Ukraine’s government, National Bank, its transportation services and largest power companies are bearing the brunt of what appears to be a massive ransomware outbreak that’s fast spreading across the world and hitting a significant number of critical infrastructure providers.
Whispers of WannaCry abound, though some security experts said on Tuesday that a different breed, named Petya, was to blame. “[We’re seeing] several thousands of infection attempts at the moment, comparable in size to WannaCry’s first hours,” said Kaspersky Lab’s Costin Raiu, who added that the infections are occurring in many different countries. Another firm, BitDefender, said it believed a similar strain called GoldenEye was responsible. Later, security firms, including Kaspersky and Avast, said the malware responsible was actually an entirely new ransomware that had borrowed Petya code.
Regardless of the malware, the attacks are now global. Danish shipping and energy company Maersk reported a cyberattack on Tuesday, noting on its website: “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyberattack.” Russian oil industry giant Rosnoft said it was facing a “powerful hacker attack.” Major British advertiser WPP said on Facebook it was also hit by an attack, while law firm DLA Piper also confirmed it had been targeted by hackers. None of the companies offered specifics on the nature of those hacks.
Attacks on the U.S. pharmaceuticals company Merck extended to its to global offices, sources told Forbes. Both phones and PCs were out of action at Merck’s Ireland offices, and employees were sent home. Merck Sharp & Dohme (MSD), the U.K. subsidiary of Merck, confirmed its network was compromised. “We’re trying to understand the level of impact,” a spokesperson said. “We’re trying to operate as normally as possible.”
Ukraine the main target
The impact initially appeared to be most severe in Ukraine, with very few instances in the U.S., according to Kaspersky. The government organization managing the zone of the Chernobyl disaster fallout said it had to switch radiation monitoring services on industrial sites to manual as they had to shut down all Windows computers. Automated systems for the rest of the zone operated normally. The main Chernobyl plant website has also been closed.
Other victims included major energy companies such as the state-owned Ukrenergo and Kiev’s main supplier Kyivenergo. Government officials have reportedly sent images of their infected computers, including this from deputy prime minister Pavlo Rozenko, who later said the whole government network was down:
— Christian Borys (@ItsBorys) June 27, 2017
It appears on the images posted across social media, the ransomware note is in English and demands $300 in Bitcoin to unlock the files, a request similar to the WannaCry ransom. Ransomware encrypts files and requires payment for the keys to unlock them.
— Group-IB (@GroupIB_GIB) June 27, 2017
A Ukrenergo spokesperson told Forbes power systems were unaffected, adding: “On June 27, a part of Ukrenergo’s computer network was cyberattacked. Similarly, as it is already known with the media, networks and other companies, including the energy sector, were attacked.
“Our specialists take all the necessary measures for the complete restoration of the computer system, including the official [website].” The site remains down at the time of publication.
The National Bank blamed an “unknown virus” as the culprit, hitting several Ukrainian banks and some commercial enterprises. “As a result of cyberattacks, these banks have difficulties with customer service and banking operations,” a statement on the organization’s website read.
The deputy general director of Kiev’s Borispol Airport, Eugene Dykhne, said in a Facebook post: “Our IT services are working together to resolve the situation. There may be delays in flights due to the situation… The official Site of the airport and the flight schedules are not working.”
Kiev Metro, meanwhile, said today in a Twitter alert that it wasn’t able to accept bank card payments as a result of a ransomware infection.
It’s currently unclear whether the attacks are purely ransomware, or if myriad attacks are currently hitting various parts of Ukraine. Attacks on Ukraine’s power grid in 2015 and 2016 were believed to have been perpetrated by Russia, though the country denies all cyberattacks on foreign soil.
Though ransomware is typically used by cybercriminals, with WannaCry it was alleged a nation state was likely responsible for spreading the malware: North Korea. Cyber intelligence companies and the NSA believe with medium confidence that the nation used leaked NSA cyber weapons to carry out the attacks that took out hospitals in the U.K and infected hundreds of thousands of others.
How the ransomware spreads
Security researchers fear the latest outbreak is hitting systems via the same leaked NSA vulnerabilities used by WannaCry. Early analysis of some of the ransomware samples confirmed that the malware creators used the so-called EternalBlue exploits, which targeted a now-patched vulnerability in Microsoft Windows.
But CERT.be, the federal cyber emergency team for Belgium, pointed to a different flaw in Windows. As noted by security firm FireEye in April, attacks exploiting the bug allow a hacker to run commands on a user’s PC after the user opened a malicious document. Office documents that contained the hack and downloaded popular malware types onto target computers, FireEye reported.
CEO of Hacker House, Matthew Hickey, said the initial attacks appeared to have been delivered by that latter attack, using phishing emails containing Excel files. The malware may have used the worm features of the NSA attack to spread so quickly, he said. Hickey also confirmed that the ransomware’s code used EternalBlue. But it’s still unclear if the second flaw was used in these hacks as no phishing emails have yet emerged.
What’s clear is the latest ransomware variant is spreading quickly, even on patched Windows PCs, thanks to some added features in the malware, now being dubbed NotPetya.