and only held to co-ordinate action in cases of a national crisis.
The perpetrators remain unknown, but experts say the ransomware uses exploits stolen from America’s National Security Agency. They were publicly released last month by a group called Shadow Brokers, and have now seemingly been used in this incredibly fast-spreading malware.
Reports suggest the spread has been halted for now by a kill switch operated through the registration of a domain name. However, many systems remain down as the hackers are asking for bitcoins to release the data.
A number of addresses have been floating around that are said to belong to the hackers. One such address currently shows it contains around 5 bitcoins, worth nearly $10,000, with the first transaction made yesterday around mid-day.
Confirmation that the above address belongs to the hackers can be found in user-shared screenshots of ransomware-infected computers, such as the one below:
It’s not clear what happens once payment is made. The address in question has received a total of 21 payments in the last 24 hours, suggesting many infected computers are asked to send $300 to one shared bitcoin address, but there appear to be many such addresses.
It may well be the case the data is released once the address reaches a certain threshold, but how exactly they would be able to do so is not very clear as there are not yet any reports of any computer’s data being released.
According to reports, the malware spreads through Local Area Networks (LANs), generally used in business or institutional settings where computers share the same network access, such as university libraries. It may be the case, therefore, that one bitcoin address is being used per LAN.
That may suggest the attack isn’t really targeted at home users, who usually operate as individual islands, but rather at the LANs that make a business, hospital or university operate as a single island.
This attack may, therefore, be by state actors, but since the exploits have been publicly released, it could just be a sophisticated group of hackers.
This is the largest computer-related incident in history. There have been no previous events of such scale, affecting so many people in so many countries. The NHS was particularly vulnerable according to reports because it continues to use old IT systems which have not been updated.
As the UK is currently in the middle of a general election, it is probable this incident will become one of the main talking points, giving Labour a strong political attack vector against the Conservatives, whom they accuse of underfunding the NHS.
That’s, however, only part of this story. Considering that so many have been affected, this appears to be systemic, with the real solution probably being legislation that binds intelligence agencies to share the digital vulnerabilities they discover so that critical infrastructure can be protected.
A collection of these addresses would be useful to stop the flow of funds, so please share below any bitcoin address known to belong to the ransomers, preferably with evidence such as a ransomed computer screenshot.