Saturday, May 13, 2017

It Looks Like Someone Else Might Be Using Your Account | Hotmail Support UK

There's like 100 people using my account. 





It Looks Like Someone Else Might Be Using Your Account

If you log in to your Hotmail account and you get a message saying 'It looks like someone else might be using your account', then it is a sign that your Hotmail account has been hacked.

You will not get this message if you access the Hotmail account on multiple devices.

Instead, this message only comes up when someone has accessed your Hotmail account from outside your native country and they have sent out lots of spam emails from your Hotmail account.

These hackers will sometimes also send out emails to your contacts stating that you are stranded in a remote island and that you need money.

The message 'It looks like someone else might be using your account' will look a bit like the picture below:

[Image: the 'It looks like someone else might be using your account' message]

If you notice any of the above with your Hotmail account, please contact us for Hotmail Support.

Causes:

  1. You clicked on a malicious link in an email. We have noticed emails which say 'Whats App' or 'Private Message' to be the cause of this problem.
  2. If your computer has malware infections which are capable of stealing passwords, then this problem can occur. Even if you have virus protection software on the computer, the problem can still occur, since there is nothing in this world which is capable of giving 100% protection against all infections.
  3. One of the most common causes of the problem is phishing. You have entered your password on a phishing website which appeared to be a genuine Hotmail website. Your password gets stolen and is then used by the hacker to hack into your Hotmail account.
  4. You use the same password for all accounts on all websites. This may result in one of your passwords being stolen and the hacker getting hold of your Hotmail account with the help of that same password.

What's Next?

Please contact us for Hotmail Support if you are getting the message saying It looks like someone else might be using your account.



Data breach notification fatigue: Do consumers (eventually) tune out? | CSO Online

Data breach notification fatigue: Do consumers (eventually) tune out?

Data breach notifications are flying en masse following the Epsilon Interactive breach, but are they doing customers any good?

Earlier this month more than 50 companies were involved in a massive heist of names and email addresses from Epsilon Interactive. With millions of customers of companies such as Best Buy, Brookstone, Dell, Marriott and many others affected, the question is being raised: are so many breach notifications from so many companies numbing their impact?

As for the breach that started it all for Epsilon, it's becoming an all-too-common story: employees were spear-phished with emails that linked to a malicious web site, or contained an attachment designed to infect end points with malware. Once a foothold was established, the attackers moved in on what they were after. Such attack techniques have been behind, among many other incidents, the now infamous Operation Aurora and recent RSA Security breach.

The Epsilon breach is relatively tame by breach standards. As far as we know, no Social Security numbers, financial account numbers or even physical street addresses were stolen: only name, email address, and the knowledge of where that customer had a business relationship. What worries experts now is that customers will become targeted themselves by spear-phishing attacks.

Gartner analyst Avivah Litan told CSOOnline that the banks -- Barclays Bank of Delaware, CapitalOne, Citibank, JPMorgan Chase, TD Ameritrade, and others -- are "freaking out" over the breach.

Now, with a breach that in all likelihood involved millions of notifications, will people pay attention or will they receive so many breach notifications that they tune out?

"The Epsilon breach resulted in many consumers receiving multiple notifications, almost exclusively by email, that systems storing emails may have been compromised and that they shouldn't trust emails. There is a lot of irony in that," says Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation. "Then there is the idea of notification fatigue. People get these notices and they wonder what they can do about it. The frank answer is there is nothing they can do about it."

But Rafal Los, security evangelist at HP Software, says the notices have built considerable awareness around the dangers of phishing attacks.

"People not only see these notifications, but it's made the headlines of national newspapers and has been all over the TV. It's helping to tune people in to the fact that they may be targeted in their email boxes," he says. "And following this email breach those concerns are real."

Gartner analyst John Pescatore classifies breach notifications into two camps: those where nothing happens to those notified, and the notifications where bad stuff does happen. "There is definite notification fatigue happening on the former. For example, there has never actually been a publicly acknowledged customer account compromise due to a lost backup tape, but there were scads of notifications," he says. "But, I think more importantly, there are two reasons for requiring breach notifications: First, to give the information into how well or how badly companies are protecting their information. Second, to give the owners of the companies an incentive to want to minimize how often they have to issue press releases saying 'dear customers, we lost your sensitive information.' Both of those are really good things, worth some notification fatigue."

Still, others think that all of the breach notifications regarding names and email addresses are not doing anyone any good. "I certainly think it's a mistake," says Rasch. "It's not that I think corporations should conceal these incidents. When it's a name and email address the statutes don't require a notification. But that's not why I think that they shouldn't do it. They shouldn't do it because it's not helpful."

George V. Hulme writes about security and technology from his home in Minneapolis. He hasn't opened any email since the Epsilon breach went public. But you can still find him on Twitter at @georgevhulme.


Massive ransomware cyber-attack hits nearly 100 countries around the world | Technology | The Guardian

Massive ransomware cyber-attack hits nearly 100 countries around the world

More than 45,000 attacks recorded in countries including the UK, Russia, India and China may have originated with theft of 'cyber weapons' from the NSA

The attack hit England's National Health Service (NHS) on Friday, locking staff out of their computers and forcing some hospitals to divert patients.

A ransomware cyber-attack that may have originated from the theft of "cyber weapons" linked to the US government has hobbled hospitals in England and spread to countries across the world.

Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 99 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.

By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.

Markus Jakobsson, chief scientist with security firm Agari, said that the attack was "scattershot" rather than targeted.

"It's a very broad spread," Jakobsson said, noting that the ransom demand is "relatively small".

"This is not an attack that was meant for large institutions. It was meant for anyone who got it."

MalwareHunterTeam (@malwrhunterteam)

Fresh IDR based heatmap for WanaCrypt0r 2.0 ransomware (WCry/WannaCry).
Also follow @MalwareTechBlog's tracker: https://t.co/mjFwsT3JzH pic.twitter.com/SPeZfBpckm

May 12, 2017

The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of "cyber weapons" from the National Security Agency (NSA). At the time, there was skepticism about whether the group was exaggerating the scale of its hack.

On Twitter, whistleblower Edward Snowden blamed the NSA.

"If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened," he said.

"It's very easy for someone to say that, but the reality is the US government isn't the only one that has a stockpile of exploits they are leveraging to protect the nation," said Jay Kaplan, CEO of Synack, who formerly worked at the NSA.

"It's this constant tug of war. Do you let intelligence agencies continue to take advantage of vulnerabilities to fight terrorists or do you give it to the vendors and fix them?"

The NSA is among many government agencies around the world to collect cyber weapons and vulnerabilities in popular operating systems and software so they can use them to carry out intelligence gathering or engage in cyberwarfare. The agency did not immediately respond to a request for comment.

Ransomware is a type of malware that encrypts a user's data, then demands payment in exchange for unlocking the data. This attack used malicious software called "WanaCrypt0r 2.0" or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.

"This was eminently predictable in lots of ways," said Ryan Kalember from cybersecurity firm Proofpoint. "As soon as the Shadow Brokers dump came out everyone [in the security industry] realized that a lot of people wouldn't be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch."

The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the "payment will be raised" after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.

"Attacks with language support show a progressive increase of the threat level," Jakobsson said.

"The attack against the NHS demonstrates that cyber-attacks can quite literally have life and death consequences," said Mike Viscuso, chief technology officer of security firm Carbon Black. "When patients' lives are at stake, there is no time for finger pointing but this attack serves as an additional clarion call that healthcare organizations must make cybersecurity a priority, lest they encounter a scenario where lives are risked."

Ransomware attacks are on the rise. Security company SonicWall, which studies cyberthreats, saw ransomware attacks rise 167 times in 2016 compared to 2015.

"Ransomware attacks everyone, but industry verticals that rely on legacy systems are especially vulnerable," said Dmitriy Ayrapetov, executive director at SonicWall.

A Los Angeles hospital paid $17,000 in bitcoin to ransomware hackers last year, after a cyber-attack locked doctors and nurses out of their computer system for days.

Jakub Kroustek (@JakubKroustek)

36,000 detections of #WannaCry (aka #WanaCypt0r aka #WCry) #ransomware so far. Russia, Ukraine, and Taiwan leading. This is huge. pic.twitter.com/EaZcaxPta4

May 12, 2017

Jakobsson said that the concentration of the attack in Russia suggested that the attack originated in Russia. Since the malware spreads by email, the level of penetration in Russia could be a sign that the criminals had access to a large database of Russian email addresses.

However, Jakobsson warned that the origin of the attack remains unconfirmed.



What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS? | Technology | The Guardian


What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS?

Malicious software has attacked computers across the NHS and companies in Spain, Russia, the Ukraine and Taiwan. What is it and how is it holding data to ransom?

What is ransomware, how does it work, how does it spread and why is it attacking the NHS?

'WanaCrypt0r 2.0' malicious software has hit the NHS, some of Spain's largest companies including Telefónica, as well as computers across Russia, the Ukraine and Taiwan, leading to PCs and data being locked up and held for ransom.

The ransomware uses a vulnerability first revealed to the public as part of a leaked stash of NSA-related documents in order to infect Windows PCs and encrypt their contents, before demanding payments of hundreds of dollars for the key to decrypt files.

The co-ordinated attack had managed to infect large numbers of computers across the health service less than six hours after it was first noticed by security researchers, in part due to its ability to spread within networks from PC to PC.

The ransomware has already caused hospitals across England to divert emergency patients – but what is it, how does it spread and why is this happening in the first place?

What is ransomware?

Ransomware is a particularly nasty type of malware that blocks access to a computer or its data and demands money to release it.

How does it work?

When a computer is infected, the ransomware typically contacts a central server for the information it needs to activate, and then begins encrypting files on the infected computer with that information. Once all the files are encrypted, it posts a message asking for payment to decrypt the files – and threatens to destroy the information if it doesn't get paid, often with a timer attached to ramp up the pressure.

How does it spread?

Most ransomware is spread hidden within Word documents, PDFs and other files normally sent via email, or through a secondary infection on computers already affected by viruses that offer a back door for further attacks.

MalwareHunterTeam (@malwrhunterteam)

There is a new version of WCry/WannaCry ransomware: "WanaCrypt0r 2.0".
Extension: .WNCRY
Note: @Please_Read_Me@.txt
@BleepinComputer pic.twitter.com/tdq0OBScz4

May 12, 2017

What is WanaCrypt0r 2.0?

The malware that has affected Telefónica in Spain and the NHS in Britain is the same software: a piece of ransomware first spotted in the wild by security researchers MalwareHunterTeam, at 9:45am on 12 May.

Less than four hours later, the ransomware had infected NHS computers, albeit originally only in Lancashire, and spread laterally throughout the NHS's internal network. It is also being called Wanna Decryptor 2.0, WCry 2, WannaCry 2 and Wanna Decryptor 2.

How much are they asking for?

WanaCrypt0r 2.0 is asking for $300 worth of the cryptocurrency Bitcoin to unlock the contents of the computers.

Myles Longfield (@myleslongfield)

Shocking that our @NHS is under attack and being held to ransom. #nhscyberattack pic.twitter.com/1bcrqD9vEz

May 12, 2017

Who are they?

The creators of this piece of ransomware are still unknown, but WanaCrypt0r 2.0 is their second attempt at cyber-extortion. An earlier version, named WeCry, was discovered back in February this year: it asked users for 0.1 bitcoin (currently worth $177, but with a fluctuating value) to unlock files and programs.

How is the NSA tied in to this attack?

Once one user has unwittingly installed this particular flavour of ransomware on their own PC, it tries to spread to other computers in the same network. In order to do so, WanaCrypt0r uses a known vulnerability in the Windows operating system, jumping between PC and PC. This weakness was first revealed to the world as part of a huge leak of NSA hacking tools and known weaknesses by an anonymous group calling itself "Shadow Brokers" in April.

Was there any defence?

Yes. Shortly before the Shadow Brokers released their files, Microsoft issued a patch for affected versions of Windows, ensuring that the vulnerability couldn't be used to spread malware between fully updated versions of its operating system. But for many reasons, from lack of resources to a desire to fully test new updates before pushing them out more widely, organisations are often slow to install such security updates on a wide scale.

Who are the Shadow Brokers? Were they behind this attack?

In keeping with almost everything else in the world of cyberwarfare, attribution is tricky. But it seems unlikely that the Shadow Brokers were directly involved in the ransomware strike: instead, some opportunist developer seems to have spotted the utility of the information in the leaked files, and updated their own software accordingly. As for the Shadow Brokers themselves, no-one really knows, but fingers point towards Russian actors as likely culprits.

Will paying the ransom really unlock the files?

Sometimes paying the ransom will work, but sometimes it won't. For the Cryptolocker ransomware that hit a few years ago, some users reported that they really did get their data back after paying the ransom, which was typically around £300. But there's no guarantee paying will work, because cybercriminals aren't exactly the most trustworthy group of people.

There are also a collection of viruses that go out of their way to look like ransomware such as Cryptolocker, but which won't hand back the data if victims pay. Plus, there's the ethical issue: paying the ransom funds more crime.

What else can I do?

Once ransomware has encrypted your files there's not a lot you can do. If you have a backup of the files you should be able to restore them after cleaning the computer, but if not your files could be gone for good.

Some badly designed ransomware, however, has been itself hacked by security researchers, allowing recovery of data. But such situations are rare, and tend not to apply in the case of widescale professional hits like the WanaCrypt0r attack.

How long will this attack last?

Ransomware often has a short shelf life. As anti-virus vendors cotton on to new versions of the malware, they are able to prevent infections originating and spreading, leading to developers attempting "Big Bang" introductions like the one currently underway.

Will they get away with it?

Bitcoin, the payment medium through which the hackers are demanding payment, is difficult to trace, but not impossible, and the sheer scale of the attack means that law enforcement in multiple countries will be looking to see if they can follow the money back to the culprits.

Why is the NHS being targeted?

The NHS does not seem to have been specifically targeted, but the service is not helped by its reliance on old, unsupported software. Many NHS trusts still use Windows XP, a version of Microsoft's operating system that has not received publicly available security updates for half a decade, and even those which are running on newer operating systems are often sporadically maintained. For an attack which relies on using a hole fixed less than three months ago, just a slight oversight can be catastrophic.

Attacks on healthcare providers across the world are at an all-time high as they contain valuable private information, including healthcare records.



'Accidental hero' halts ransomware attack and warns: this is not over | Technology | The Guardian

'Accidental hero' halts ransomware attack and warns: this is not over

Expert who stopped spread of attack by activating software's 'kill switch' says criminals will 'change the code and start again'

The "accidental hero" who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.

The ransomware used in Friday's attack wreaked havoc on organisations including FedEx and Telefónica, as well as the UK's National Health Service (NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.

But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a "kill switch" in the malicious software.

The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who lives with his parents and works for Kryptos Logic, an LA-based threat intelligence company.

"I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit," he told the Guardian. "I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time."

The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.

MalwareTech explained that he bought the domain because his company tracks botnets, and by registering these domains they can get an insight into how the botnet is spreading. "The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain," he said. But the following hours were an "emotional rollercoaster".

"Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realised it was actually the other way around and we had stopped it," he said.

MalwareTech said he preferred to stay anonymous "because it just doesn't make sense to give out my personal information, obviously we're working against bad guys and they're not going to be happy about this."

He also said he planned to hold onto the URL, and he and colleagues were collecting the IPs and sending them off to law enforcement agencies so they can notify the infected victims, not all of whom are aware that they have been affected.

He warned people to patch their systems, adding: "This is not over. The attackers will realise how we stopped it, they'll change the code and then they'll start again. Enable windows update, update and then reboot."

He said he got his first job out of school without any real qualifications, having skipped university to start up a tech blog and write software.

"It's always been a hobby to me, I'm self-taught. I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. I've been working there a year and two months now."

But the dark knight of the dark web still lives at home with his parents, which he joked was "so stereotypical". His mum, he said, was aware of what had happened and was excited, but his dad hadn't been home yet. "I'm sure my mother will inform him," he said.

"It's not going to be a lifestyle change, it's just a five-minutes of fame sort of thing. It is quite crazy, I've not been able to check into my Twitter feed all day because it's just been going too fast to read. Every time I refresh it it's another 99 notifications."

Proofpoint's Ryan Kalember said the British researcher gets "the accidental hero award of the day". "They didn't realise how much it probably slowed down the spread of this ransomware".

The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organisations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.

The kill switch won't help anyone whose computer is already infected with the ransomware, and it's possible that there are other variants of the malware with different kill switches that will continue to spread.
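
As an added illustration (not part of the Guardian article), the sketch below triages a network's own DNS resolver log for machines that looked up the kill-switch domain, since any such lookup marks a suspected infection. The log format, the placeholder domain (the article does not print the real one), the priority labels and the use of DNS resolution as a stand-in for the "domain is live" check are all assumptions made for the example.

```python
"""Triage hosts that looked up a ransomware kill-switch domain (added example)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Placeholder: the article does not print the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver log in an assumed format:
#   <ISO timestamp> <client IP> <query name> <response code>
SAMPLE_LOG = """\
2017-05-12T15:02:11 10.0.4.17 killswitch-placeholder.example. NXDOMAIN
2017-05-12T15:02:40 10.0.4.17 KILLSWITCH-PLACEHOLDER.EXAMPLE NXDOMAIN
2017-05-12T15:03:05 10.0.9.8 intranet.corp.example NOERROR
2017-05-12T18:21:54 10.0.4.23 killswitch-placeholder.example NOERROR
2017-05-12T18:30:02 10.0.7.41 killswitch-placeholder.example REFUSED
2017-05-12T18:31:00 10.0.4.17 killswitch-placeholder.example NOERROR
this line is malformed and must be skipped
2017-05-12T19:00:00 10.0.9.8 notkillswitch-placeholder.example NOERROR
"""


@dataclass
class HostRecord:
    ip: str
    first_seen: datetime
    last_seen: datetime
    lookups: int = 0
    failed: int = 0  # lookups that did not resolve (NXDOMAIN, REFUSED, ...)

    @property
    def priority(self) -> str:
        # A failed lookup means the domain did not look live to this host, so
        # the kill switch cannot have taken effect on that run. Every host in
        # the report is a suspected infection and needs cleanup either way.
        return "high" if self.failed else "cleanup"


def normalize(name: str) -> str:
    """Lower-case a query name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_line(line: str):
    """Return (timestamp, client, qname, rcode) or None for unusable lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    stamp, client, qname, rcode = parts
    try:
        when = datetime.fromisoformat(stamp)
        ipaddress.ip_address(client)  # reject anything that is not an IP
    except ValueError:
        return None
    return when, client, normalize(qname), rcode.upper()


def triage(log_text: str) -> dict:
    """Map client IP -> HostRecord for every host that queried the domain."""
    hosts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, client, qname, rcode = parsed
        if qname != KILL_SWITCH_DOMAIN:  # exact match, not substring
            continue
        rec = hosts.setdefault(client, HostRecord(client, when, when))
        rec.first_seen = min(rec.first_seen, when)
        rec.last_seen = max(rec.last_seen, when)
        rec.lookups += 1
        if rcode != "NOERROR":
            rec.failed += 1
    return hosts


def report(log_text: str) -> list:
    """Suspected hosts, 'high' priority first, then by earliest lookup."""
    return sorted(triage(log_text).values(),
                  key=lambda h: (h.priority != "high", h.first_seen))


if __name__ == "__main__":
    for h in report(SAMPLE_LOG):
        print(f"{h.priority:8} {h.ip:12} lookups={h.lookups} "
              f"failed={h.failed} first={h.first_seen.isoformat()}")
```

Blocking the domain at the resolver would push every infected host into the "high" group, because the lookup would no longer come back as live.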

The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of "cyber weapons" from the National Security Agency (NSA).

Ransomware is a type of malware that encrypts a user's data, then demands payment in exchange for unlocking the data. This attack used a piece of malicious software called "WanaCrypt0r 2.0" or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.

MalwareTech (@MalwareTechBlog)

I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.

May 13, 2017

The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the "payment will be raised" after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.

"This was eminently predictable in lots of ways," said Kalember. "As soon as the Shadow Brokers dump came out everyone [in the security industry] realised that a lot of people wouldn't be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch."

Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.

By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.



Have you been affected by the cyberattack on the NHS? | Society | The Guardian

Have you been affected by the cyberattack on the NHS?

If you are a patient - or NHS staff member - who has been affected we'd like to hear about your experience

The IT systems of NHS sites across England have been hit by a large-scale cyber-attack with a pop-up message demanding a ransom in exchange for access to the PCs. Hospitals across the country have staff who have been locked out of their computers and many trusts have been forced to divert emergency patients, the NHS has confirmed.

Details of patient records and appointment schedules, as well as internal phone lines and emails, have all been rendered inaccessible.

Share your experiences

Have you been affected by the cyber-attack? Perhaps you are in A&E waiting to be treated, or are due to have an appointment with your GP. Whether you are a patient or NHS staff, you can share your experiences by filling in the form below, anonymously if you wish. We'd also like to hear from those working in the NHS.

We'll feature some of your responses in our reporting.

Your responses are secure as the form is encrypted and only the Guardian has access to your contributions.




Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool - NYTimes.com

Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool

Ambulance staff at a National Health Service hospital in London on Friday. Several hospitals across Britain were hit by a large-scale cyberattack, causing failures to computer systems.

Andy Rain / European Pressphoto Agency

SAN FRANCISCO — Hackers exploiting malicious software stolen from the National Security Agency executed damaging cyberattacks on Friday that hit dozens of countries worldwide, forcing Britain's public health system to send patients away, freezing computers at Russia's Interior Ministry and wreaking havoc on tens of thousands of computers elsewhere.

The attacks amounted to an audacious global blackmail attempt spread by the internet and underscored the vulnerabilities of the digital age.

Transmitted via email, the malicious software locked British hospitals out of their computer systems and demanded ransom before users could be let back in — with a threat that data would be destroyed if the demands were not met.

By late Friday the attacks had spread to more than 74 countries, according to security firms tracking the spread. Kaspersky Lab, a Russian cybersecurity firm, said Russia was the worst-hit, followed by Ukraine, India and Taiwan. Reports of attacks also came from Latin America and Africa.

The attacks appeared to be the largest ransomware assault on record, but the scope of the damage was hard to measure. It was not clear if victims were paying the ransom, which began at about $300 to unlock individual computers, or even if those who did pay would regain access to their data.

Security experts described the attacks as the digital equivalent of a perfect storm. They began with a simple phishing email, similar to the one Russian hackers used in the attacks on the Democratic National Committee and other targets last year. They then quickly spread through victims' systems using a hacking method that the N.S.A. is believed to have developed as part of its arsenal of cyberweapons. And finally they encrypted the computer systems of the victims, locking them out of critical data, including patient records in Britain.

The connection to the N.S.A. was particularly chilling. Starting last summer, a group calling itself the "Shadow Brokers" began to post software tools that came from the United States government's stockpile of hacking weapons.

The attacks on Friday appeared to be the first time a cyberweapon developed by the N.S.A., funded by American taxpayers and stolen by an adversary had been unleashed by cybercriminals against patients, hospitals, businesses, governments and ordinary citizens.

Something similar occurred with remnants of the "Stuxnet" worm that the United States and Israel used against Iran's nuclear program nearly seven years ago. Elements of those tools frequently appear in other, less ambitious attacks.

The United States has never confirmed that the tools posted by the Shadow Brokers belonged to the N.S.A. or other intelligence agencies, but former intelligence officials have said that the tools appeared to come from the N.S.A.'s "Tailored Access Operations" unit, which infiltrates foreign computer networks. (The unit has since been renamed.)

The attacks on Friday are likely to raise significant questions about whether the growing number of countries developing and stockpiling cyberweapons can avoid having those same tools purloined and turned against their own citizens.

They also showed how easily a cyberweapon can wreak havoc, even without shutting off a country's power grid or its cellphone network.

In Britain, hospitals were locked out of their systems and doctors could not call up patient files. Emergency rooms were forced to divert people seeking urgent care.

In Russia, the country's powerful Interior Ministry, after denying reports that its computers had been targeted, confirmed in a statement that "around 1,000 computers were infected," which it described as less than 1 percent of its total. The ministry, which oversees Russia's police forces, said technicians had contained the attack.

Some intelligence officials were dubious about that announcement because they suspect Russian involvement in the theft of the N.S.A. tools.

But James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said he suspected that criminals operating from Eastern Europe acting on their own were responsible. "This doesn't look like state activity, given the targets that were hit," he said.

Those targets included corporate computer systems in many other countries — including FedEx in the United States, one of the world's leading international shippers, as well as Spain's Telefónica and Russia's MegaFon telecom giant.

It could take months to find who was behind the attacks — a mystery that may go unsolved. But they alarmed cybersecurity experts everywhere, reflecting the enormous vulnerabilities to internet invasions faced by disjointed networks of computer systems.

There is no automatic way to "patch" their weaknesses around the world.

"When people ask what keeps you up at night, it's this," said Chris Camacho, the chief strategy officer at Flashpoint, a New York security firm tracking the attacks. Mr. Camacho said he was particularly disturbed at how the attacks spread like wildfire through corporate, hospital and government networks.

Another security expert, Rohyt Belani, the chief executive of PhishMe, an email security company, said the wormlike capability of the malware was a significant shift from previous ransom attacks. "This is almost like the atom bomb of ransomware," Mr. Belani said, warning that the attack "may be a sign of things to come."

The hackers' weapon of choice on Friday was Wanna Decryptor, a new variant of the WannaCry ransomware, which encrypts victims' data, locks them out of their systems and demands ransoms.

Researchers said the impact and speed of Friday's attacks had not been seen in nearly a decade, when the Conficker computer worm infected millions of government, business and personal computers in more than 190 countries, threatening to overpower the computer networks that controlled health care, air traffic and banking systems over the course of several weeks.

One reason the ransomware on Friday was able to spread so quickly was that the stolen N.S.A. hacking tool, known as "Eternal Blue," affected a vulnerability in Microsoft Windows servers.

Hours after the Shadow Brokers released the tool last month, Microsoft assured users that it had already included a patch for the underlying vulnerability in a software update in March.

But Microsoft, which regularly credits researchers who discover holes in its products, curiously would not say who had tipped the company off to the issue. Many suspected that the United States government itself had told Microsoft, after the N.S.A. realized that its hacking method exploiting the vulnerability had been stolen.

Privacy activists said if that were the case, the government would be to blame for the fact that so many companies were left vulnerable to Friday's attacks. It takes time for companies to roll out systemwide patches, and by notifying Microsoft of the hole only after the N.S.A.'s hacking tool was stolen, activists say the government would have left many hospitals, businesses and governments susceptible.

"It would be deeply troubling if the N.S.A. knew about this vulnerability but failed to disclose it to Microsoft until after it was stolen," Patrick Toomey, a lawyer at the American Civil Liberties Union, said on Friday. "These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world."

During the Obama administration, the White House created a process to review software vulnerabilities discovered by intelligence agencies, and to determine which should be "stockpiled" for future offensive or defensive cyberoperations and which should be reported to the companies so that they could be fixed.

Last year the administration said that only a small fraction were retained by the government. But this vulnerability appeared to be one of them, and it was patched only recently, suggesting that the N.S.A. may have concluded the tool had been stolen and therefore warned Microsoft.

But that was clearly too little, and far too late.

On Friday, hackers took advantage of the fact that vulnerable targets — particularly hospitals — had yet to patch their systems, either because they had ignored advisories from Microsoft or because they were using outdated software that Microsoft no longer supports or updates.

The malware was circulated by email. Targets were sent an encrypted, compressed file that, once loaded, allowed the ransomware to infiltrate its targets. The fact that the files were encrypted ensured that the ransomware would not be detected by security systems until employees opened them, inadvertently allowing the ransomware to replicate across their employers' networks.

Employees at Britain's National Health Service had been warned about the ransomware threat earlier on Friday. But it was too late. As the disruptions rippled through at least 36 hospitals, doctors' offices and ambulance companies across Britain, the health service declared the attack a "major incident," warning that local health services could be overwhelmed.

Britain's health secretary, Jeremy Hunt, was briefed by cybersecurity experts, while Prime Minister Theresa May's office said on television that "we're not aware of any evidence that patient data has been compromised."

As the day wore on, dozens of companies across Europe, Asia and the United States discovered that they had been hit with the ransomware when they saw criminals' messages on their computer screens demanding $300 to unlock their data. But the criminals designed their ransomware to increase the ransom amount on a set schedule and threatened to erase the hostage data after a predetermined cutoff time, raising the urgency of the attack and increasing the likelihood that victims would pay.

Without the ability to decrypt their data on their own, security experts said that victims who had not backed up their data were faced with a choice: Either live without their data or pay. It was not clear how many victims ultimately paid.

Security experts advised companies to immediately update their systems with the Microsoft patch.

Until organizations use the Microsoft patch, Mr. Camacho said, they could continue to be hit — not just by ransomware, but by all kinds of malicious tools that can manipulate, steal or delete their data.

"There is going to be a lot more of these attacks," he said. "We'll see copycats, and not just for ransomware, but other attacks."


