Just 20 Irish IP addresses hit by global cyber attack

Internet security experts warn firms to be wary of ‘indiscriminate’ ransomware

WannaCry  ransomware: thousands of computers in over 100 countries  have been infected since May 12th. Photograph: EPA
WannaCry ransomware: thousands of computers in over 100 countries have been infected since May 12th. Photograph: EPA

Just 20 Irish IP addresses have been hit by the cyber attack over the weekend which locked up more than 200,000 computers worldwide, according to the Republic’s National Cyber Security Centre (NCSC).

Cybersecurity experts have said the spread of the virus dubbed “WannaCry” – a “ransomware worm” – has slowed, but the respite might only be brief. New versions of the worm are expected, and the extent of global damage from the attack remains unclear.

So far, it appears Irish businesses have escaped largely unscathed, although NCSC director Richard Browne told The Irish Times on Monday he expected some incidents to arise.

He said that technical problems with the virus had allowed the authorities to examine how it operates, and the number of IP addresses it has engaged with. An IP address is an identification number specific to each computer or tablet device.

READ SOME MORE

"As of three minutes ago, we had only one confirmed incident in the State, which was the one in Wexford, so as of that point we had no confirmed incidence of a private sector operator being hit," said Mr Browne.

“Now, we expect them to arise. There are going to be some affected entities out there. We know there are other Irish IP addresses.

“Malware often has a kill switch detector in it. In other words, they want to make sure that people like us can’t take it apart, see how it works, and stop it. They put in this detector which tries to connect to the outside web.

“This wasn’t very well implemented and there were a whole load of issues with it.

“Essentially, when this person registered the domain, it tripped the kill switch detector, so the malware stopped performing and we got access to the IP addresses that were radiating back.

“So, we can see what Irish domains are on it, and we’ve been dealing with entities across the State to try and make sure that any affected entity is dealt with. Now, for most of them, the virus never went live.

“It’s in the order of 20 IP addresses, so that could be a private individual at home on his laptop, or it could be a business or whatever.”

In terms of whether the figure of 20 was the likely total number, or whether it could rise, Mr Browne said he couldn’t be certain but that it was a “fairly good indication” of the total.

As to whether these 20 IP addresses were specifically targeted or randomly affected, Mr Browne said: “As far as we can tell, this was a worm that spreads itself on the basis of vulnerability, so it’s not targeted.

“We’ve been engaging with internet service providers and others directly saying ‘we know this is a problem. Please contact your client.’ We’ve been doing that since Saturday morning.”

Mr Browne added that due to data protection issues, the facility cannot directly contact the individuals or institutions affected.

“We don’t have access to who they are,” he said. “We’re going through the internet providers. For the most part, they can work out who is at the end of the IP address.”

Ibec head of digital policy said the business lobby group had not been contacted by members. “So far, we haven’t heard anything from our networks,” he said. “We’re still monitoring it. It’s a big concern obviously.”

ISME, the small and medium sized enterprises organisation, also said there had been little or no alarm among its members.

Neil McDonnell, the chief executive, said many businesses were proactively upgrading cyber security following the incident.

“We haven’t had anyone come forward with complaints about it, but some of our providers who are in the game have had a busy day,” he said. “Some of it is repairing issues and some of it is preventative.

“An awful lot of our members would be at the lower level of internet functionality, but we have an awful lot of accountants and solicitors who tend to be extremely discreet even if there is a problem.”

Pat Moran, who leads PricewaterhouseCooper's cyber practice in Dublin, said there had been no major emergencies for company's clients, but that they had "been busy" over the weekend.

Hugh Callaghan, head of EY's advanced security centre in Dublin, expressed concern for SMEs who may not have updated their software as routinely as larger organisations.

Furthermore, he added, larger organisations may be operating with legacy infrastructure that is particularly vulnerable.

Colin Gleeson

Colin Gleeson

Colin Gleeson is an Irish Times reporter

Peter Hamilton

Peter Hamilton

Peter Hamilton is a contributor to The Irish Times specialising in business