The New York Times

Mark Scott and Paul Mozur

Ransomware Attack Raises Concerns Over Future Assaults

Governments and organizations around the world grappled on Wednesday to contain a cyberattack that struck parts of Europe, the United States and Asia, the second time in two months that hackers have tried to shake down computer users, threatening to delete their data unless they paid up.

The worldwide cyberattack, which began and was most prevalent in Ukraine, has raised concerns that similar attempts will become more widespread as hackers mimic the techniques in future digital assaults.

Experts said that the most recent attack was less severe than a similar hacking in May, when software called WannaCry introduced the term “ransomware” to much of the world. The attack forced the closing of hospitals in Britain and disrupted other vital infrastructure, mostly in Europe.

Yet as law enforcement, governments and companies from the United States to India assessed the damage of the new attack, many cautioned that people should be prepared for such events to become a regular danger as criminals worldwide look to take advantage of the vulnerabilities in organizations’ digital infrastructure.

“It’s pretty clear that this attack was inspired by WannaCry,” said Gavin O’Gorman, an intelligence analyst at Symantec, a cybersecurity company. “We’ll likely see more of these types of attacks in the future.”

Like the WannaCry attack last month, computers struck by the virus displayed a message that their data had been encrypted and demanded a ransom — in this case, $300 — to decrypt it. Experts initially said the malware that began to strike computers on Tuesday was similar to a virus called Petya, first identified last year. But Kaspersky Lab, a cybersecurity firm based in Moscow, later said that it was a type of ransomware that had never been seen before.

The scope of the attack underlines the power of a cache of National Security Agency hacking tools that were leaked to the public. Hackers made use of the same N.S.A. tools that were used during the WannaCry episode, along with two other methods to promote its spread, according to Symantec.

The reason the cyberattack was less widespread was not immediately clear, though experts expressed doubt that the world had learned its lesson and prepared properly. So far, the hacking has generated more than $10,000 in ransom payments, a figure that is likely to rise.

Security researchers said the attack originated in Ukraine, seemingly timed to hit a day before a holiday marking the adoption in 1996 of Ukraine’s first Constitution. More than 12,500 machines in the country were targeted, according to Microsoft, though the online attack quickly spread to 64 other countries.

While law enforcement officials struggled to determine who was behind the attack, Microsoft said the assailants initially focused on supply-chain software run by M.E.Doc, a Ukrainian company specializing in tax accountancy. In a Facebook post, M.E.Doc denied that it was the source of the attack.

The attack targeted businesses in Ukraine, Russia and Poland, according to a post from Kaspersky Lab. According to the report, those three countries, as well as Italy and Germany, were most affected.

“The rapid spread of the Petya ransomware is unfortunate yet unsurprising,” said Michela Menting, a cybersecurity expert at ABI Research in Geneva. “The WannaCry attack should have been a wake-up call for organizations worldwide.”

In Russia, Home Credit, one of the country’s biggest lenders, was paralyzed when all of its offices closed after the attack struck. It said in a statement on Wednesday that it had suspended all of its I.T. systems at the time, but they would return to operation by Wednesday.

Still, companies and government offices worldwide appeared less affected than they were by the WannaCry attack, notably in places like China, which was hard hit in May. Reports from Asia suggested that many of the companies hit were the local arms of European and American companies that were struck on Tuesday.

In Mumbai, India, a port terminal operated by A.P. Moller-Maersk, the Danish shipping giant, was shut down on Tuesday afternoon after it disclosed that it had been hit by the malware. In a statement, Indian port authorities said they were taking steps to relieve congestion, including finding places to park stranded cargo.

On the Australian island of Tasmania, computers in a Cadbury chocolate factory owned by Mondelez International, the American food company, displayed the ransomware message, according to the local news media.

“We continue to work quickly to address the current global I.T. outage across Mondelez International and to contain any further exposure to our network,” a spokeswoman for the company said, adding that it was not clear when the company’s systems would be back up.

The virus also spread to the Australian branches of DLA Piper, a law firm with offices around the world. The firm warned clients that it was dealing with a “serious global cyber incident” and said that it had taken down its communications as a precaution.

The Australian government urged companies to install security updates and isolate any infected computers from their main networks.

In China, which was hit hard by the WannaCry attack last month, there were only scattered reports of the malware. Qihoo 360, a Chinese computer security company, said the attack hit far fewer companies and government offices than WannaCry. Without giving a specific total, Qihoo’s chief security engineer, Zheng Wenbin, said the number of reported incidents was only a tenth of what was seen during WannaCry.

“It’s not a widespread outbreak,” Mr. Wenbin said, adding that many of the affected networks in the country were associated with companies involved in international trade or transnational communications.

Experts cautioned that paying the ransom would not help restore computers, adding that the unnamed attackers were unlikely to be motivated by financial gain.

Brian Lord, former deputy director for intelligence and cyberoperations at Britain’s Government Communications Headquarters, the country’s equivalent to the N.S.A., said the attackers had made it overly complicated for individuals to pay the potential ransom.

He said that, rather than aiming for financial rewards, the hackers were trying to create the largest amount of disruption — particularly in Ukraine, where the attack began.

“They get a double whammy from the initial cyberattack, and then from organizations being forced to shut down their operations to avoid spreading the attack,” said Mr. Lord, who is now managing director for cyber and technology at PGI Cyber, an online security company. “That causes the most amount of disruption.”

Isabella Kwai and Hari Kumar contributed reporting. Carolyn Zhang contributed research.

This article originally appeared in The New York Times.

This article was written by Mark Scott and Paul Mozur from The New York Times and was legally licensed through the NewsCred publisher network.