What is WannaCry and how can it be stopped?
Dozens of organisations and networks worldwide have been hit by a cyber weapon known as WannaCry. Already it has proved itself to be one of the most virulent and potentially destructive cyber attacks ever observed.
Telefónica, the multinational Spanish telecoms network which owns O2, was among the first to report that it had been infected early on Friday afternoon. Hospitals across Britain’s National Health Service have been among the highest profile victims: patients have been affected as critical services and records were taken offline.
Portugal Telecom was a victim, as was FedEx in the US, while reports were emerging of infections in Asia — such as universities in China — and across the rest of Europe.
What does the attack do?
The attack used a category of virus known as ransomware. Once infected, a target’s computer has its files encrypted. The user then gets a ransom demand — usually asking for payment in a “crypto currency” such as bitcoin — which must be paid in order for access to be restored.
Ransomware’s use has been on the rise. “We have seen it grow very rapidly,” said Darren Thomson, chief technology officer for the cyber security firm Symantec. “Globally, we have seen a 36 per cent increase year-on-year.”
There are at present more than 100 known families of ransomware propagating online. WannaCry is one of the newest.
Who is responsible?
So far the perpetrators are unknown but western security agencies are scrambling to find out. Their current working hypothesis is that WannaCry’s latest incarnation, despite its incredible destructive reach, is still being wielded by a criminal organisation rather than a state or a state-backed group.
According to cyber intelligence analysts studying the “dark web”, payments demanded by the ransomware’s operators can be linked back to a single bitcoin account.
Why has this attack been so successful?
Until now, ransomware was regarded as a relatively rudimentary threat. It is usually spread through emails that are sent en masse to target unwary individuals. Attacks against organisations and businesses are far more unusual. Big organisations usually have sophisticated detection methods to prevent and contain infections.
The version of WannaCry that spread so rapidly on Friday is different, however: its designers have supercharged it by using tools leaked by the most powerful cyber arsenal in the world — that owned by the US National Security Agency.
How is the NSA involved?
The FT has spoken to several senior cyber security researchers and western government officials who have confirmed that NSA tools are likely to have been used by the hackers. They say an NSA tool known as Eternal Blue looks like it has been incorporated into the ransomware’s architecture; Eternal Blue allows the ransomware to spread laterally across businesses’ computer networks through a vulnerability in commonly used Windows file-sharing systems.
The vulnerability explains why WannaCry has metastasised so rapidly around the world, jumping between any linked organisations that may have file-sharing arrangements set up for business purposes. As such, it has highlighted the greatest vulnerability of our increasingly interconnected digital environment.
How can it be stopped?
Scrubbing malware from systems is an arduous and lengthy task. The scale of infections in this case already suggests it may be an impossible one.
Governments and law enforcement agencies will probably try to identify the “command and control” servers from which the malware is being run. If intelligence efforts can pinpoint those and seize control of them, then the encryption keys could be released to all infected networks.
An alternative may be that WannaCry’s operators turn over the keys themselves: the success of the ransomware has made them the top global target for the west’s cyber security community overnight. Even the most hardened criminal organisation is likely to worry about such prominence.
This story has been corrected to reflect the fact that Energias de Portugal took precautionary measures under police advice, but was not affected.