Asia takes cyber hit; no 2nd wave arises

Posted: May 16, 2017 at 4:30 a.m.

A patient takes a nap in her wheelchair as she waits Monday with others at the registration desk at Dharmais Cancer Hospital in Jakarta, Indonesia, after the hospital’s information system was affected by the global cyberattack.

HONG KONG -- A global cyberattack spread to thousands of additional computers Monday as workers logged in at the start of a new workweek.

Universities, hospitals, businesses and daily life were disrupted, but no catastrophic breakdowns were reported. In Europe, where the cyberattack first emerged, officials said it appeared that a much-feared second wave -- based on copycat variants of the original malicious software -- had not yet materialized.

The new disruptions were most apparent in Asia, where many workers had already left for the day Friday when the attack broke out.

China alone reported disruptions at nearly 40,000 organizations, including about 4,000 academic institutions, figures that experts say are most likely low estimates, given the prevalence of pirated software there.

The list of affected institutions includes two of China's most prestigious schools of higher education, Tsinghua and Peking universities; a movie theater chain in South Korea; and blue-chip companies in Japan such as Hitachi and Nissan, which emphasized that their business operations were not impaired.

The cyberattack has afflicted 200,000 computers in more than 150 countries. Transmitted by email, the malicious software, or malware, locks users out of their computers, threatening to destroy data if a ransom is not paid.

The so-called ransomware continued to ripple through politics and markets Monday. Russia's president, Vladimir Putin, blamed the United States, noting that the malicious software used in the attack was originally developed by the National Security Agency. The information was then stolen and released by an elite hacking group known as the Shadow Brokers.

Monday morning, 11 technology companies in China, mostly dealing in Internet security, suspended trading after their stocks rose as much as 10 percent, the daily limit. Shares in European cybersecurity firms gained in early trading Monday as investors appeared to target companies that would benefit from increased attention on keeping data, networks and computers secure.

The disruptions in China cast a shadow over a major international conference that Beijing was hosting to promote its $1 trillion One Belt, One Road initiative, with participation from world leaders such as Putin.

On social media, students reported being locked out of final papers, and other people said ATMs, some government offices and the payment systems at gas stations had been affected. Talk of how to avoid the virus was widespread on the messaging app WeChat over the weekend.

Securities and banking regulators in the country issued warnings to businesses and financial institutions to audit their networks before putting computers to use to limit damage from the intrusion.

The state-run oil company, PetroChina, confirmed that the attack had disrupted the electronic payment capabilities at many of its gas stations over the weekend. By Sunday, 80 percent of its stations were functioning normally again, it said.

The southern city of Yiyang, with a population of more than 4 million people, said its traffic department had to disconnect from the Internet and suspend all operations, and Xi'an, a city of more than 8 million in central China, said the processing of drivers' tests and traffic violations would be affected because its traffic department had similarly been cut off.

Elsewhere, in France, automaker Renault decided not to reopen a 3,500-employee plant Monday as a "preventative step." And Lebanon's central bank temporarily suspended electronic transactions as a precaution.

In Britain, many hospitals and clinics that are part of the country's National Health Service were still having computer problems. Patients continued to be turned away because their records were inaccessible.

In the U.S., where the effects have not appeared to be widespread, investigators believe that more companies have been attacked but have not yet come forward to report it, a law enforcement official said in an interview. The official was not authorized to speak publicly about the investigation.

In Japan, about 2,000 terminals in 600 locations, used by individuals as well as by large companies, were most likely affected by the ransomware attack, according to JPCert, an independent group that helps respond to and track computer security breaches.

Taking WannaCry apart

The spread of the malware has focused attention on why a software patch issued by Microsoft in March had not been installed by more users. Microsoft has complained for years that a majority of computers running its software are using pirated versions.

The Australian prime minister, Malcolm Turnbull, said the attacks in his country seemed to be limited mostly to small businesses.

"We haven't seen the impact that they've seen, for example, in the United Kingdom," Turnbull said. "But it is very important that business and enterprises that are in the private or government sector make sure those patches for the Windows systems that were made available by Microsoft in March are installed."

Britain's National Crime Agency, which is taking part in a global investigation into the attack, said another wave of attacks could still occur, and it urged computer users to take precautions.

Security researchers in the meantime have been disassembling the malicious software, known as WannaCry, in hopes of uncovering clues to who released it. They are doing the same with the "phishing" emails that helped the ransomware embed itself in computers.

Investigators also hope to learn more by examining ransom payments made by computer users via bitcoin, the hard-to-trace digital currency often used by criminals.

WannaCry encrypted users' computer files and displayed a message demanding anywhere from $300 to $600 to release them; failure to pay would leave the data mangled and likely beyond repair.

A cybersecurity researcher in Britain managed to slow its spread by activating the software's so-called kill switch, but there were fears that the cybercriminals would release even more malicious versions.

Steve Grobman of the security company McAfee said forensics experts were looking at how the ransomware was written and how it was run. WannaCry is a sophisticated piece of work, he said, which helps rule out the possibility it was released by mere pranksters or lower-level thieves.

As for anonymous bitcoin transactions, he said, it is sometimes possible to follow them until an identifiable person is found.

Elliptic Enterprises, a London-based company that tracks illicit use of bitcoin, said that as of early Monday only about $50,000 had been paid in ransoms. The company calculated the total on the basis of payments tracked to bitcoin addresses specified in the ransom demands, adding that it expects the total to rise.

Eiichi Moriya, a cybersecurity expert and professor at Japan's Meiji University, warned that paying the ransom would not guarantee a fix.

"You are dealing with a criminal," he said. "It's like after a robber enters your home. You can change the locks, but what has happened cannot be undone."

Kill switch's discoverer

Separately, the 22-year-old British computer expert credited with cracking the WannaCry cyberattack said in an interview that he doesn't consider himself a hero but fights malware because "it's the right thing to do."

Marcus Hutchins, who works for Los Angeles-based Kryptos Logic and has long tweeted anonymously under the handle MalwareTech, said Monday that hundreds of computer experts worked throughout the weekend to fight the virus, which paralyzed computers around the globe.

"I'm definitely not a hero," he said. "I'm just someone doing my bit to stop botnets" -- or networks of malware-infected private computers.

The surfer from the south coast of England discovered the kill switch that slowed the outbreak on Friday. He then spent the next three days helping fight the cyberattack.

Hutchins said he stumbled across the solution when he was analyzing a sample of the malicious code and noticed it was linked to an unregistered Web address. He promptly registered the domain, something he said he regularly does to discover ways to track or stop cyberthreats, and found that doing so stopped the worm from spreading.
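The mechanism described above has a defensive corollary: once the kill-switch domain is registered, a machine that still looks it up is a machine on which the worm's code has run, so DNS query logs become an infection indicator. The following script is an added example, not code from the article or from Kryptos Logic; it uses a placeholder domain name (the real one is not given here), an assumed log format of "timestamp client-ip query-type name", and constructed sample log lines, and it reports which internal hosts queried the domain and how often.

```python
import re
from collections import Counter

# Placeholder for the kill-switch domain; the real name is not part of the article.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample DNS log lines (not real telemetry). The assumed format is
# "<timestamp> <client-ip> <query-type> <queried-name>"; one line is deliberately malformed.
SAMPLE_DNS_LOG = """\
2017-05-12T13:01:02Z 10.0.4.17 A killswitch-domain.example
2017-05-12T13:01:05Z 10.0.4.17 A www.example.com
2017-05-12T13:02:40Z 10.0.9.3 A KillSwitch-Domain.example.
2017-05-12T13:03:11Z 10.0.2.250 AAAA mail.example.com
2017-05-12T13:03:12Z 10.0.4.17 A killswitch-domain.example
malformed line here
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize_name(name):
    """Strip a trailing dot and lowercase, so FQDN spellings compare equal."""
    return name.rstrip(".").lower()


def find_kill_switch_queries(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return a Counter mapping client IP -> number of lookups of the kill-switch domain.

    Every hit is a host on which the worm's code executed far enough to perform
    its domain check, regardless of whether the payload then ran.
    """
    hits = Counter()
    target = normalize_name(domain)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _timestamp, client, _qtype, qname = m.groups()
        if normalize_name(qname) == target:
            hits[client] += 1
    return hits


def suspected_hosts(log_text, domain=KILL_SWITCH_DOMAIN):
    """Sorted list of client IPs that should be isolated, cleaned and patched."""
    return sorted(find_kill_switch_queries(log_text, domain))


if __name__ == "__main__":
    for host, count in sorted(find_kill_switch_queries(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {count} kill-switch lookup(s)")
```

Matching is case-insensitive and ignores a trailing dot because resolvers log names in both forms; without that normalization the second host in the sample would be missed.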

Salim Neino, chief executive officer of Kryptos Logic, said Hutchins took over the kill switch Friday afternoon European time, before it could fully affect the United States.

"Marcus, with the program he runs at Kryptos Logic, not only saved the United States but also prevented further damage to the rest of the world," Neino said. "Within a few moments, we were able to validate that there was indeed a kill switch. It was a very exciting moment. This is something that Marcus validated himself."

Kryptos Logic is one of hundreds of companies working to fight online threats for companies, government agencies and individuals around the world.

Hutchins also is part of a global community that constantly watches for attacks and works to thwart them, often sharing information on Twitter. It's not uncommon for members to use aliases to protect from retaliatory attacks and ensure privacy.

Information for this article was contributed by Gerry Mullany, Paul Mozur, Liz Alderman, Sewell Chan, Choe Sang-Hun, Melissa Eddy, Sophia Kishkovsky, Sui-Lee Wee, Jacqueline Williams, Owen Guo and Xu Qi of The New York Times; by Anick Jesdanun, Jill Lawless, Danica Kirka, Yuri Kageyama, Louise Watt, Yu Bing, Liu Zheng, John Leicester, Youkyung Lee and Kelvin Chan of The Associated Press; and by Nate Lanxon and Adam Satariano of Bloomberg News.

A Section on 05/16/2017