New Cyberattack Spreads From Russia to the United States
Computer systems from Russia to the United States were victims of an international cyberattack on Tuesday in a hacking that bore similarities to a recent one that crippled tens of thousands of machines worldwide.
As reports of the attack spread quickly, the Ukrainian government said that several of its ministries, radiation monitoring at the Chernobyl nuclear facility, local banks and metro systems had been affected. A number of companies — including the Danish shipping giant Maersk; Rosneft, the Russian energy giant; Saint-Gobain, the French construction materials company; and WPP, the British advertising agency — also said they had been targeted.
And in the first confirmed cases in the United States, Merck, the drug giant, confirmed that its global computer networks had been hit, as did DLA Piper, the multinational law firm.
It remains unclear who is behind this most recent cyberattack. Like the previous WannaCry attacks in May, Tuesday’s hack takes over computers and demands digital ransom to regain control.
“We are urgently responding to reports of another major ransomware attack on businesses in Europe,” Rob Wainwright, executive director of Europol, Europe’s police agency, said on Twitter.
Computer experts were calling the computer virus “Petya,” and said that it was similar to the WannaCry attack that spread quickly across much of Asia and Europe. Others cautioned, however, that it could be yet another type of ransomware.
At least nine European countries had been targeted in the latest attack, said Dan Smith, an information security researcher at Radware, a cybersecurity firm. “I first saw reports of this attack around 8 a.m. Eastern time coming from Ukraine, but it’s too early to tell who’s behind this,” Mr. Smith said.
Researchers at the computer security company Symantec said the new attack is using the same hacking tool created by the National Security Agency that was used in the WannaCry attacks. Called “Eternal Blue,” the tool was among dozens leaked online last April by a group known as the Shadow Brokers.
The vulnerability used by Eternal Blue was patched by Microsoft last April, but as the WannaCry attacks demonstrated, hundreds of thousands of organizations around the world failed to properly install the patch. But researchers at F-Secure, the Finnish cybersecurity firm, also noted that the ransomware used at least two other vectors to spread, beyond Eternal Blue, which suggests even those who implemented the Microsoft patch could be vulnerable.
“Just because you roll out a patch doesn’t mean it’ll be put in place quickly,” said Carl Herberger, vice president of security at Radware. “The more bureaucratic an organization is, the higher chance it won’t have updated its software.”
Immediate reports that the computer virus was a variant of Petya, suggest the attackers will be hard to trace. Petya was for sale on the so-called dark web, where its creators made the ransomware available as “ransomware as a service” — a play on Silicon Valley term for delivering software over the internet, according to the security firm Avast Threat Labs.
That means anyone can launch the ransomware, with the click of a button, encrypt someone’s systems and demand a ransom to unlock it. If the victim pays, the authors of the Petya ransomware, who call themselves “Janus Cybercrime Solutions,” get a cut of the payment.
That distribution model means that pinning down the individuals responsible for Tuesday’s attack could be difficult, if near impossible.
The attack is actually “an improved and more lethal version of WannaCry” according to Matthieu Suiche, a security researcher who helped contain the spread of the WannaCry ransomware last month when he created a “kill switch” that stopped the attacks from spreading.
Just over the past seven days, Mr. Suiche noted that WannaCry had attempted to hit another 80,000 organizations, but was prevented from executing attack code because of the kill switch.