The fallout from an unprecedented global cyberattack which has hit more than 200,000 victims could worsen as people return to work, European and British policing and security agencies warned.
An international manhunt was under way for the plotters behind the world’s biggest-ever computer ransom assault which has affected more than 150 countries.
The indiscriminate attack, which began Friday, struck banks, hospitals and government agencies, exploiting known vulnerabilities in old Microsoft computer operating systems.
US package delivery giant FedEx, European car factories, Spanish telecoms giant Telefonica, Britain’s health service and Germany’s Deutsche Bahn rail network were among those hit.
Europol executive director Rob Wainwright said the situation could worsen on Monday when workers return to their offices after the weekend and log on. “We’ve never seen anything like this,” the head of the European Union’s policing agency told Britain’s ITV television, calling its reach “unprecedented”.
Wainwright described the cyberattack as an “escalating threat”. “I’m worried about how the numbers will continue to grow when people go to work and turn on their machines on Monday,” he said.
The warning was echoed by Britain’s National Cyber Security Centre: “As a new working week begins it is likely, in the UK and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale.”
The 5,500-strong Renault factory in Douai, northern France, one of the most important car plants in the country, will not open on Monday due to the attack, sources said.
Images appear on victims’ screens demanding payment of USD 300 (275 euros) in the virtual currency Bitcoin, saying: “Ooops, your files have been encrypted!”
Payment is demanded within three days or the price is doubled, and if none is received within seven days the locked files will be deleted, according to the screen message.
Bitcoin, the world’s most-used virtual currency, allows anonymous transactions via heavily encrypted codes.
Experts and governments alike warn against ceding to the demands and Wainwright said few victims so far had been paying up.
Yesterday, security firm Digital Shadows said that transactions totalling USD 32,000 had taken place through Bitcoin addresses used by the ransomware.
The culprits used a digital code believed to have been developed by the US National Security Agency — and subsequently leaked as part of a document dump, according to researchers at the Moscow-based computer security firm Kaspersky Lab.
Microsoft slams US government
Microsoft on Sunday pinned blame on the US government for not disclosing more software vulnerabilities.
In a blog post on Sunday, Microsoft President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: The ransomware attack leveraged a hacking tool, built by the U.S. National Security Agency, that leaked online in April.
“This is an emerging pattern in 2017,” Smith wrote. “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.”
He also poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret - in order to conduct espionage and cyber warfare - against sharing those flaws with technology companies to better secure the internet.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Smith wrote. He added that governments around the world should “treat this attack as a wake-up call” and “consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
Australia and New Zealand largely escape
Australia and New Zealand appeared to have escaped largely unscathed as they woke up for their first business day since a massive ransomware worm hit thousands of computer systems around the world, disrupting operations at hospitals, shops and schools.
Cyber Security Minister Dan Tehan said on Monday that just three businesses had been hit by the bug, despite worries of widespread infection. There were no reported cases in New Zealand. “At this stage, it does seem like that we have missed the major impact of this ransomware incident,” Tehan said on Australian Broadcasting Corp radio.
Cyber security experts in the United States and Europe said the spread had slowed on Sunday, but warned the respite might be brief amid fears it could cause new havoc on Monday when employees return to work. New versions of the worm are expected, the experts said, and the extent - and economic cost - of the damage from Friday's attack were unclear.
In Australia, Alistair MacGibbon, special advisor to Prime Minister Malcolm Turnbull on Cyber Security, said some small businesses would likely be hit “but as a whole of nation we can be confident, so far, that we have missed the worst of this.”
“We have seen no impact on our critical infrastructure, we have seen no impact in the health systems which is important, we have had no reports of any government agencies, state, territories or commonwealth impacted by this,” MacGibbon said.
Tehan declined to provide details on the three affected companies, but said the first Australian company reported as hit was not “a government organisation or a hospital or anything like that.”
In New Zealand, the Government Communications Security Bureau said it had not received any reports of the malware infection. The bureau had raised its cyber security of critical infrastructure, government departments and key businesses, it added.
MacGibbon said it was still not known how the virus had originated and then spread, although it was likely the transmission included email.
European, Asian companies short on cyber insurance
Many companies outside the United States may not have cover for a recent computer-system attack, leaving them potentially with millions of dollars of losses because there has been relatively little take-up of cyber insurance, insurers say.
Nearly nine out 10 cyber insurance policies in the world are in the United States, according to Kevin Kalinich, global head of Aon Plc's cyber risk practice. The annual premium market stands at $2.5-$3 billion.
The biggest reason for the larger penetration in the United States, says Bob Parisi, U.S. cyber product leader for insurance broker Marsh, “is that the U.S. has been living with state breach notification laws for the past 10 years.”
The greater transparency created an incentive for U.S. companies to get insurance to compensate for damage from incidents they were required to report. An upcoming European Union directive is expected to have the same impact there.
Companies that were not prepared for WannaCry can expect to rack up business interruption costs that far exceed a ransomware payment, said Kalinich. “If youre a hospital that turned away patients, if you're a global delivery company that can't send package, or a telecom company in Spain, Russia or China, the financial statement impact from the business interruption is much larger than the $300 ransomware,” he said.
Organisations hit by the attacks, which lock up computer systems until the victims pay a ransom, included Britain's National Health Service, French car manufacturer Renault , and Spain's Telefonica.
Sources close to Telefonica said the company had insurance to cover the attacks but it was too soon to estimate the economic impact.
Renault and the NHS did not respond to requests for comment.
West Coast cyber risk modelling firm Cyence estimated the average individual ransom cost from Friday's attacks at $300, and the total economic costs from interruption to business at $4 billion.
The U.S. Cyber Consequences Unit, a non-profit research institute that advises governments and businesses on the costs of cyber attacks, estimated more modest total losses. They were likely to range in the hundreds of millions of dollars, and unlikely to exceed $1 billion, the group forecast.
High margin business
A typical cyber insurance policy will protect companies against extortion like ransomware attacks, which insurers say have spiked in the past 18 months. It would cover the investigation costs and also pay the ransom, according to Parisi.
But there are caveats. Companies that did not download a Microsoft patch issued in March to protect users from vulnerabilities may be out of luck, since many cyber policies exclude coverage in such an instance.
Companies using pirated software are also unlikely eligible for an insurance payout, Kalinich said.
Most cyber insurance policies cover breaches of up to $50 million, with much of the losses related to the interruption of the firms' business, Parisi said. Some policies can cover losses for as much as $500-600 million.
Cyber insurance policies also typically cover the cost of notifying those whose data has been breached, hiring a PR agency to address reputational damage and arranging credit monitoring for those affected, as well as potential legal suits.
It is a high-margin business. Insurer Sciemus, for example, has previously said it charges around $100,000 for $10 million in data breach insurance and as much as seven times that to cover attacks causing physical damage.
Other providers include Allianz, AIG, Chubb and Zurich as well as Lloyds' of London insurers such as Beazley and Hiscox.
Demand to rise
Even before the weekend attacks, demand in Europe was expected to rise after an EU directive is implemented in mid-2018 requiring companies to notify authorities of a data breach.
With strong competition and uncertainty as to how many of the losses over the weekend were insured, the impact on insurance premiums, however, may be muted.
Insurers are likely to more carefully scrutinize risks they take on as well as how they word policies and exclusions, Kalinich said.
“They will want to pick the companies that are most prepared,” Kalinich said. Other firms might be eligible for coverage, but more exclusions may apply, he said.
For example, insurers may seek to deny coverage if companies pay the ransom without contacting their insurers first, he said.
“There are really important intricacies. You could end up losing a couple million dollars.”