The ransomware cyberattack, which seems to have originated in Ukraine this week but spread quickly, is thought to be under control in that country but companies and governments around the world are still trying to determine the attack’s impact on ports, hospitals, factories and supply chains.
The malicious code freezes computers and demands victims post a ransom worth $300 in bitcoins or lose their data entirely—similar to the extortion tactic used in the global WannaCry ransomware attack in May. Many firms, including Symantec, have suggested the ransomware is a variant of Petya—a known ransomware—but according to security firm Kaspersky Lab, preliminary findings indicate the attacks are from a new ransomware that it is now calling “ExPetr,” Reuters reports.
Either way, researchers say the attacks use a Microsoft Windows flaw called EternalBlue to spread through corporate networks. WannaCry also leveraged the EternalBlue exploit, which was leaked as part of a group of hacking tools believed to belong to the National Security Agency. Microsoft issued patches for the exploits in March.
Arriving the same day as the assassination of a senior Ukrainian military intelligence officer in the nation’s capital and a day before a national holiday celebrating a new constitution signed after the breakup of the Soviet Union, the virus is believed to have first taken hold in Ukraine where it infected computers after users downloaded a popular tax accounting package or visited a local news site, national police and international cyber experts say. Ukraine has repeatedly accused Russia of orchestrating attacks on its computer systems and critical power infrastructure since Russia annexed the Black Sea peninsula of Crimea in 2014.
Some experts believe this latest ransomware outbreak was less aimed at gathering money than at sending a message to Ukraine and its allies. Indeed, the aim of the latest attack appeared to be disruption rather than ransom, Brian Lord, former deputy director of intelligence and cyber operations at Britain’s GCHQ and now managing director at private security firm PGI Cyber, says in a Reuters article.
“My sense is this starts to look like a state operating through a proxy ... as a kind of experiment to see what happens,” Lord says.
In a statement yesterday, the Ukrainian Cabinet said that “all strategic assets, including those involved in protecting state security, are working normally.” At the very least, however, thousands of computers worldwide have been struck by the malware, according to preliminary accounts published by cybersecurity firms—although most of the damage may not be publicized.
Some names have trickled into the public domain as the disruption becomes obvious, however. In addition to numerous Ukrainian banks, companies and the state power distributor, shipping giant A.P. Moller-Maersk, which handles one in seven containers shipped worldwide and has a logistics unit in Ukraine, said in statement that a cyberattack had caused outages at its computer systems around the world. Ports in numerous countries have reported an impact on shipping container terminals. U.S. drugmaker Merck, food and drinks company Mondelez International, global law firm DLA Piper, and London-based advertising group WPP have also all come under attack.
“This is another serious ransomware attack with global impact, although the number of victims is not yet known,” says Europol’s Executive Director, Rob Wainwright. “There are clear similarities with the WannaCry attack, but also indications of a more sophisticated attack capability, intended to exploit a range of vulnerabilities. It’s a demonstration of how cybercrime evolves at scale and, once again, a reminder to business of the importance of taking responsible cyber security measures.”
Europol notes that if a company’s computers or network have become infected, the company should: not pay the ransom, report the cyberattack to local police and disconnect an infected device from the Internet. If the infected device is part of a network, it should be isolated to prevent the virus from spreading to other machines.
Have your company or suppliers felt an impact from the ransomware attack this week?