This article is from the source 'nytimes' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at https://www.nytimes.com/2017/05/15/world/asia/china-cyberattack-hack-ransomware.html

The article has changed 9 times.

Version 6: Cyberattack Spreads in Asia; Thousands of Groups Affected
Version 7 (about 9 hours later): The Fallout From a Global Cyberattack: ‘A Battle We’re Fighting Every Day’
HONG KONG A global cyberattack spread to thousands of additional computers on Monday as workers logged in at the start of a new workweek. On Sunday, union representatives for a Renault auto plant in France received text messages from the management: Tell the workers to stay home the next day. The company was still dealing with the fallout from a global hack that hit thousands of businesses and the factory would be shut.
Universities, hospitals, businesses and daily life were disrupted, but no catastrophic breakdowns were reported. In Europe, where the cyberattack first emerged, officials said it appeared that a much-feared second wave based on copycat variants of the original malicious software had not yet materialized. Since the hack was first detected on Friday, the company’s technicians have been racing to assess the damage. They have cleaned and rebooted systems that control robots on Renault’s factory floors, trying to make sure their systems were back to normal.
The new disruptions were most apparent in Asia, where many workers had already left on Friday when the attack broke out. As universities, hospitals and businesses around the world continued to take stock from a global hack that has locked up at least 200,000 machines since last week, they are going through much the same process. Many are also trying to determine if they have lost any data or if their systems are safe. Some are trying to figure out whether they should pay the ransom, or whether they have backups that will allow them to avoid giving in.
China alone reported disruptions at nearly 40,000 organizations, including about 4,000 academic institutions, figures that experts say are most likely to be low estimates, given the prevalence of pirated software there. On Saturday morning, technicians inspecting computers at Renault’s Sandouville operation in northern France found a demand in French for a $300 Bitcoin ransom with a threat to erase data. The carmaker decided not to pay.
But Renault will face other costs from shutting factories. Production is slowed, for example, and it will need to pay partial unemployment insurance for the thousands of employees at the Douai site who were not able to work on Monday.
The fallout for companies and institutions is growing by the day. The hack spread to thousands of additional computers on Monday, largely in China, India and Russia, although the pace of the rogue software’s advance appeared to be subsiding, at least temporarily. The attack is even causing consternation at companies not affected so far, as they shore up their own defenses — and leaving them feeling more relieved than reassured.
“It’s a battle we’re fighting every day,” said William Caraher, chief information officer at von Briesen & Roper, a midsize law firm in Milwaukee.
“We live in this world where any email attachment could be carrying malicious software that could go viral,” he said.
Gauging the extent of the disruption globally is difficult. Some companies report attacks, but many do not, fearing potential damage to their corporate reputations. For some, the modest $300 ransom is an incentive to pay and move on, said Greg Young, an analyst at Gartner.
In Germany, the hackers’ ransom demands popped up over the weekend on the screens of ticket vending machines of Deutsche Bahn, the national railway. On Monday, Deutsche Bahn technicians were still working to remove the malware, and some vending machine screens were displaying plain text advising travelers to get information elsewhere — on the railway’s website or smartphone app.
But Deutsche Bahn emphasized that the hacking had no effect on its train service or signaling systems. And like many other organizations affected by the hack, they were hoping the worst was over.
In the United States, FedEx, the giant package shipper, which had been hit in the attack that began on Friday, said it had “resumed normal operations” and its computer systems were healthy again.
In Asia, though, some of the challenges are just beginning. China alone reported disruptions at nearly 40,000 organizations, including about 4,000 academic institutions, figures that experts say are most likely to be low estimates, given the prevalence of pirated software there.
The list of affected institutions includes two of China’s most prestigious institutions of higher education, Tsinghua and Peking Universities; a movie theater chain in South Korea; and blue-chip companies in Japan like Hitachi and Nissan, which emphasized that their business operations had not been impaired.
The cyberattack has afflicted 200,000 computers in more than 150 countries. Transmitted by email, the malicious software, or malware, locks users out of their computers, threatening to destroy data if a ransom is not paid. China’s state-run oil company, PetroChina, confirmed that the attack had disrupted the electronic payment capabilities at many of its gas stations over the weekend. By Sunday, 80 percent of its stations were functioning normally again, it said.
The so-called ransomware continued to ripple through politics and markets on Monday. Russia’s president, Vladimir V. Putin, blamed the United States, noting that the malicious software used in the attack had originally been developed by the National Security Agency. (It was then stolen and released by an elite hacking group known as the Shadow Brokers.)
On Monday morning, 11 technology companies in China, mostly dealing in internet security, suspended trading after their stocks rose 10 percent, the daily limit. Shares in European cybersecurity firms gained in early trading on Monday, as investors appeared to target companies that would benefit from increased attention on keeping data, networks and computers secure.
The disruptions in China cast a shadow over a major international conference that Beijing is hosting to promote its $1 trillion “One Belt, One Road” initiative, with participation from world leaders like Mr. Putin.
On Chinese social media, students reported being locked out of final papers, while other people said that A.T.M.s, some government offices and the payment systems at gas stations had been affected. Talk of how to avoid the virus was widespread on the messaging app WeChat over the weekend.
Securities and banking regulators issued warnings to businesses and financial institutions to audit their networks before bringing computers online to limit damage from the intrusion. The securities regulator also said that it had taken down its network and was installing a patch as a security measure.
The state-run oil company, PetroChina, confirmed that the attack had disrupted the electronic payment capabilities at many of its gas stations over the weekend. By Sunday, 80 percent of its stations were functioning normally again, it said.
The southern city of Yiyang, with a population of more than four million, said its traffic department had to disconnect from the internet and suspend all operations, while Xi’an, a city of more than eight million in central China, said the processing of drivers’ tests and traffic violations would be affected because its traffic department had similarly been cut off.
The spread of the malware has focused attention on why a software patch issued by Microsoft in March had not been installed by more users. Microsoft has complained for years that a large majority of computers running its software in China were using pirated versions.
The Australian prime minister, Malcolm Turnbull, said the attacks in his country seemed to be limited mostly to small businesses.
“We haven’t seen the impact that they’ve seen, for example, in the United Kingdom,” Mr. Turnbull said. “But it is very important that business and enterprises that are in the private or government sector make sure those patches for the Windows systems that were made available by Microsoft in March are installed.”
In Japan, about 2,000 terminals in 600 locations, used by individuals as well as by large companies, were most likely affected by the ransomware attack, according to JPCert, an independent group that helps respond to and track computer security breaches.
The South Korean government said that just nine cases of ransomware had been found in the country so far, and that dozens of samples of the malware were being analyzed.
In Europe, the malware did not appear to be spreading appreciably on Monday. “So far, the situation seems stable in Europe, which is a success,” said Jan Op Gen Oorth, a senior spokesman for Europol.
In Britain, where the attack was first detected on Friday, the National Health Service struggled to get hospitals, clinics and doctors’ offices fully operational. The attack had caused some patients to be turned away from emergency rooms, and surgical procedures and medical appointments needed to be rescheduled.
“We have not seen a second wave of attacks, and the level of criminal activity is at the lower end of the range that we had anticipated, and so I think that is encouraging,” the British health minister, Jeremy Hunt, told Sky News on Monday. But he also warned against complacency: “The message is very clear, not just for organizations like the N.H.S. but for private individuals, for businesses.” In Sandbach, in northwest England, John Cosgrove, a 42-year-old general practitioner, said things were recovering, but he still did not have access to complete patient records. And the public seems to be putting off medical care that can be postponed until the N.H.S. computer systems are up and running normally again.
The health service has been criticized for using outdated software despite repeated warnings. Mr. Hunt said they were “making sure that our data is properly backed up, and making sure that we are using the software patches.” “On Friday, there was a feeling of chaos,” Dr. Cosgrove said. “But there are not many people booking to see us. It does feel quite different still.”
The British National Crime Agency, which is taking part in a global investigation into the attack, said that a second wave of attacks could still occur, and it urged computer users to take precautions. Until computer security experts closely examine infected machines, they will not know the mechanism by which the malicious software got into the computers and then spread.
A Renault factory in Douai, France, that employs around 5,500 people did not open on Monday because information security technicians were performing “preventive testing” on the information and robotics system before restarting production on Tuesday. The company said that no data had been lost or damaged, and that no ransom had been paid. The malware used by the attackers was sophisticated, security experts say, but the collection mechanism was not, by the current standards of ransomware, said Caleb Barlow, vice president in charge of threat intelligence for IBM.
In Germany, the national railway operator, Deutsche Bahn, said that the attack had infected electronic information boards showing arrivals and departures, and video surveillance cameras at some stations. Several of Deutsche Bahn’s 7,000 electronic ticket machines were also affected, but nearly all had been repaired by Sunday, the company said. Rail travel was not affected. Some perpetrators include instructions for how to pay by Bitcoin and even examples of people who paid and regained access to their data, and those who did not. But this global ransomware attack did not include such payment-easing features, Mr. Barlow said, and may account for the modest level of estimated payments so far. “That is a bit of head-scratcher,” he said.
Deutsche Bahn appeared to be the only major company in Germany affected by the hacking attack. Nevertheless, the country’s Federal Criminal Police Office opened an investigation. Last year, the country passed security legislation aimed at helping to prevent such malware attacks, after criminals believed to be Russian hackers managed to breach the German Parliament’s network in 2015. The Bitcoin payments as of late Monday afternoon were just under $60,000, according to Chainalysis, a Bitcoin analytics firm. The largest transaction was $3,300, said Jonathan Levin, co-founder of Chainalysis, suggesting that large corporations and government agencies have not been paying.
The cyberattack underlines the growing problem of ransomware.
IBM’s security research unit collects and monitors about 45 million pieces of spam a day worldwide. In 2015, less than 1 percent of the spam was ransomware. By last year, 40 percent had a document or web link that activated ransomware, and the current attack promises to lift that percentage higher.
On Monday, Robert A. Iger, Disney’s chief executive, told employees at a town-hall meeting in New York that hackers had contacted the company to claim access to one of its unreleased movies and had demanded a ransom. Mr. Iger, who did not identify the film, said that Disney is not paying and has been working with federal investigators to resolve the matter.
It was not clear if a Disney film had actually fallen into hackers’ hands or if the attack on Disney was related to the one over the weekend. A Disney spokeswoman did not respond to queries.