A number of firms around the world are reporting that they have been impacted by a major cyber attack which the UK’s cyber security agency is describing as a “global ransomware incident.”
Many of the initial reports of organizations affected came from Ukraine, including banks, energy companies, and even Kiev’s main airport. But since then more incidents have been reported across Europe, indicating that the incident is spreading more widely.
The National Bank of Ukraine said it has been hit by an “unknown virus” and is having difficulty providing customer services and banking operations as a result, while Kiev’s Boryspil International Airport is also understood to be suffering from some kind of cyber attack. Even the radiation monitoring facility at the Chernobyl nuclear power plant has been hit.
Ukraine’s Interior Ministry has already called the cyber attack the biggest in Ukraine’s history.
Danish transport and energy firm Maersk has confirmed that its IT systems are down across multiple sites due to a cyber attack, while Russian petroleum company Rosneft has reported a “massive hacker attack” hitting its servers.
The attack has also hit the United States, with American pharmaceutical firm Merck stating that its computer network has been compromised as part of “a global hack”.
British advertising firm WPP has also said it has been affected by a cyber attack, and the UK’s National Cyber Security Centre is investigating reports of the attack.
“We are aware of a global ransomware incident and are monitoring the situation closely,” said an NCSC spokesperson.
EC3, Europol’s cybercrime division, is also looking into the global cyber attack. “We are urgently responding to reports of another major ransomware attack on businesses in Europe,” Rob Wainwright, Executive Director of Europol, said in a tweet.
Interpol has also confirmed its cyber unit in Singapore is “closely monitoring” the global ransomware attack and is liaising with member countries and other partners.
Many reports suggest that victims are seeing a ransom note, which indicates that systems are being infected with ransomware. If that’s the case, it’s the second major global ransomware outbreak in as many months, following the WannaCry epidemic which hit hundreds of thousands of PCs around the world.
Preliminary investigation by cybersecurity researchers at Bitdefender suggests that the malware being spread is an improved version of the GoldenEye ransomware, which is itself a variant of the Petya ransomware family.
The Petya ransomware family is particularly vicious: it not only encrypts the victims’ files using one of the most advanced cryptographic algorithms, but also encrypts the entire hard drive by overwriting the master boot record, preventing the computer from loading the operating system.
However, while many are suggesting that this is a Petya attack, researchers at Kaspersky Lab say organizations are being targeted by a form of ransomware which hasn’t been seen before. They’ve dubbed this ‘NotPetya’.
Kaspersky data suggests 2,000 users have been attacked so far, with organizations in Russia and Ukraine the most affected.
Meanwhile, analysts at Symantec say the ransomware, like WannaCry, is taking advantage of the EternalBlue Microsoft Windows exploit to spread. This Windows flaw is one of many zero-days which apparently was known by the NSA before being leaked by the Shadow Brokers hacking collective. Kaspersky also confirmed that the attack is using a modified version of the EternalBlue exploit to spread within corporate networks.
Microsoft released a patch for the vulnerability earlier this year, but as WannaCry and now this incident are demonstrating, many systems remain unpatched.
In addition to this, cyber security researchers at firms including Recorded Future say this attack appears to take advantage of the Windows Management Instrumentation Command-line (WMIC), the command-line tool used to execute system management commands on Windows.
WMIC requires a username and password, suggesting that the payload could also contain a trojan information stealer, meaning attackers can scrape usernames and passwords from the infected machine and jump from one unit to the next, potentially even to those patched against EternalBlue.
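The credential-based WMIC hop described above is something a defender can look for in process-creation telemetry even on hosts patched against EternalBlue. The following is an added example, not code from the article or any of the firms it cites: it scans constructed process-creation records (host, user, parent image, command line; assumed fields, not a real log format) and flags wmic invocations aimed at a remote host via `/node:`, ranking those that also pass explicit credentials and create a process highest.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed sample process-creation events (host, user, parent image, command line);
# these are made-up records for this example, not logs from any real incident.
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("ws01", "CORP\\alice", "explorer.exe", "notepad.exe C:\\notes.txt"),
    ("ws01", "CORP\\alice", "cmd.exe", "wmic os get caption"),  # local query, routine
    ("ws02", "CORP\\svc-backup", "rundll32.exe",
     'wmic /node:"fs01" /user:"CORP\\admin" /password:"Pa55" process call create "cmd /c whoami"'),
    ("ws03", "CORP\\bob", "cmd.exe", "wmic /node:fs02 process list brief"),
    ("dc01", "CORP\\admin", "powershell.exe",
     "C:\\Windows\\System32\\wbem\\wmic.exe /NODE:10.0.0.5 /USER:corp\\admin /PASSWORD:x process call create notepad"),
]

NODE_RE = re.compile(r'/node:"?([^"\s]+)"?', re.IGNORECASE)      # remote target host
CREDS_RE = re.compile(r'/(?:user|password):', re.IGNORECASE)       # explicit credentials
CREATE_RE = re.compile(r'\bprocess\s+call\s+create\b', re.IGNORECASE)  # remote process launch

@dataclass
class Finding:
    source_host: str
    user: str
    target: str
    explicit_credentials: bool
    spawns_process: bool
    severity: str

def is_wmic(cmdline: str) -> bool:
    """True when the first token of the command line is wmic or wmic.exe, with or without a path."""
    first = cmdline.strip().split()[0].strip('"').lower()
    return first.rsplit("\\", 1)[-1] in ("wmic", "wmic.exe")

def find_remote_wmic(events: Sequence[Tuple[str, str, str, str]]) -> List[Finding]:
    """Flag wmic runs aimed at another host (/node:). Credentials on the command line
    plus remote process creation is the pattern the article attributes to the malware."""
    findings = []
    for host, user, _parent, cmdline in events:
        if not cmdline.strip() or not is_wmic(cmdline):
            continue
        node = NODE_RE.search(cmdline)
        if not node:
            continue  # local wmic use is ordinary administration
        creds = bool(CREDS_RE.search(cmdline))
        spawns = bool(CREATE_RE.search(cmdline))
        severity = "high" if (creds and spawns) else "medium"
        findings.append(Finding(host, user, node.group(1), creds, spawns, severity))
    return findings
```

Running it over the sample returns three findings: two high (explicit credentials plus `process call create`) and one medium (a remote query without credentials), which is the triage order a responder would want.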