Whispers of WannaCry abound, though security experts said a different breed, named Petya, is to blame. “[We’re seeing] several thousands of infection attempts at the moment, comparable in size to WannaCry’s first hours,” said Kaspersky Lab’s Costin Raiu. “We are seeing infections from many different countries.” One firm, BitDefender, said it believed a similar strain called GoldenEye was actually responsible.
This morning saw major Danish shipping and energy company Maersk report a cyber attack, noting on its website: “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.” And Russian oil industry giant Rosnoft said it was facing a “powerful hacker attack.” Major British advertiser WPP said on Facebook it was also hit by an attack, while law firm DLA Piper was also reportedly affected. None had responded to requests for comment or stated what kind of attack they were under.
Sources told Forbes of one U.S. target: pharmaceuticals company Merck. One source said the problem extended to global offices, including those in Ireland, with both phones and PCs out of action, and employees going home. Merck Sharp & Dohme (MSD), the U.K. subsidiary of Merck, confirmed its network was compromised. “We’re trying to understand the level of impact,” a spokesperson said. “We’re trying to operate as normally as possible.”
Ukraine the main target
The impact initially appeared to be most severe in Ukraine, with very few in the U.S., according to Kaspersky. The organization managing the zone of the Chernobyl disaster fallout said it had to switch radiation monitoring services on industrial sites to manual as they had to shut all Windows computers down, though automated systems for the rest of the zone operated normally. The main Chernobyl plant website has also been closed.
The ransomware outbreak has affected Ukraine and Russia the worst in its early stages. There were USA targets, however, Kaspersky said.
Other victims included major energy companies such as the state-owned Ukrenergo and Kiev’s main supplier Kyivenergo. Government officials have reportedly sent images of their infected computers, including this from deputy prime minister Pavlo Rozenko, who later said the whole government network was down:
— Christian Borys (@ItsBorys) June 27, 2017
From the looks of images being posted across social media, the ransomware note is in English and demanding $300 in Bitcoin, similar to the WannaCry ransom.
— Group-IB (@GroupIB_GIB) June 27, 2017
A Ukrenergo spokesperson told Forbes power systems were unaffected, adding: “On June 27, a part of Ukrenergo’s computer network was cyberattacked. Similarly, as it is already known with the media, networks and other companies, including the energy sector, were attacked.
“Our specialists take all the necessary measures for the complete restoration of the computer system, including the official [website].” The site remains down at the time of publication.
The National Bank blamed an “unknown virus” as the culprit, hitting several Ukrainian banks and some commercial enterprises. “As a result of cyber attacks, these banks have difficulties with customer service and banking operations,” a statement on the organization’s website read.
The deputy general director of Kiev’s Borispol Airport, Eugene Dykhne, said in a Facebook post: “Our IT services are working together to resolve the situation. There may be delays in flights due to the situation… The official Site of the airport and the flight schedules are not working.”
Kiev Metro, meanwhile, said today in a Twitter alert that it wasn’t able to accept bank card payments as a result of a ransomware infection.
It’s currently unclear whether the attacks are purely ransomware, or if myriad attacks are currently hitting various parts of Ukraine. Attacks on Ukraine’s power grid in 2015 and 2016 were believed to have been perpetrated by Russia, though the country denies all cyberattacks on foreign soil.
Though ransomware is typically used by cybercriminals, with WannaCry it was alleged a nation state was likely responsible for spreading the malware: North Korea. Cyber intelligence companies and the NSA believe with medium confidence that the nation used leaked NSA cyber weapons to carry out the attacks that took out hospitals in the U.K and infected hundreds of thousands of others.
How the ransomware spreads
Security researchers fear the latest outbreak is hitting systems via the same leaked NSA vulnerabilities as WannaCry. Early analysis of some Petya samples confirmed the so-called EternalBlue exploits, which targeted a now-patched vulnerability in Microsoft Windows, were used by the malware creators.
But CERT.be, the federal cyber emergency team for Belgium, pointed to a different flaw in Windows. As noted by security firm FireEye in April, attacks exploiting the bug allow a hacker to run commands on a user’s PC when they opened a malicious document. FireEye saw Office documents that contained the hack and downloaded popular malware types onto target computers.
CEO of Hacker House, Matthew Hickey, said the initial attacks appeared to have been delivered by that latter attack, using phishing emails containing Excel files. The Petya malware may have spread so quickly by subsequently using the worm features of the NSA attack, he added, confirming that the ransomware’s code certainly used EternalBlue.
“This time it’ll breach people who weren’t impacted by WannaCry because it’ll get to the internal networks via email,” Hickey warned.