(CN) – Hackers unleashed a massive global cyberattack Friday exploiting a vulnerability that The New York Times says was identified in leaked National Security Agency documents.
The attack, using a form of ransomware, began Friday morning as a severe disruption of Britain’s public health system. The hackers locked the health systems computers and demanded ransom paid in Bitcoins. They warned that if they are not paid within a week, the health system will lose all of its documents.
Since then multiple cybersecurity firms have said it appears tens of thousands of attacks are underway, in at least 72 countries.
No one appears to know who is behind the attacks, but they appear to be using a ransomware that exploits a vulnerability discovered and developed at the NSA. The ransomware, a form of malware, encrypts a user’s data, locks them out of their computer, and demands a ransom to release it.
It appears to have been distributed as a compressed file in an email. Once opened, it infected the users’ computers, then spread like a tidal wave, across whole systems.
According to The New York Times, the ransomware was part of a cache of NSA hacking tools dumped online last year by a group called the Shadow Brokers.
In March, Microsoft issued a patch to protect the vulnerability the ransomware exploits, but the hackers struck before many institutions, including the British hospitals, updated their systems.
Britain’s National Health Service began warning its employees about the ransomware threat Friday morning, but by then, at least 36 medical facilities and ambulance services had been taken down.
British Prime Minister Theresa May later appeared on television to assure her nation that it does not appear patient data had been compromised.
A spokesman for the European Union’s police agency, Europol, said late Friday that Britain and Spain have asked for its support as they investigate the cyberattacks in those countries.
The spokesman, Jan Op Gen Oorth, declined to give further details so as not to jeopardize the ongoing investigations.
In a tweet, Europol Director Rob Wainwright said the cyberattack on British health care institutions “follows trend from US of ransomware attacks on health care trusts.”
Meanwhile, Romania’s intelligence service says it has intercepted an attempted cyberattack on a government institution which it said likely came from cybercriminal group APT28 also known as Fancy Bear.
Cyberint, subordinated to the Romanian Intelligence Service, said Friday it thwarted a cyberattack to a government institution, without saying when it occurred, following notification from NATO and the Romanian foreign intelligence agency.
The foreign ministry did not confirm whether it was the institution in question.
The statement said “due to the efficient cooperation between the institutions, the attack was prevented as were damages, as the targets were identified as well as the methodology of the attack.”
The statement said there were thousands of cyberattacks daily “and Romania is no exception.”
A top Russian mobile operator said it has also come under cyberattacks that appeared similar to those in Britain.
Pyotr Lidov, a spokesman for Megafon, said the attacks froze computers in company’s offices across Russia. He said that mobile communications haven’t been affected. Lidov said that the attack involved demands of payment of $300 worth to free up the system.
He added that the company managed to restore the work of its call center but closed most of its offices for the day.
Russian media is also reporting cyberattacks on the Interior Ministry and the Investigative Committee. The committee, the nation’s top investigative agency, has rejected the claim.
The Associated Press contributed to this report.