Criminals used leaked NSA cyberweapon in crippling ransomware attack, experts say

A leaked cyberweapon believed to have been created by NSA spies was used by criminals on Friday to launch a crippling ransomware attack on hospitals and telecom companies across Europe, security experts say.

The attack which holds access to infected computers ransom in exchange for payment wreaked havoc on patient care in at least 16 organizations within the U.K.'s state-run National Health Service and is believed to have spread to computers in more than 99 countries by Saturday morning, according to security company Avast.

• Dozens of countries affected by ransomware cyberattack
• Attack put patientsat risk, U.K. health-care worker says

Researchers spent much of Friday examining the software used in the attack, and believe it relies on re-purposed code that is said to have originally been written by the NSA.

The supposed NSA code exploited a software vulnerability found in multiple versions of Microsoft's Windows operating system, but was patched in March just weeks before a group of hackers known as the Shadow Brokers leaked a trove of information publicly detailing what they claimed were the U.S. spy agency's secret tools and techniques.

'Weapons-grade exploits'

"These were weapons-grade exploits [and] very trivial to use," said Matthew Hickey, a cybersecurity research and co-founder of the company Hacker House, who previously analyzed the code leaked by the Shadow Brokers. "So what we're seeing is this very run-of-the-mill malware that's being adopting these exploits, adopting these kind of weaponized attacks and using them to spread across networks and demand ransom."

• Deciding when to pay up: How to respond to hackers in ransomware attack

Spain's national computer security incident response team was one of the first organizations to publicly attribute the ransomware's spread to the leaked exploit known by the NSA code name EternalBlue and Microsoft patch number MS17-010 while malware researchers reported similar findings on Twitter.

Costin Raiu, director of global research and analysis at the computer security company Kaspersky, said that his firm had detected more than 45,000 recorded instances of the attack in 74 countries by early Friday afternoon.

"I'm actually genuinely quite surprised that it's taken close to six or seven weeks for the first large-scale incident like this to happen," said Hickey, who is alarmed but unsurprised that people aren't patching as quickly as they should.

A global patching problem

While many ransomware infections require a victim to open an email attachment or click a link, Friday's attack is notable for its worm-like ability to spread in other words, its ability to copy itself between vulnerable machines without user intervention.

The ransomware's rapid spread suggests that many organizations have been slow to update their systems to newer versions of Microsoft's Windows operating system that address the bug, which likely aided the worm's movement.

"I just can't stress it enough: we have a global patch management problem," said Katie Moussouris, CEO and founder of the cybersecurity company Luta Security. "And it's been manifesting for the better part of the last 20years."

• From last year:Carleton University computers infected with ransomware

Software makers have long struggled to convinceusers of the importance of keeping their software up to date especially in the face of bugs deemed as critical as the one that was patched in March.

Some organizations, such as hospitals or factories, might delay patching for fear of disrupting critical systems. Others might lack the technical knowledge or resources to patch quickly, if at all. Software companies have more recentlytried to address the problem by downloading and installing some updates automatically butMoussourisbelievesthere is still more work that needs to be done.

Re-using NSA code

In this case, it's not so much the NSA spy software that criminals are exploiting, but ratherthe software vulnerabilities spies use to deliver their toolsundetected onto targets' machines,re-purposedto deliver ransomware instead.

And while it may soundsurprising to see tools otherwise used for government espionage re-purposed for what amounts to a globalelectronic extortion campaign,Moussourissaid it's long been the practice of criminals to adapt everything from academic research to leaked codefor use in their attacks.

• University of Calgary paid $20K in ransomware attack

"While there's nothing particularly special about this pattern for sure, if there are future leaks you can expect the same patterns to be followed," Moussouris said, stressing theimportance of applying patches as soon as possible once software updates are made available.

What havingNSA tools in the wild doesn't meanis that "we're all going to be spied on by everyone," she said.

"It's not how that works. If you were not a target in the first place, guess what? You're still not a target."