‘It Was Chaos’: Here’s How Ransomware Victims Were Affected By The Massive Hack

“It was chaos,” a receptionist working the night shift at Jakarta’s Dharmais Hospital, Indonesia’s biggest cancer center, tells Fast Company. “There were 150-200 people waiting for hours and getting more impatient, waiting for their appointments. Some of them were crying.” He was just one of hundreds of thousands of people around the world at hospitals, universities, and businesses large and small who were affected by the global ransomware attack that struck computers in at least 150 countries and at its peak even forced hospitals to turn away ambulances.

“Our focus is getting our systems back up and making sure our patients don’t lose out,” says Peter Gibson, a spokesperson for the East and North Hertfordshire National Health Service Trust in the U.K., which on Monday told patients to only visit its Lister Hospital emergency unit “if it is absolutely essential or you are concerned.”

The trust was one of at least 48 regional public medical groups in the U.K. affected by malware that has struck more than 200,000 victims around the globe since Friday, spreading rapidly through a security hole in Microsoft operating systems that was revealed in a set of NSA files. The cyber attack, known as “WannaCrypt”
or “WannaCry,” encrypted files on affected computers and demanded a ransom of at least $300 be paid in bitcoin in order to access their contents, disrupting services everywhere from Chinese gas stations to Indian police departments. There’s no sign that the malware copied any data, and U.K. health systems and other affected organizations say that customer data wasn’t stolen.

Computers in Europe and Asia were particularly hard hit by the malware, which saw its spread disrupted when a security researcher registered an internet domain that acted as a “kill switch” to disable the attack code. But that didn’t help organizations that had already been struck by the malware, which led U.K. hospital operators including London’s Barts Health NHS Trust to redirect ambulances to other hospitals throughout the weekend.

“We are no longer diverting ambulances from any of our hospitals,” the trust said in a Monday statement. “Trauma and stroke care is also now fully operational. However, we continue to experience IT disruption and we are very sorry for any delays and cancellations that patients have experienced.”

“We’re not infected, but we are affected, because we’ve had to turn our computers off as a precautionary measure,” says Danny Hudson, a spokesman for the Sherwood Forest Hospitals NHS Foundation Trust. The move led to four operations being cancelled, and three outpatient clinics closed over the weekend, though services were restored by Monday, according to the hospital system.

The attack forced shutdowns at other types of businesses as well, including at European auto manufacturing plants run by carmakers Nissan and Renault.

“We took protective measures to immediately stop the spread of the virus and protect the [company],” says a spokesperson for Renault. “It included temporary suspension of industrial activities on some of our sites, depending on situations.”

The spokesperson didn’t have a full count of the number of sites affected, and the company had not yet computed the cost of the downtime or restoration efforts Monday. All but one plant had been restarted Monday, with the holdout in the French town of Douai set to resume operations Tuesday.

“We had some production impact, but we will make things happen in order to deliver [to] our customers on time,” the spokesperson said.

The attack also visibly struck the German railroad Deutsche Bahn, Europe’s largest train operator. While company spokesperson Lutz Müller emphasized in an email to Fast Company that train services weren’t affected and “there have not been any security risks for both our passengers and our staff,” the malware did disable some ticket machines and digital schedule boards at German rail stations. Photos of railroad monitors displaying digital ransom notes atop arrivals and departures were shared on social media over the weekend, and Müller says Deutsche Bahn deployed additional personnel to assist passengers while the systems were down.

“We are currently working hard to get all our displays running again, but this will take a few days,” he writes, adding that the railroad’s apps, website, and phone lines are working normally.

Fewer systems in the Americas appeared to be affected, though delivery giant FedEx was notably impacted, leading it to suspend money-back guarantees for FedEx Express packages slated for Saturday delivery.

“FedEx experienced interference with some of our systems which caused disruptions to the FedEx Express Memphis Hub sort operations,” the company said Saturday. “We immediately implemented contingency plans to minimize the impact to our customers. We regret any inconvenience this has caused.”

The Memphis Commercial Appeal, the company’s hometown newspaper, reported that more than 100 FedEx flights appeared to be delayed during the busy Mother’s Day weekend, but by Monday the company said systems had returned to normal.

“FedEx has resumed normal operations and systems are performing as designed,” a spokesperson said via email on Monday, declining to comment on the extent of the weekend disruption.

The Canadian Broadcasting Corporation also reported that Lakeridge Health, a large Ontario hospital, was struck by the malware. The hospital didn’t respond to multiple requests for comment from Fast Company Monday, and the CBC reported that the hospital was able to restore affected computers without an impact to patient treatment.

Universities across the globe were also affected by the attack, including China’s flagship Peking and Tsinghua universities. The Massachusetts Institute of Technology’s IT department warned in a Friday tweet that the ransomware was “affecting MIT folks,” though MIT officials didn’t respond to multiple requests Monday for further details. And Britain’s University of Cambridge also shut down some systems after detecting attempted attacks from the malware, according to a student newspaper, though the university said Monday no systems were ultimately infected.

“The University will continue to monitor developments closely,” a spokesperson said.

A ransomware spreading in the lab at the university pic.twitter.com/8dROVXXkQv

— １２Ｂ (@dodicin) May 12, 2017

The University of Milano-Bicacco also saw four computers in a student computer lab infected with the malware, and a photo of the machines was widely circulated on social media. But the ransomware was removed without any lasting damage, and the rest of the 120 computers in the lab were unaffected, wrote associate professor Claudio Ferretti in an email to Fast Company.

“All the machines in the didactic laboratories normally are replicas of a single image, with no personal/single student data, and therefore no data was lost and the infected machines where immediately restored from the common clean image,” he wrote.

Cybersecurity experts also continued to warn Monday that computers running versions of Windows prior to Windows 10 that haven’t been updated to fix the vulnerability could still fall victim to copycat attacks. Experts urged anyone who had not yet installed Microsoft’s security fixes, issued in March, to do so immediately. Microsoft released patches over the weekend for older, unsupported versions of Windows, including Windows XP, in an unusual move for the company. And Microsoft president Brad Smith critiqued the NSA and other spy agencies for “stockpiling” vulnerabilities that can be leaked to do damage.

The identity of who was behind the malware apparently still remained unknown on Monday. Russia, widely blamed for recent hacks on government agencies and political parties around the world, denied responsibility, reporting that about 1,000 computers in the country’s Interior Ministry were struck by the attack. About $56,000 in ransom was sent to bitcoin addresses associated with the malware, a number that trickled upward throughout Monday, according to bitcoin security firm Elliptic. It was unclear, though, whether the software’s creators would be able to claim the bounty without identifying themselves.

Experts still warned that creators of the original malware, or independent hackers, could tweak the code to allow the attack to continue despite the “kill switch” domain.

“Companies should issue a special alert to employees today to be especially careful with opening emails and attachments even if they know the person sending the email,” said Michael Patterson, CEO of security firm Plixer, in a Monday statement. “This ransomware is evolving and there may be more to this as the week continues.”

Additional reporting by Marcus Baram
This story has been updated