Hackers launched blistering ransomware attacks Tuesday against
companies and agencies across the world, particularly targeting Ukranian businesses.
Major global firms reported that they had been targeted, including British advertising agency WPP (WPPGY), Russian oil and gas giant Rosneft and Danish shipping firm Maersk.
“IT systems in several WPP companies have been affected by a suspected cyber attack,” WPP said on its Twitter account.
Maersk issued a similar statement, saying its tech systems “are down across multiple sites and business units due to a cyberattack.”
The U.S.-based pharmaceutical company Merck (MRK) also said it was hit.
“We confirm our company’s computer network was compromised today as part of global hack,” Merck said on Twitter.
The source of the attack is not yet clear. It is similar to WannaCry, which spread globally in May, but there are differences. Both asked victims to pay Bitcoin to get their files back, and both use a similar flaw to spread through networks.
The Moscow-based cybersecurity firm Group IB estimated Tuesday that the virus affected about 80 companies in Russia and Ukraine.
Group IB said the ransomware infects and locks a computer, and then demands a $300 ransom to be paid in Bitcoins.
Many firms, including Symantec, have suggested the ransomware is a variant of Petya, a known ransomware. But according to security firm Kaspersky Lab, preliminary findings indicate the attacks are from a new ransomware that it’s now calling “ExPetr.”
Either way, researchers say Tuesday’s attacks use a Windows flaw called EternalBlue to spread through corporate networks. WannaCry also leveraged the EternalBlue exploit, which was leaked as part of a trove of hacking tools believed to belong to the NSA. Microsoft (MSFT, Tech30) issued a patches for the exploits in March.
Microsoft said it found that the ransomware is using multiple techniques to spread, including one that was addressed by the security patch released in March. It is continuing to investigate.
The Department of Homeland Security is also monitoring the cyberattacks.
Spokesman Scott McConnell said DHS is “coordinating with our international and domestic cyber partners. We stand ready to support any requests for assistance.”
Europol said it is investigating the attack as well.
Ukrainian companies and government agencies seem to have been hit particularly hard.
Ukraine’s central bank warned financial firms across the country that an unknown virus hit the sector, creating problems for banks and customer service.
According to security firm Cisco Talos, the ransomware initially infected MeDoc, a piece of Ukranian accounting software. MeDoc then sent an infected file to customers. It spread to other computers on companies’ networks by leveraging software holes. Ukranian officials confirmed the MeDoc link.
This ransomware was much more advanced than WannaCry, according to Craig Williams, senior tech lead and security outreach manager at Cisco Talos.
Officials at Ukraine’s postal service and metro system in Kiev also reported hacking problems.
Ukraine’s vice prime minister, Pavlo Rozenko, tweeted a screenshot of his malfunctioning computer saying computers at the Cabinet of Ministers had been affected.
The Chernobyl nuclear power plant was also hit by the cyber attack, according to a Ukrainian federal agency. In a statement, the agency said that “in connection with the cyber attack, the Chernobyl nuclear power plant website is not working.” Its Microsoft Windows systems were temporarily disconnected, and radiation monitoring in the area of the industrial site is being carried out manually, it said.
Ransomware victims are always advised not to pay ransom to get their files back because it encourage the attackers. The best way to mitigate damage from ransomware is to update operating systems and backup data.