SEATTLE: Cybersecurity researcher Ray Pompon started his Friday, just after 8am, like he always does: checking e-mail and social media feeds from his West Seattle home.
It didn't take long for Pompon to discover something was very wrong.
A widespread cyberattack in England was starting to show up in other countries, spreading a malicious software program that hijacked computers running Microsoft's Windows operating system and demanded payments to relinquish control.
"It was spreading like wildfire," said Pompon, who works for Seattle Internet infrastructure firm F5 Networks.
The career security researcher fired off chat messages, comparing notes with other F5 analysts who had seen the initial news reports from the UK. They quickly widened the circle, alerting the company's leadership and beginning a search for tools to shield F5 customers.
"We started scrambling around, trying to find out how it was propagating," he said.
It was soon clear to Pompon that he couldn't tear himself away even for the commute to F5's Lower Queen Anne offices. He would work the next three days from home.
The cyberattack that began May 12 crippled British hospitals, Brazil's social-security system, a German railway, and many other computer systems, the latest sign of the dangers posed by weaponised software in a world of ubiquitous computing.
As the attacks became major news worldwide, corporate cybersecurity workers, researchers and law-enforcement agencies jumped into action to try to limit the damage – a crisis response that's becoming common in the information age.
The attacks, which continued into Monday and disabled an estimated hundreds of thousands of devices, targeted a vulnerability in Windows that Microsoft says was discovered by the National Security Agency (NSA). Details of the vulnerability were dumped online earlier this year – along with a slate of other vulnerabilities allegedly uncovered by the US spy agency – by a hacker group called Shadow Brokers.
The flaw resides in a way computers running Microsoft's operating system communicate with shared network resources like printers or files. Malware aimed at that vulnerability could gain control of a system through the communications protocol, and, from there, hop to other systems on a network and take them over, too.
Microsoft issued patches on March 14 for many versions of Windows that closed the weak point, giving the update the "critical" designation applied to serious weaknesses that could allow an unauthorized user to take control of the operating system.
But many businesses don't receive Windows updates automatically. Their technology staff has to opt in because updates can often be a laborious process that requires them to ensure tweaks won't interfere with other software or systems.
When the attack started Friday, it was clear many Windows users hadn't updated, or were running versions of the operating system so old that Microsoft had stopped sending them security updates altogether.
Corey Nachreiner, chief technology officer at Seattle security software firm WatchGuard Technologies, got a call early Friday from one of the company's engineers in Spain. The ransomware attack – called WannaCry, or WannaCrypt – had hit Spanish mobile giant Telefonica, locking employees out of their computer terminals as it spread through the network.
Nachreiner, working with colleagues in Seattle and Baltimore, set out to try to find an example of the code as it rattled around the global internet. "The first step, we just want to analyse it, see how it works," he said.
Unpacking a cyberattack doesn't look much like its flashy Hollywood depictions.
Security researchers describe a tedious process of sifting through network and computer systems, lines of code and system logs, occasionally aided by software designed to detect anomalies and things that don't belong.
Comparing notes with peers in the industry also plays a big role. Many security workers spent Friday glued to Twitter, tracking news reports on the spread of the attack and the progress others were making in identifying and stopping the malware.
Marc Laliberte, a threat analyst with WatchGuard, got his hands on a sample of WannaCry from a public malware repository, a service designed to get simulated systems infected with whatever bad actors come knocking so security researchers can follow their path.
He ran the malware on a simulated system in a sandbox on his laptop – a virtual space where the software could be run securely – before going in to work.
After sifting through the code and initial reports from worried customers, Laliberte was able to say with a decent degree of confidence that customers running WatchGuard's security services and updated systems shouldn't be impacted. The company's tools are used by a range of customers, from German engineering firms to Seattle's Museum of Flight.
A handful of WatchGuard's smaller customers were infected, though. Some were able to avoid the ransomware by restoring systems from backup files, avoiding the ransomware's threat to delete data entirely.
The biggest breakthrough came from an enterprising, 22-year-old security researcher in Britain who found and activated a "kill switch" that halted the main variant of WannaCry's software. (Other, modified versions have surfaced since.)
In Redmond on Friday, Microsoft and its 3,500 security engineers were working to better protect their software. By noon, the company had added WannaCrypt-specific detection to its anti-virus tools.
But with many computers running old versions of Windows being infected, the company also took an unusual step: defending software it no longer supported. Shortly before midnight, the company released patches for six operating systems released between 2001 and 2012.
For Microsoft, the worldwide attention on a high-profile flaw in Windows recalls the years in the early 2000s when the company's reputation was damaged by hacks of software unprepared for the threats of the Internet age.
The company declined to comment on WannaCry beyond a blog posted over the weekend by Microsoft president Brad Smith. He said Microsoft's first responsibility was to address the issue in its software and help stem the attack, but Smith also pointed the finger at governments for developing, stockpiling and exploiting potentially dangerous software weaknesses in the first place.
Jeff Costlow, director of security with Seattle-based technology analytics software maker ExtraHop, said Microsoft "has moved a lot in the last few years" to infuse better security into its products.
"The problem is, this follows all those years that they spent not necessarily being proactive" on security, he said. "This is the era where they have to make up for that, and we have to move very quickly."
Some Microsoft security engineers over the weekend vented frustrations that the attack happened at all, weeks after security researchers warned about the vulnerability, and almost a month after Microsoft patched it for most Windows systems.
Others lamented a business environment that can leave critical services like hospitals relying on outdated and vulnerable software.
Some organizations with tight technology budgets can be slow to update to modern tools, or are unaware of vulnerabilities in expensive machines like hospital imaging devices that aren't thought of as computers.
"Sure, desktops, servers, they should have been updated," Microsoft security analyst Barry Dorrans said in a post on Twitter. "But there's always going to be machines that can't be touched."
Security researchers around the industry kept working Saturday and Sunday, trying to better understand the malicious software and encouraging corporate technologists to update old systems. Pompon, of F5, said hackers sometimes aim for Fridays when deploying malware, hoping their software spreads just as those charged with securing computer systems are checking out for the weekend.
"They look for a skeleton crew," he said. "You wind up working the weekend. That's been my entire career." — The Seattle Times/Tribune News Service