Corp Comm Connects


Global cyberattack could get worse, experts say

Intelligence expert warns businesses to brace for fresh wave of attacks that could impact North America.

thestar.com
By SEWELL CHAN and MARK SCOTT
May 14, 2017

Security experts are warning that the global cyberattack that began on Friday will probably be magnified in the new workweek as users return to their offices and turn on their computers.

Many workers, particularly in Asia, had logged off on Friday before the malicious software, stolen from the U.S. government, began proliferating across computer systems around the world. So the true effect of the attack may emerge on Monday as employees return and log in.

Moreover, copycat variants of the malicious software behind the attacks have begun to spread, according to experts. “We are in the second wave,” said Matthieu Suiche of Comae Technologies, a cybersecurity company based in the United Arab Emirates. “As expected, the attackers have released new variants of the malware. We can surely expect more.”

Britain’s National Cyber Security Centre said Sunday that it had seen “no sustained new attacks” but warned that compromised computers might not have been detected yet and that the malware could further spread within networks.

So far, the main targets of the ransomware attack have been outside North America. Experts do not assume that will continue to be the case.

Monday could bring a wave of attacks to North America, warned Caleb Barlow, vice-president of threat intelligence for IBM. “How the infections spread across Asia, then Europe overnight will be telling for businesses here in the United States,” he said.

The cyberattack hit 200,000 computers in more than 150 countries, according to Rob Wainwright, executive director of Europol, the European Union’s police agency.

Among the organizations hit were FedEx in the United States, the Spanish telecom giant Telefonica, the French automaker Renault, universities in China, Germany’s federal railway system and Russia’s Interior Ministry. The most disruptive attacks infected Britain’s public health system.

The cyberattack could have been worse, it appears. It was stemmed by a young British researcher and an inexpensive domain registration, with help from another 20-something security engineer in the U.S.

The National Cyber Security Centre in the U.K. and others were hailing the cybersecurity researcher, a 22-year-old identified online only as MalwareTech, who - unintentionally at first - discovered a “kill switch” that halted the unprecedented outbreak.

By then, the “ransomware” attack had hobbled Britain’s hospital network and computer systems in several countries, in an effort to extort money from computer users. But the researcher’s actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in North America were more widely affected.

MalwareTech said in a blog post Saturday that he had returned from lunch with a friend on Friday and learned that networks across Britain’s health system had been hit by ransomware, tipping him off that “this was something big.”

He began analyzing a sample of the malicious software and noticed its code included a hidden web address that wasn’t registered. He said he “promptly” registered the domain, something he regularly does to try to discover ways to track or stop malicious software.

Across an ocean, Darien Huss, a 28-year-old research engineer for the cybersecurity firm Proofpoint, was doing his own analysis. The Michigan resident said he noticed the authors of the malware had left in a feature known as a kill switch. Huss took a screen shot of his discovery and shared it on Twitter.

MalwareTech and Huss are part of a large global cybersecurity community of people, working independently or for security companies, who are constantly watching for attacks and working together to stop or prevent them, often sharing information via Twitter. It’s not uncommon for them to use aliases, either to protect themselves from retaliatory attacks or for privacy.

Soon Huss and MalwareTech were communicating about what they’d found: that registering the domain name and pointing it at a server run by Kryptos Logic, the security firm MalwareTech worked for, had activated the kill switch. Each new infection now got an answer when it checked that domain and stopped, and the server that collects those check-ins is what’s called a “sinkhole.”
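To make the mechanism concrete, here is an added example in Python, written for this page and not code from the article, from MalwareTech or Huss, or from the malware itself. It models the single decision the sample makes when it contacts the unregistered domain, shows how pointing that domain at a sinkhole flips the decision, and scans constructed DNS query logs for hosts that performed the lookup, which a defender can use to find machines that ran the sample even where the sinkhole then stopped them. The domain name, probe functions and log lines are placeholders; the article does not name the real domain.

```python
"""Model of the kill switch and sinkhole described in the article.

Added illustration for this page, not the article's content or the
malware's own code. The domain, probe functions and DNS log lines are
constructed placeholders; nothing here touches the network.
"""
from typing import Callable, Set

# Constructed placeholder for the unregistered domain found in the sample.
KILL_SWITCH_DOMAIN = "example-killswitch.invalid"


def should_proceed(probe: Callable[[str], bool],
                   domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Return True when the malware would go on to spread and encrypt.

    The behaviour the article describes, reduced to one decision: the code
    tries to reach a domain nobody had registered. A failed attempt means
    "keep going"; a successful one means "stop". The sense is inverted from
    an ordinary feature flag, which is why registering the domain and
    answering on it switches every new infection off.
    """
    try:
        answered = probe(domain)
    except OSError:
        answered = False  # lookup or connection failure: same as unregistered
    return not answered


def before_registration(domain: str) -> bool:
    """Probe as things stood on Friday morning: the name did not resolve."""
    raise OSError("NXDOMAIN")  # constructed; models a failed DNS lookup


def after_sinkhole(domain: str) -> bool:
    """Probe after the domain was registered and pointed at the sinkhole."""
    return True  # the sinkhole answers, so the malware halts


def egress_blocked(domain: str) -> bool:
    """Probe from a host whose direct outbound Internet traffic is blocked.

    In this model such a host never sees the sinkhole's answer, so the
    kill switch does not protect it even after the domain is registered.
    """
    raise OSError("connection refused")  # constructed


# Constructed DNS query log, one "timestamp client qname" record per line.
DNS_LOG = """\
2017-05-12T13:01:07Z 10.20.3.14 example-killswitch.invalid
2017-05-12T13:01:09Z 10.20.3.14 updates.corp.local
2017-05-12T13:02:41Z 10.20.7.201 EXAMPLE-KILLSWITCH.INVALID.
2017-05-12T13:03:00Z 10.20.9.5 mail.corp.local
"""


def hosts_that_tripped_kill_switch(log: str,
                                   domain: str = KILL_SWITCH_DOMAIN) -> Set[str]:
    """Return client IPs that looked up the kill-switch domain.

    The lookup happens before anything is encrypted, so a host in this set
    ran the sample (or something imitating it) whether or not the sinkhole
    then stopped it. Matching is case-insensitive and ignores a trailing
    dot, as DNS names are.
    """
    wanted = domain.lower().rstrip(".")
    hits: Set[str] = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed record; skip rather than guess
        _timestamp, client, qname = parts
        if qname.lower().rstrip(".") == wanted:
            hits.add(client)
    return hits


if __name__ == "__main__":
    for name, probe in [("before registration", before_registration),
                        ("after sinkhole", after_sinkhole),
                        ("egress blocked", egress_blocked)]:
        print(f"{name:20s} proceed={should_proceed(probe)}")
    print("hosts that did the lookup:",
          sorted(hosts_that_tripped_kill_switch(DNS_LOG)))
```

The third probe is the caveat that follows from the mechanism itself: a machine that cannot reach the sinkhole (no direct outbound access, or the name blocked at the resolver) gets the same failure it would have had before the domain was registered, so the kill switch does nothing for it. That is also why the DNS scan is worth running: the lookup is evidence of execution on a host regardless of whether the switch then tripped.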

Who perpetrated this wave of attacks remains unknown.

Huss and others were calling MalwareTech a hero on Saturday, with Huss adding that the global cybersecurity community was working “as a team” to stop the infections from spreading.

“I think the security industry as a whole should be considered heroes,” he said.