Massive Ransomware Attack Hits Ukraine; Experts Say It's Spreading Globally
Updated at 5:57 p.m. ET
Ransomware hit at least six countries Tuesday, including Ukraine, where it was blamed for a large and coordinated attack on key parts of the nation's infrastructure, from government agencies and electric grids to stores and banks.
The malware has been called "Petya" — but there is debate in the security community over whether the ransomware is new or a variant that has been enhanced to make it harder to stop.
In either case, it appears to be spreading globally, raising fears it might rival another widespread attack — the WannaCry outbreak that struck in May.
The Maersk shipping company, based in Denmark, confirmed that its "IT systems are down across multiple sites and business units due to a cyber attack." And pharmaceutical giant Merck tweeted that its "computer network was compromised today as part of global hack."
In the U.S., Department of Homeland Security spokesman Scott McConnell says the agency is "monitoring reports of cyber attacks affecting multiple global entities and is coordinating with our international and domestic cyber partners."
Any requests for help from DHS are confidential, McConnell says.
Interpol says it is also "closely monitoring" the suspected attack.
Computers hit by the malware display a locked screen that demands a payment to retrieve files. The malware promises to provide a specialized key to users who pay a ransom of $300 in bitcoins — the same ploy used by the WannaCry ransomware, which affected computers in more than 150 countries.
WannaCry was based on exploits stolen from the National Security Agency — including a program called EternalBlue, which exploited a Microsoft vulnerability. Petya reportedly shares some of WannaCry's traits, but while computers that had received the security patch were safe from WannaCry, Petya can also infect patched machines.
Mikko Hypponen, chief research officer at F-Secure, says Petya uses other exploits to spread in internal systems. "That's why patched systems can get hit."
Signs that this is a new strain led Kaspersky Lab malware analyst Vyacheslav Zakorzhevsky to say the outbreak comes from a "new ransomware we haven't seen before." For this reason, Kaspersky announced in a statement it would be coining a new name for the ransomware: "ExPetr."
"The company's telemetry data indicates around 2,000 attacked users so far," its statement continued, noting Ukraine and Russia appear to be the most affected. But "we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries."
Kaspersky is an NPR funder.
Raj Samani, head of strategic intelligence at McAfee, echoed these assessments.
"This outbreak does not appear to be as great as WannaCry," Samani said in a statement, "but the number of impacted organizations is significant."
Ukraine's security experts are working to fix the problem, according to the government portal. Until the issue is resolved, the government said, Ukrainians should simply turn off their computers.
While the malware's most concentrated effects were reported in Ukraine, several companies and at least one utility in Russia were also reportedly affected.
From Moscow, NPR's Lucian Kim reports, "Ukraine has blamed Russia for cyberattacks in the past, a charge Moscow denies. A number of Russian companies, including the state oil giant Rosneft, have also reported suffering cyberattacks today."
The attack struck at 2 p.m. local time, Ukraine's government says. The country's National Bank was among the first to report a problem. In Russia, the malware hit companies such as Mars, Nivea and Mondelez International, according to the Tass news agency.
Anton Gerashchenko, a lawmaker and adviser to Ukraine's interior minister, says he believes that despite its appearance as a ransomware hack, the attack is actually the work of Russian agents waging a type of hybrid warfare to try to destabilize Ukraine.
The malware was delivered in emails that had been created to resemble business correspondence, Gerashchenko said on his Facebook page. He added that the attack took days and likely weeks to stage before being activated.