First, there were reports of Spain's largest telecom being hit with pop-up windows demanding a $300 ransom to access files. Then at least 16 hospitals in England's National Health Service were affected, locking doctors and nurses out of patients' records unless they paid up. Now comes word that networks around the world are under attack Friday.
"Currently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia," cyber security firm Kaspersky says. (We'll note that Kaspersky supports NPR and is a provider of security services for its IT systems.)
Friday's attacks are being blamed on a piece of malware called WCry, WannaCry, or Wana Decryptor, that's now been tracked in large-scale attacks across Europe and Asia — particularly Russia and China — as well as attacks in the U.S. and South America, according to a map on the Malware Tech site.
After the attack left medical providers in the U.K. scrambling to deliver vital services either without using computers or with machines that limped through the day, the U.S. Department of Health and Human Services issued a statement saying it's working to understand the threat and protect America's medical systems.
"We are also aware that there is evidence of this attack occurring inside the United States," the agency said in a message to public health entities Friday afternoon.
Victims of the attack are confronted with a pop-up window that tells them their files are now encrypted and that they need to send $300 via the bitcoin cryptocurrency.
"You can decrypt some of your files for free," reads the message, which we're seeing today in a variety of languages. "But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled."
The window includes a countdown clock that threatens the files will be lost permanently in seven days.
Wana Decryptor exploits a Windows flaw that was patched in Microsoft's Security Bulletin MS17-010 in March. But on machines that haven't been updated or patched, the malicious code encrypts all of an infected machine's files — and then spreads itself.
"Infection of a single computer can end up compromising the entire corporate network," Spain's National Cryptologic Center says.
The malware is alleged to have been leaked or stolen from the National Security Agency, as the Bleeping Computer site reports. It was reportedly distributed by the Shadow Brokers, which claimed to have hacked an NSA-linked team of hackers last August.
The Shadow Brokers group, which is suspected of having ties to Russia, posted Windows hacking tools last month.
"Activity from this ransomware family was almost inexistent prior to today's sudden explosion when the number of victims skyrocketed in a few hours," Bleeping Computer's Catalin Cimpanu writes.
At least one Russian agency was hit by the ransomware — a fact that emerged after earlier conflicting reports. In an update after midnight local time, Russia's Interior Ministry acknowledged to the state-run TASS news agency that its computers had been hit.
"As of now the virus has been localized," ministry spokeswoman Irina Volk told TASS. "There have been no inside information leaks from the Russian Interior Ministry's information resources."
In the U.S., the Computer Emergency Readiness Team, or CERT, says it has "received multiple reports of ransomware infections in several countries around the world." The agency did not identify those countries.
The Department of Homeland Security says it's coordinating with "international cyber partners" in the wake of the widespread attacks. When asked to confirm that Wana Decryptor has struck in the U.S., and at what scale, Acting Deputy Press Secretary Scott McConnell did not provide specifics.
"We routinely provide cybersecurity assistance upon request, including technical analysis and support," McConnell says. "Information shared with DHS as part of these efforts, including whether a request has been made, is confidential."
Commenting on today's attack, Sen. Ben Sasse, a member of the Senate Armed Services Committee, says:
"This is big: around the world, doctors and nurses are scrambling to treat patients without their digital records or prescription dosages, ambulances are being rerouted, and millions of people's data is potentially exposed. Cybersecurity isn't a hypothetical problem – today shows it can be life or death. We'll likely look back at this as a watershed moment."
The malware is both powerful and insidious, computer security expert Craig Williams of Cisco Talos tells NPR's Aarti Shahani:
"You could just walk up to your computer and it's infected, even if you didn't even touch it. You don't have to be there. All that has to happen is your computer is on and on the network."
England's NHS says at least 16 of its organizations were hit by the ransomware. In a statement released around 11:30 a.m. ET, the system's digital office said, "This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors."
The attack also hit facilities in Scotland, where Health Secretary Shona Robison says officials are "taking immediate steps to minimize the impact of the attack across NHS Scotland and restrict any disruption."
"The investigation is at an early stage, but we believe the malware variant is Wanna Decryptor," the NHS says, referring to software that is being blamed for a number of ransom attacks in Europe Friday.
"At this stage we do not have any evidence that patient data has been accessed," the system says.
An IT worker at the public health care system tells The Guardian newspaper that it's the biggest problem they've seen in their six years working for the service.
The problem erupted around 12:30 p.m. local time, the IT worker says, with a number of email servers crashing. Other services soon went down, and then, the unidentified NHS worker says, a "bitcoin virus pop-up message" started taking over computer screens.
The U.K.'s National Cyber Security Center says it's working with both the digital office of the NHS and law enforcement.
Images that were posted online of the NHS pop-up look nearly identical to pop-up ransomware windows that hit Spain's Telefonica, a powerful attack that forced the large telecom to order employees to disconnect their computers from its network and to resort to an intercom system to relay messages, according to Bleeping Computer.