An international army of detectives was working around the clock last night to hunt down the cyber crooks behind the hacking attack that crippled the NHS and froze IT systems in 100 countries around the world.
Computer specialists from 27 European nations were urgently trying to stop the spread of the ransom virus behind the biggest ever hacking attack of its kind.
The attack has locked 130,000 computers with a message demanding that users pay a fee of £230 in Bitcoin – a controversial internet-only currency that is traded anonymously.
Experts last night told The Mail on Sunday the hacking culprits may be from Russia or the Ukraine.
IT security experts said criminals had launched the ‘atom bomb’ of computer attacks after a sinister group of hackers stole a cyber ‘superweapon’ from the US intelligence services
And yesterday, Europol, the European Union’s police force, announced a major investigation has been launched by its Joint Cybercrime Action Taskforce.
A spokesman said: ‘The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits.’
IT security experts said criminals had launched the ‘atom bomb’ of computer attacks after a sinister group of hackers stole a cyber ‘superweapon’ from the US intelligence services last year.
They said a cyber gang named the Shadow Brokers hacked the National Security Agency (NSA) and stole software developed by US agents to spy on Microsoft computers.
The hackers leaked the cache of hacking tools and passwords needed to unleash the virus in an online post last month – which it said was in protest against US military strikes in Syria.
The malicious software was hidden in email attachments downloaded by unwitting computer users on Friday afternoon.
As of last night the hackers had received only about £20,000 in bitcoins – a virtual currency that is all but untraceable. One is worth £1,367 – more than the value of an ounce of gold
Experts said it unleashed a computer virus which spread ‘like wildfire’ across networks.
Users were warned the £230 ransom demand would double if it was not paid within three days.
The dark web currency
Bitcoin is a virtual currency favoured by users of secret sites on the so-called ‘dark web’.
Transactions are recorded but not the identities of those carrying them out.
The message demanded the ransom be paid in Bitcoin. The NHS said it would refuse to pay.
Cyber experts estimated that the attackers could pocket more than £770 million from individuals paying to unlock their machines.
As of last night the hackers had received only about £20,000, according to the group’s Bitcoin accounts, which can be viewed online.
One bitcoin is worth £1,367 – more than the value of an ounce of gold.
They are not physical coins and exist only in cyberspace. Users can remain anonymous, which is why they are often used for illegal activity.
The malicious software was hidden in email attachments downloaded by unwitting computer users on Friday afternoon. The virus is pictured on a laptop
Security experts told The Mail on Sunday the attack was most probably launched by a criminal gang taking advantage of the leak by the Shadow Brokers last month.
The NSA connection
A hacking tool developed by the US government’s National Security Agency to spy on terrorists was stolen and released on to the internet by a group called The Shadow Brokers last month.
A separate gang – possibly Russians or Ukrainians – used it to unleash chaos by spreading a ransomware virus disabling millions of Microsoft computers across the world.
Some experts alleged the Shadow Brokers were closely linked to Russian intelligence.
But others said it was unclear and pointed out Russia was one of the nations worst hit by the cyber attack with reports that 1,000 computers in the country’s Interior Ministry were affected.
Jeremiah Grossman, chief of security strategy at cybersecurity firm SentinelOne, said: ‘Three quarters of ransomware attacks are from Russia and the Ukraine.
‘The attack we are seeing is most likely a criminal gang simply extorting people for money but it would not have happened without the hacking of the NSA and the leak by the Shadow Brokers.
‘The Shadow Brokers appear to be Russian intelligence or linked to the Russian government.
‘This is evident in their communications, their political actions and the timing of events.’
A cyber gang named the Shadow Brokers is thought to have hacked the National Security Agency (NSA) and stole software developed by US agents to spy on Microsoft computers, according to computer experts
Edward Snowden, the NSA whistleblower who fled to Russia in 2013, has previously linked the Shadow Brokers hacking group to the Kremlin. But Russian officials have denied the link.
David Emm, a senior researcher for cyber security firm Kaspersky Lab, said: ‘The people behind it are just looking to make money but this attack is using code dumped by the group calling themselves Shadow Brokers.
‘They dumped a whole load of stuff online claiming this was all part of a series of tools and exploits being used by the NSA.’
Activist Lauri Love, who is facing extradition to the US over unconnected hacking charges, said: ‘This is a top-of-the-range cyber weapon used by the spooks in America. Unfortunately they lost it.’
Paul Norris, of cyber security firm Tripwire, said the attack was likely ‘a criminal network, not a foreign state attack’ but agreed the method had come from the earlier NSA hack.