A global ransomware attack slammed businesses around the world Tuesday, affecting oil companies, a major shipping line, banks and a major U.S. pharmaceutical company, and marking the second consecutive month that such an epidemic swept the world. Tuesday’s impact spanned from India to the United States, although it hit hardest in Ukraine and Russia.
Like a previous attack that affected more than 150 countries on May 12, Tuesday’s virulent outbreak appeared to be powered by a U.S. cyber weapon stolen from the National Security Agency.
The epidemic used a variant of ransomware known as Petya, and it froze hard drives of tens of thousands of computers and left screen messages demanding that owners make a payment of $300 to unlock their data.
While Ukraine and Russia were hardest hit, other countries that felt the impact included France, Spain, Denmark, Poland, Italy, Germany, Brazil, Turkey, India and the United States.
The big U.S. pharmaceutical company Merck, based in Kenilworth, New Jersey, acknowledged in a tweet that it had been hit: “We confirm our company's computer network was compromised today as part of global hack.”
One of the largest health networks in western Pennsylvania, Heritage Valley Health System, said that a “cyber security incident” had affected all operations at its two hospitals and 18 satellite centers but it wasn’t clear if the incident was linked to the Petya ransomware.
A number of global companies reported damage. They included Rosneft, the Russian firm that is the world’s largest publicly traded oil company; the Danish shipping and energy giant A.P. Moller-Maersk; WPP, the British advertising giant, and France’s Saint Gobain construction materials company.
The outbreak appeared to spread through an update sent by a financial software company, MeDoc, in Ukraine.
“Essentially what happened is MeDoc (big financial software) was hacked and they pushed out the malware via the update feature,” posted a security researcher, Marcus Hutchins, who is credited with finding and activating a “kill switch” that put a halt to the WannaCry epidemic in May.
The cyberattack slowed operations at Boryspyl International Airport near Ukraine’s capital, Kyiv, and hit several major public sector enterprises, including the central bank, before dashing across borders.
There may be delays in flights due to the situation.
Yevhen Dykhne, director of Kyiv’s Boryspyl International Airport
“Our IT services are working together to resolve the situation. There may be delays in flights due to the situation,” airport director Yevhen Dykhne said in a statement.
The radiation monitoring system at the ruins of the Chernobyl nuclear plant, site of a catastrophic nuclear accident in Ukraine in 1986, was affected by the cyberattack, the French news agency AFP reported.
The Petya ransomware was an older criminal Trojan that had been given new life and a mechanism for self-replicating through a stolen NSA tool known as EternalBlue, said Nick Bilogorskiy, senior threat director at Cyphort, a Santa Clara, California, cybersecurity firm, in an emailed statement.
The initial infection occurs when a recipient opens a malicious link, he said, which then encrypts the computer’s master file.
“This variant asks for $300 via Bitcoin,” Bilogorskiy said, referring to a digital currency favored by hackers for its anonymity.
European companies took to Twitter or their websites to get word out about outages.
“We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack,” the shipping company said.
A global law firm with headquarters in London, DLA Piper, reported extensive problems. A sign outside its offices in Washington told employees upon entering: “Please remove all laptops from docking stations & keep turned off. *No exceptions*”
One cyber expert said the latest attack may be a harbinger of greater disruption ahead.
“The sophistication and consequences of ransomware attacks have reached a new level. The days are near where a cyber-attack can result in a total blackout and affect the lifeblood of society,” said Matthias Maier, security expert at Splunk, a San Francisco software company.
The spread of the ransomware unfolded at alarming speed. One security researcher, Dave Kennedy of TrustedSec, a Strongsville, Ohio, firm, tweeted that Petya “spreads SUPER fast,” adding that he observed the ransomware hit 5,000 networks “in under 10 minutes.”
Like the perpetrators of the May 12 WannaCry attack, those behind the Petya attack raised little money from the mayhem they were causing. By late afternoon, they’d received 31 payments of bitcoin with a value of about $8,050.
“That’s one of the headscratchers of this. If it’s done for criminal means, you’d think they be better criminals,” said Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, a think tank. “It could be that they are just really bad at creating malicious software or setting up criminal enterprises.”
The WannaCry ransomware epidemic utilized one of a handful of powerful cyber tools stolen from the NSA and leaked to the public in March by an underground group, The Shadow Brokers. The group contends it has many more tools that it will auction off to bidders. Some experts say a North Korean hacking unit launched the WannaCry epidemic, which they said hit 10 to 15 million computers worldwide.
The NSA has never confirmed the breach.
Jonathan Pollet, founder of a Houston area industrial cybersecurity firm, Red Tiger Security, said that a decade ago malware was usually constructed for a single purpose. But today, malicious code is more sophisticated and comprises tool sets that “are almost like lego bricks” and have multiple purposes. The NSA EternalBlue tool is just one component, he said.
For those angry that a government-created tool might fall into criminal hands and point back at the country of its creators, Pollet said there is little to be done.
“You can’t sue a federal agency,” Pollet said. “There’s no recourse for this.”