A global ransomware attack slammed businesses around the world Tuesday, affecting oil companies, a major shipping line, banks and a major U.S. pharmaceutical company, and marking the second consecutive month that such an epidemic swept the world. Tuesday’s impact spanned from India to the United States, although it hit hardest in Ukraine and Russia.
Like a previous attack that affected more than 150 countries on May 12, Tuesday’s virulent outbreak appeared to be powered by a U.S. cyber weapon stolen from the National Security Agency.
The epidemic used a variant of ransomware known as Petya, and it froze hard drives of tens of thousands of computers and left screen messages demanding that owners make a payment of $300 to unlock their data.
While Ukraine and Russia were hardest hit, other countries that felt the impact included France, Spain, Denmark, Poland, Italy, Germany, Brazil, Turkey, India and the United States.
The big U.S. pharmaceutical company Merck, based in Kenilworth, New Jersey, acknowledged in a tweet that it had been hit: “We confirm our company's computer network was compromised today as part of global hack.”
One of the largest health networks in western Pennsylvania, Heritage Valley Health System, said that a “cyber security incident” had affected all operations at its two hospitals and 18 satellite centers but it wasn’t clear if the incident was linked to the Petya ransomware.
A number of global companies reported damage. They included Rosneft, the Russian firm that is the world’s largest publicly traded oil company; the Danish shipping and energy giant A.P. Moller-Maersk; WPP, the British advertising giant, and France’s Saint Gobain construction materials company.
The outbreak appeared to spread through an update sent by a financial software company, MeDoc, in Ukraine.
“Essentially what happened is MeDoc (big financial software) was hacked and they pushed out the malware via the update feature,” posted a security researcher, Marcus Hutchins, who is credited with finding and activating a “kill switch” that put a halt to the WannaCry epidemic in May.
The cyberattack slowed operations at Boryspyl International Airport near Ukraine’s capital, Kyiv, and hit several major public sector enterprises, including the central bank, before dashing across borders.
There may be delays in flights due to the situation.
Yevhen Dykhne, director of Kyiv’s Boryspyl International Airport
“Our IT services are working together to resolve the situation. There may be delays in flights due to the situation,” airport director Yevhen Dykhne said in a statement.
The radiation monitoring system at the ruins of the Chernobyl nuclear plant, site of a catastrophic nuclear accident in Ukraine in 1986, was affected by the cyberattack, the French news agency AFP reported.
The Petya ransomware was an older criminal Trojan that had been given new life and a mechanism for self-replicating through a stolen NSA tool known as EternalBlue, said Nick Bilogorskiy, senior threat director at Cyphort, a Santa Clara, California, cybersecurity firm, in an emailed statement.
The initial infection occurs when a recipient opens a malicious link, he said, which then encrypts the computer’s master file.
“This variant asks for $300 via Bitcoin,” Bilogorskiy said, referring to a digital currency favored by hackers for its anonymity.
European companies took to Twitter or their websites to get word out about outages.