A type of computer virus known as ransomware has caused havoc in British hospitals, a Spanish telecoms company and many other organisations in dozens of countries around the world. Here are some key questions addressed.
1. What is ransomware?
Ransomware is a type of computer virus which locks the files on a user's server or PC using encryption. It then demands a ransom to have the files decrypted. The ransom usually has to be paid using the cryptocurrency Bitcoin, which makes its recipient harder to trace. The virus usually threatens to increase the ransom and/or delete files if the money is not paid by a certain date. In many cases the criminals behind such attacks will unlock the files when the ransom is paid, because not doing so would lead people to think there was no point in paying such ransoms in the first place.
2. How do the infections happen?
Generally ransomware attacks are random, not targeted. They are usually spread via malicious files which people unwittingly open, such as email attachments. That then triggers the ransomware. Some forms of ransomware simply pretend to be anti-virus protection software that has detected large numbers of viruses, and demand money to resolve the issues. Other forms lock the computer so the user cannot actually access the machine at all. The worst kind encrypts and locks the individual files.
3. Is it possible to unlock files locked like this?
In certain cases sophisticated software can be used to remove ransomware and decrypt the files. But this is not always possible. And in some cases, trying to do so can lead to the files being irreparably damaged. So it is often a gamble which requires a level of knowledge when making the decision. As a result, some people just choose to pay the ransom and hope they can move on. However, when it involves a hospital system like the NHS with thousands and thousands of computers, paying up may not be a desirable option.
4. How common is ransomware?
Very common, particularly in the past few years, during which time there has been an explosion in incidents. Last month security company Symantec published its annual Internet Security Threat Report, which found that there were 463,841 ransomware detections in 2016, up from 240,665 in 2015. Not only did the volume of detections increase, but so too did the average ransomware payout, increasing from $294 in 2015 up to $1,077 in 2016. The incidence has exploded because ransomware is very easy for criminal gangs to deploy, has a high return rate for them, is particularly hard to stop and rarely leads to the perpetrators being caught.
5. What about this variant impacting organisations around the world like the NHS?
Cyber security experts say it is WanaCrypt0r 2.0, a new version of the WCry or WannaCry ransomware. Although it is early days and experts are battling to figure out how it works, some are suggesting what's new about it is that it may exploit a vulnerability that was made public by a group called The Shadow Brokers that hacked the National Security Agency in the US, stole its hacking tools and then dumped them on the internet. Microsoft subsequently published a patch for the vulnerability, but it is possible that not everyone applied it to their systems, leaving them vulnerable.
6. Is there anything else unusual about this ransomware?
Experts seem to be surprised at how quickly it has spread. As stated earlier, ransomware is normally spread from machine to machine by unwitting users. But it is possible that this version is spreading inertly as a so-called worm, making it much harder to stop. One expert I spoke to said if this is the case, it would be the first ransomware version they had heard of to do this. This might be why some NHS hospitals which have not been infected have still chosen to shut down their systems. Experts also say recently there have been new types of ransomware which seem to be more sophisticated and search computers and servers for files that look like they could be particularly important before encrypting them. As a result, there has been a rise in the number of healthcare facilities that have been hit, as their records are considered valuable data. Last year, for example, a number of hospitals in the US were targeted and one ended up having to pay out $17,000 to get its files unlocked.
7. Is it likely to impact computer users in Ireland?
There has been one incident in Ireland, at a healthcare facility in Wexford. The Health Service Executive on Friday evening announced it was taking precautionary measures in light of the NHS attack.
Experts say computer users and network administrators should follow the usual advice to avoid infections. This includes making sure systems have all patches up to date, that there is adequate anti-virus protection in place and that users take great care about opening files unless they are certain they know what they are.
Comments welcome via Twitter to @willgoodbody