The clock is ticking for a weeklong cyberattack that has crippled hospitals and schools, as it looks for a way to use victims’ personal data.
The WannaCry worm, which has infected at least 200,000 computers in 150 countries, encrypts users’ files and demands money to release them. It’s so deadly that the United Kingdom’s National Health Service this week said that, as of Friday, 250 of its computer systems were down.
Digital-security experts say the update to the operating system infected each computer with a “kill switch,” stopping WannaCry from spreading. But to get around that, the hackers are now taking control of infected computers by offering to update the machines — but instead demanding ransom payments in bitcoin.
WannaCry is believed to be the work of a group called the Shadow Brokers, which stole secret versions of the secure Microsoft Windows operating system last month.
Microsoft said it had fixed the vulnerability that the hackers exploited, and released a patch for the flaw in March.
“While we appreciate the continued help and cooperation from customers and partners, customers affected by this attack still have not been able to fully restore their systems,” the company said.
Computer hackers do their homework. They were already taking advantage of so-called zero-day security vulnerabilities — unpatched flaws that are known but not yet patched — in Britain’s GCHQ spy agency in 2015 and Microsoft in March.
Federal security experts say that even well-known companies can be compromised by malicious hackers. There are plenty of other ways for criminals to steal information. For example, they could hack into the company’s employee databases to take employee information.
With the nation focusing on security threats from Russian hackers during the election and the new administration focusing on hacking threats from foreign countries and companies, we may be seeing a wave of bad news.
But it doesn’t have to be that way. “Just as bad news is out there, so is good news — and there are alternatives to the traditional reactive approaches to security,” said Christian Wegner, chief technology officer at AWS, a cloud-computing company.
Wegner, who is based in California, pointed to several companies that are looking to take over the cybersecurity industry. While we want to keep high-profile companies that are identified with security in public charge of their own cybersecurity, security shouldn’t just be left to big companies with software development or consulting services. Many major computer companies and financial institutions rely on smaller startups with different perspectives on security, he said.
To fix security problems, companies need to hire experts — in addition to their developers and programmers. They may also need to abandon the corporate structure they’ve had for decades and learn to depend on one or two leaders from outside the company who have unique perspectives and have proven their mastery in security.
Often times, the idea is starting to come true.
Facebook recently broke into digital cybersecurity with the acquisition of HackerOne, a security company that has been working with top companies such as Google, Twitter and Facebook. Another of its clients is online-search engine Google.
HackerOne’s newest clients — a company that can test critical hacks on computers — announced Friday that it had raised $60 million in venture funding to help defend companies against cyberattacks.
Security is “not a one-person job,” HackerOne’s founder, Thijs Valter, said in a statement. “We need to create more inclusive ways to train and certify the next generation of cyber experts.”
As for WannaCry, the hackers say they are behind the attack but haven’t yet claimed responsibility. A note circulating on the internet said the attack was associated with the hacking group Lazarus, which is believed to be behind the 2014 theft of $81 million from the Bangladesh central bank.
Earlier this year, the FBI connected a data breach that occurred at the U.S. Office of Personnel Management to the Lazarus Group. In the OPM hack, hackers stole background-check information about current and former government employees.
“The hackers are not saying anything but we are,” said Alan Paller, director of research at the SANS Institute, a cybersecurity training group.
There is no indication the hacks and attacks that have occurred in recent months are connected to WannaCry, Paller said. But it’s too early to rule anything out.