On Friday morning, somewhere in Europe, an unwitting user opened an email attachment or clicked a link allowing the ransomware “WannaCry” to infect their computer. The virus spread rapidly, infecting 200,000 systems in more than 150 countries around the world.
Spanish telecommunications giant Telefonica was the among the first large company to be infected by WannaCry before Britain’s National Health Service also reported being hit by the attack on Friday, leading to thousands of cancelled appointments and operations.
Elsewhere in Europe, French carmaker Renault was hit as was German rail company, Deutsche Bahn, while FedEx computers in the U.S. also fell victim to the malware.
“It exposes a vulnerability in Windows XP for file sharing protocol,” said cybersecurity expert Daniel Tobok. “It gets into one computer and then from there laterally goes into all the computers on the network.”
The vulnerability was first revealed as part of a massive leak of NSA hacking tools and known weaknesses by an anonymous group calling itself “Shadow Brokers” in April.
Tobok said there were “three attack vectors” involved in WannaCry: computers were accessed directly, some people opened email attachments, and others were redirected to websites where they downloaded the malware.
Apple users generally were not affected by WannaCry as it targeted computers running outdated versions of Microsoft Windows, said Tobok.
WATCH: Oshawa hospital among thousands hit by international cyberattack
In Canada, Lakeridge Health in Oshawa confirmed it experienced computer problems linked to the global cyberattacks, although Tobok said his company found at least 50 other companies were affected but chose not to report the attacks.
By Monday, the cyberattack spread to thousands more computers as people across Asia logged in at work, disrupting businesses, schools, hospitals and daily life. But no new large-scale outbreaks were reported.
A 22-year-old British researcher is being credited with discovering a so-called “kill switch” that halted the spread of the cyberattack.
Britain’s National Cyber Security Centre and others say a cybersecurity researcher identified online only as MalwareTech found a hidden web address that wasn’t registered. Those in the global cybersecurity community regularly use aliases to protect themselves from retaliatory attacks or for privacy.
MalwareTech explained in a blog post Saturday that after Britain’s health system had been hit by ransomware he believed that “this was something big.”
He began analyzing the malicious software and noticed its code included a web domain that wasn’t registered and “promptly” registered the domain for just $10.69, according to the Guardian.
Meanwhile in the U.S., Darien Huss, a 28-year-old research engineer in Michigan, said he noticed the authors of the malware had left in a feature known as a kill switch. Huss took a screen shot of his discovery and shared it on Twitter.
Together he and MalwareTech found that by registering the domain name and redirecting the attacks to a separate server had activated the kill switch, halting ‘WannaCry’ infections.
“The ‘hero’ is a bit strong,” MalwareTech told the Associated Press Sunday. “I sort of did what I could.”
What is ransomware?
WATCH ABOVE: Cyber attack aftershocks disrupt devices across Asia
WannaCry — also known as WanaCrypt0r 2.0, WannaCry and WCry — is a type of malicious software known as “ransomware” that gets into your computer — either when you click on or download the wrong thing — and then it encrypts some of your files. You will receive a message that the files will be unencrypted only if you pay a certain amount in ransom, usually in bitcoin.
With WannaCry, a red screen would appear saying “oops, your files have been encrypted” and you would be hit with a demand for $300 worth of bitcoin. That would jump to $600 after 72 hours. After seven days, the files would be permanently locked.
“It basically says in a very nice way, ‘you’re screwed.’ The information is encrypted. If you want it back you have to pay us,” said Tobok., “It actually has a little ticking clock that counts down the time.”
Security experts warn there is no guarantee that access will be granted after payment.
How to protect yourself
The global cyberattack is also a reminder to always install updates and patches on your computer to close any vulnerabilities.
PC users should patch their machines with updates from Microsoft, especially those using older versions of operating systems such as Windows XP. Microsoft did put out a patch two months ago for more recent systems, but not all users may have downloaded it.
“It’s a wake-up call, it happens every day,” said Tobok. “This is far from over … you have to be proactive, you can’t be reactive in these types of situations.”
Since ransomware can be spread by emails, users should be wary of any unsolicited emails or emails from addresses they may not know.
To verify if a link provided in an email is legitimate. check the URL by hovering your mouse over the link — if the email appears to be from a business (say, UPS, for example) and the URL is not the company’s official web address, then it’s likely a fraudulent email.
— With files from Rebecca Joseph and The Associated Press