Global cyber-attack: How roots can be traced to the US
The huge cyber-attack affecting organisations around the world, including some UK hospitals, can be traced back to the US National Security Agency (NSA) - raising questions over the US government's decision to keep such flaws a secret.
Elements of the malicious software used in Friday's attacks were part of a treasure trove of cyber-attack tools leaked by hacking group the Shadow Brokers in April.
One of the tools contained in the Shadow Brokers leak, codenamed EternalBlue, proved to be "the most significant factor" in the spread of Friday's global attack, according to cyber-security firm Kaspersky Lab.
The tool was said to have been created by the NSA - though, as is typical, the agency has neither confirmed nor denied this.
EternalBlue was made public on 14 April, and while Microsoft had fixed the problem a month prior to its leak, it appeared many high-profile targets had not updated their systems to stay secure.
Explaining the global ransomware outbreak
'My heart surgery was cancelled'
Friday's attack has reignited the debate over whether or not governments should disclose vulnerabilities they have discovered or bought on the black market.
"It would be deeply troubling if the NSA knew about this vulnerability but failed to disclose it to Microsoft until after it was stolen," said Patrick Toomey, a lawyer working for the American Civil Liberties Union.
"These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world.
"Patching security holes immediately, not stockpiling them, is the best way to make everyone's digital life safer."
Edward Snowden, who famously leaked many internal NSA files in June 2013, criticised the NSA on Friday in a series of tweets.
"In light of today's attack, Congress needs to be asking [the NSA] if it knows of any other vulnerabilities in software used in our hospitals," he wrote.
"If [the NSA] had privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, this may not have happened."
However, others focused the blame at institutions for being too slow in updating their systems, given that this attack happened almost two months after a (free) fix was made available by Microsoft.
"Say what you want to say about the NSA or disclosure process," said Zeynep Tufeki, a professor at the University of North Carolina.
"But this is one in which what's broken is the system by which we fix."
For the UK's National Health Service, the problem is perhaps more acute.
Security firms have continually raised alarms about the NHS's reliance on Windows XP, an operating system that is no longer supported by Microsoft.
Cyber-attack: Is my computer at risk?
Experts are warning that there could be further ransomware cases this week after the global cyber-attack. So, what has happened and how can organisations and individuals protect themselves from such attacks?
What is the scale of the attack?
Ransomware - a malicious program that locks a computer's files until a ransom is paid - is not new but the size of this attack by the WannaCry virus is "unprecedented", according to EU police body Europol.
It said on Sunday that there were believed to be more than 200,000 victims in 150 countries. However, that figure is likely to grow as people switch on their computers on Monday if their IT has not been updated and their security systems patched over the weekend.
There are also many other strains of ransomware which cyber-security experts say they are seeing being given new leases of life.
In the UK, the NHS was hit hard, but by Saturday morning the majority of the 48 affected health trusts in England had their machines back in operation. The NHS has not yet revealed what steps it took.
The malware has not proved hugely profitable for its owners so far. The wallets set up to receive ransom payments - $300 (£230) in virtual currency Bitcoin was demanded for each infected machine - contained about $30,000 when seen by the BBC. This suggests that most victims have not paid up.
Is my computer at risk?
The WannaCry virus infects only machines running Windows operating systems. If you do not update Windows, and do not take care when opening and reading emails, then you could be at risk.
However, home users are generally believed to be at low risk to this particular strain.
You can protect yourself by running updates, using firewalls and anti-virus software and by being wary when reading emailed messages.
Regularly back up your data so you can restore files without having to pay up should you be infected, as there is no guarantee that paying the ransom will result in your files being unlocked.
The UK's National Cyber Security Centre website contains advice on how to apply the patch to stop the ransomware - MS17-010 - and what to do if you can't.
How did the attack spread so fast?
The culprit is malware called WannaCry and seems to have spread via a computer virus known as a worm.
Unlike many other malicious programs, this one has the ability to move around a network by itself. Most others rely on humans to spread by tricking them into clicking on an attachment harbouring the attack code.
Once WannaCry is inside an organisation, it will hunt down vulnerable machines and infect them too. This perhaps explains why its impact is so public - because large numbers of machines at each victim organisation are being compromised.
It has been described as spreading like the vomiting bug norovirus.
Why weren't people protected?
In March, Microsoft issued a free patch for the weakness that has been exploited by the ransomware. WannaCry seems to be built to exploit a bug found by the US National Security Agency.
When details of the bug were leaked, many security researchers predicted it would lead to the creation of self-starting ransomware worms. It may, then, have taken only a couple of months for malicious hackers to make good on that prediction.
It was originally thought that a number of victims were using Windows XP, a very old version of the Windows operating system that is no longer supported by Microsoft.
However, according to cyber-security expert Alan Woodward, from Surrey University, the latest statistics suggest this figure is actually very small.
Large organisations have to test that security patches issued by the provider of their operating systems will not interfere with the running of their networks before they are applied, which can delay them being installed quickly.
Who was behind the attack?
It's not yet known, but some experts are saying that it was not particularly sophisticated malware. The "kill switch" that stopped it spreading - accidentally discovered by a security researcher - may have been intended to stop the virus working if captured and put in what's called a sandbox - a safe place where security experts put computer malware to watch what they do - but not applied properly.
Ransomware has been a firm favourite of cyber-thieves for some time as it lets them profit quickly from an infection. They can cash out easily thanks to the use of the Bitcoin virtual currency, which is difficult to trace.
However it's unusual for an expert criminal gang to use so few Bitcoin wallets to collect their ransom demands - as in this case - as the more wallets there are, the more difficult the gang is to trace.
Global cyber-attack: Security blogger halts ransomware 'by accident'
A UK security researcher has told the BBC how he "accidentally" halted the spread of the malicious ransomware that has affected hundreds of organisations, including the UK's NHS.
The 22-year-old man, known by the pseudonym MalwareTech, had taken a week off work, but decided to investigate the ransomware after hearing about the global cyber-attack.
He managed to bring the spread to a halt when he found what appeared to be a "kill switch" in the rogue software's code.
"It was actually partly accidental," he told the BBC, after spending the night investigating. "I have not slept a wink."
Although his discovery did not repair the damage done by the ransomware, it did stop it spreading to new computers, and he has been hailed an "accidental hero".
"I would say that's correct," he told the BBC.
Cyber-attack scale 'unprecedented'
NHS 'robust' after cyber-attack
"The attention has been slightly overwhelming. The boss gave me another week off to make up for this train-wreck of a vacation."
What exactly did he discover?
The researcher first noticed that the malware was trying to contact a specific web address every time it infected a new computer.
But the web address it was trying to contact - a long jumble of letters - had not been registered.
MalwareTech decided to register it, and bought it for $10.69 (£8). Owning it would let him see where computers were accessing it from, and give him an idea of how widespread the ransomware was.
Owning the web address let MalwareTech monitor where infections were happening
By doing so, he unexpectedly triggered part of the ransomware's code that told it to stop spreading.
This type of code is known as a "kill switch", which some attackers use to halt the spread of their software if things get out of hand.
He tested his discovery and was delighted when he managed to trigger the ransomware on demand.
"Now you probably can't picture a grown man jumping around with the excitement of having just been 'ransomwared', but this was me," he said in a blog post.
MalwareTech now thinks the code was originally designed to thwart researchers trying to investigate the ransomware, but it backfired by letting them remotely disable it.
Does this mean the ransomware is defeated?
While the registration of the web address appears to have stopped one strain of the ransomware spreading from device-to-device, it does not repair computers that are already infected.
Security experts have also warned that new variants of the malware that ignore the "kill switch" will appear.
"This variant shouldn't be spreading any further, however there'll almost certainly be copycats," said security researcher Troy Hunt in a blog post.
MalwareTech warned: "We have stopped this one, but there will be another one coming and it will not be stoppable by us.
"There's a lot of money in this, there is no reason for them to stop. It's not much effort for them to change the code and start over.
Ransomware is a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology that blocks access to data until a ransom is paid and displays a messagerequesting payment to unlock it. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse. More advanced malware encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.The ransomware may also encrypt the computer's Master File Table (MFT) or the entire hard drive.[Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files[ since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file.
What does ransomware do?
There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.
They can target any PC users, whether it’s a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider.
• Prevent you from accessing Windows.
• Encrypt files so you can't use them.
• Stop certain apps from running (like your web browser).
Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files. We have also seen them make you complete surveys.
There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.
Details for home users
There are two types of ransomware – lockscreen ransomware and encryption ransomware.
Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.
Encryption ransomware changes your files so you can’t open them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.
Older versions of ransom usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.
These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.
Newer versions encrypt the files on your PC so you can’t access them, and then simply demand money to restore your files.
Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:
• Visiting unsafe, suspicious, or fake websites.
• Opening emails and email attachments from people you don’t know, or that you weren’t expecting.
• Clicking on malicious or bad links in emails, Facebook, Twitter, and other social media posts, instant messenger chats, like Skype.
It can be very difficult to restore your PC after a ransomware attack – especially if it’s infected by encryption ransomware.
That’s why the best solution to ransomware is to be safe on the Internet and with emails and online chat:
• Don’t click on a link on a webpage, in an email, or in a chat message unless you absolutely trust the page or sender.
• If you’re ever unsure – don’t click it!
• Often fake emails and webpages have bad spelling, or just look unusual. Look out for strange spellings of company names (like “PayePal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunesCustomer Service” instead of “iTunes Customer Service”).
Check our frequently asked questions for more information about ransomware, including troubleshooting tips in case you’re infected, and how you can backup your files to help protect yourself from ransomware.
Details for enterprises and IT professionals
The number of enterprise victims being targeted by ransomware is increasing. Usually, the attackers specifically research and target a victim (similar to whale-phishing or spear-phishing – and these in fact may be techniques used to gain access to the network).
The sensitive files are encrypted, and large amounts of money are demanded to restore the files. Generally, the attacker has a list of file extensions or folder locations that the ransomware will target for encryption.
Due to the encryption of the files, it can be practically impossible to reverse-engineer the encryption or “crack” the files without the original encryption key – which only the attackers will have access to.
The best advice for prevention is to ensure company-confidential, sensitive, or important files are securely backed up in a remote, un-connected backup or storage facility.