The Washington Post

Companies struggle to recover after massive cyberattack with ransom demands

June 28, 2017 at 10:54 a.m. EDT

Companies worldwide struggled to recover Wednesday after a wave of powerful cyberattacks crippled computer systems in Europe, Asia and the United States with a virus similar to the one behind the global ransomware assault in May.

Researchers at Kaspersky Lab in Russia said Wednesday that a regional Ukrainian website was hacked and used to distribute the ransomware, which attacked around 2,000 users across the globe.

The company said that its preliminary findings suggest the malware is a new kind of ransomware not seen before, not a variant of the Petya ransomware, as other cybersecurity researchers had suggested. It named the malware *ExPetr*, adding that while “it has several strings similar to Petya, it possesses entirely different functionality.”

Kaspersky estimated that more than 2,000 attacks were carried out — 60 percent of them in Ukraine and 30 percent in Russia. Among the targets was Russia’s largest oil company.

But Kremlin spokesman Dmitry Peskov said “no serious problems” had occurred as a result of the cyberattacks. Speaking on a conference call Wednesday, Peskov also said he had no accurate information on the origin of the attacks.


The worst damage was in Ukraine, and some Ukrainian officials initially expressed suspicions that the attacks originated in Russia. The country's cyber police department told the Interfax news agency that it has received more than 1,000 reports of attacks. They affected government ministries, banks, utilities and other important infrastructure and companies nationwide, demanding ransoms from government employees in the cryptocurrency bitcoin.

The virus even downed systems at the site of the former Chernobyl nuclear power plant in northern Ukraine, forcing scientists to manually monitor radiation levels at the site of a 1986 disaster that released massive amounts of radioactive material.

Companies in Belarus were also hit, the country's Interior Ministry said Wednesday. It said infected files were being sent under the guise of CVs, financial reports and other documents, or disguised as archives containing documents.

On Wednesday, Danish shipping giant A.P. Moller-Maersk said it was working to restore its operations a day after being hit by the cyberattack.

“We have contained the issue and are working on a technical recovery plan with key IT partners and global cyber security agencies,” Maersk, which handles one in every seven containers shipped worldwide, said in a stock exchange announcement.

The Copenhagen-based group said APM Terminals, an international container terminal operating company owned by Maersk, was affected “in a number of ports.” But it said its vessels with Maersk Line were “maneuverable, able to communicate and crews are safe.”

Cyberattacks also spread as far as India and the United States, where the pharmaceutical giant Merck reported on Twitter that "our company's computer network was compromised today as part of global hack." The New Jersey-based company said it was investigating the attack.

France’s biggest bank, BNP Paribas, said Wednesday that its real estate unit, which provides services to corporations around Europe, was hit.

“The international cyber attack hit our non-bank subsidiary, Real Estate. The necessary measures have been taken to rapidly contain the attack,” the bank said in a statement to Reuters.

Kaspersky said the cyberattack involved modified versions of EternalBlue and EternalRomance, “exploits” developed by the National Security Agency that were later leaked onto the Internet by hackers. It was the second massive attack in the past two months to use powerful U.S. exploits against the IT infrastructure that supports national governments and corporations.

The onslaught of ransomware attacks may be the “new normal,” said Mark Graff, chief executive of Tellagraff, a cybersecurity company.

“The emergence of Petya and WannaCry really points out the need for a response plan and a policy on what companies are going to do about ransomware,” he said. WannaCry was the ransomware used in the May attack. “You won’t want to make that decision at a time of panic, in a cloud of emotion.”

The attack also hit companies in Spain, Norway and Britain. Victims included the British advertising and marketing multinational WPP. India’s biggest container port was also crippled when a Maersk-run terminal in Mumbai was hit.

The scale of the hacks and the use of ransomware recalled the massive cyberattack in May, in which hackers possibly linked to North Korea disabled computers in more than 150 nations using a flaw that was once incorporated into the NSA’s surveillance tool kit.


Cyber researchers have tied the vulnerability exploited by the latest virus to the one used by WannaCry — a weakness discovered by the NSA years ago that the agency turned into a hacking tool dubbed EternalBlue.

The Petya-like malware, like WannaCry, is a worm that spreads quickly to vulnerable systems, said Bill Wright, senior policy counsel for Symantec, the world’s largest cybersecurity firm. Its pervasiveness is what makes it difficult to control — or to aim at anyone in particular, he said.

“Once you unleash something that propagates in this manner, it’s impossible to control,” he said.

Although Microsoft in March made available a patch for the Windows flaw exploited by EternalBlue, Petya and its variants use other techniques to infect systems, said Jeff Greene, Symantec government affairs director. “It’s a worm that has multiple ways to spread,” he said, which could explain why there are victims who applied the EternalBlue patch and still were affected.

The malware Kaspersky is calling *ExPetr* differs from WannaCry in that it does not appear to reach out to the Internet and scan for vulnerable systems, said Paul Burbage, a malware researcher with Flashpoint, a cyberthreat analysis firm. It limits itself to the computers linked to the same router.
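The two paragraphs above describe the traffic pattern defenders were left to look for: a worm that does not scan the Internet but instead pushes itself to neighbouring machines on the local network over the same SMB channel EternalBlue targets, and that keeps spreading on networks where the patch was applied unevenly. The following is an added example, not code from the article, Kaspersky, Symantec or Flashpoint: a small Python detector that reads constructed connection-log lines (timestamp, source, destination, destination port) and flags any internal host that reaches an unusual number of distinct internal peers on port 445 within a short window. The log format, the 60-second window and the ten-host threshold are all assumptions chosen for illustration.

```python
"""
Added example (not from the article or any vendor named in it): flag the
local-network SMB fan-out that a worm confined to the same network produces.
Log format, window length and threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log lines: "<ISO timestamp> <src> <dst> <dport>".
# 10.0.5.17 contacts eleven different internal hosts on 445 in six seconds;
# 10.0.5.40 talks repeatedly to one file server; 10.0.5.41 browses the Internet.
SAMPLE_LOG = """\
2017-06-27T13:02:01 10.0.5.17 10.0.5.20 445
2017-06-27T13:02:02 10.0.5.17 10.0.5.21 445
2017-06-27T13:02:02 10.0.5.17 10.0.5.22 445
2017-06-27T13:02:03 10.0.5.17 10.0.5.23 445
2017-06-27T13:02:03 10.0.5.17 10.0.5.24 445
2017-06-27T13:02:04 10.0.5.17 10.0.5.25 445
2017-06-27T13:02:05 10.0.5.17 10.0.5.26 445
2017-06-27T13:02:05 10.0.5.17 10.0.5.27 445
2017-06-27T13:02:06 10.0.5.17 10.0.5.28 445
2017-06-27T13:02:07 10.0.5.17 10.0.5.29 445
2017-06-27T13:02:07 10.0.5.17 10.0.5.30 445
2017-06-27T13:05:00 10.0.5.40 10.0.5.2 445
2017-06-27T13:05:30 10.0.5.40 10.0.5.2 445
2017-06-27T13:06:10 10.0.5.41 93.184.216.34 443
2017-06-27T13:20:00 10.0.5.17 10.0.5.31 445
"""

# Assumed thresholds: a workstation opening SMB to ten or more distinct
# internal peers inside one minute is fan-out that normal file-share use
# rarely shows; tune both values to the network being monitored.
WINDOW = timedelta(seconds=60)
FANOUT_THRESHOLD = 10
SMB_PORT = 445


def parse_log(text):
    """Parse log lines into sorted (timestamp, src, dst, dport) tuples.

    Blank or malformed lines are skipped rather than aborting the run.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
            port = int(parts[3])
        except ValueError:
            continue
        events.append((ts, src, dst, port))
    events.sort(key=lambda e: e[0])
    return events


def find_smb_fanout(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {src: (window_start, distinct_internal_dsts)} for sources over threshold.

    Only internal-to-internal SMB connections are counted, which matches a
    worm that stays on the local network instead of scanning the Internet.
    A sliding window per source counts distinct destinations; the first
    window that reaches the threshold produces the alert.
    """
    per_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == SMB_PORT and src.is_private and dst.is_private and src != dst:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, conns in per_src.items():
        start = 0
        for end in range(len(conns)):
            # Advance the window start until it fits within `window` of `end`.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = {dst for _, dst in conns[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = (conns[start][0], len(distinct))
                break
    return alerts


if __name__ == "__main__":
    for src, (first_seen, n) in find_smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: SMB to {n} distinct internal hosts "
              f"starting {first_seen.isoformat()}")
```

On the constructed sample only 10.0.5.17 is reported, and it is reported at the tenth distinct peer rather than after the burst ends, which is the point of a sliding window: the alert arrives while the host is still mid-spread. The repeated connections from 10.0.5.40 to a single file server are ignored because distinct destinations, not connection counts, are what separate worm propagation from ordinary SMB use. This checks only one of the spread paths the article mentions; a host that was reached by a different technique would need its own signal.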

He said the variant of Petya used in the attacks is called GoldenEye, which was sold on underground forums used mainly by Russian-speaking criminal hackers.


The ransomware hit Europe in the early afternoon Tuesday. In Ukraine, breaches were reported at computers governing the municipal energy company and airport in the capital, Kiev, the state telecommunications company Ukrtelecom, the Ukrainian postal service and the State Savings Bank of Ukraine.

Grocery store checkout machines broke down, ATMs demanded ransom payments, and the turnstile system in the Kiev metro reportedly stopped working.

The mayhem reached high into the government. Ukrainian Deputy Prime Minister Pavlo Rozenko on Tuesday tweeted a picture of a computer screen warning in English that “one of your disks contains errors,” then adding in all capital letters: “DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL YOUR DATA!”

“Ta-Dam!” he wrote. “It seems the computers at the Cabinet of Ministers of Ukraine have been ‘knocked out.’ The network is down.” His spokeswoman published a photograph showing demands for a ransom in bitcoin to release data encrypted by the virus.

Suspicions in Ukraine quickly fell on Russia, which annexed Crimea in 2014 and has been blamed for several large-scale cyberattacks on Ukraine’s power infrastructure. But no proof of the attack was presented, and Russian companies, like the oil giant Rosneft, also complained of being hit by a “powerful hacking attack.” Photographs leaked to the news media from a Rosneft-owned regional oil company showed computers displaying ransomware demands similar to those in Ukraine.

Nakashima reported from Washington. Isaac Stanley-Becker in Berlin and Hamza Shaban and Julie Tate in Washington contributed to this report.
