Massive cyberattack spreads ransomware across Europe, US

The ransomware attack hit Ukraine particularly hard.

ByABC News
June 27, 2017, 9:16 PM

MOSCOW -- A massive cyberattack that freezes computers and demands a ransom to open them has hit companies in the U.S. and elsewhere around the world today, U.S. officials and private cybersecurity analysts said.

Among the American targets are the giant Merck pharmaceutical company in New Jersey; a major multinational law firm, DLA Piper; and possibly the Mondelez food company, which produces Oreo cookies.

According to American cybersecurity researchers, the ransomware attack used a global spam campaign to trick computer users into downloading malicious software that locks them out of their devices until they pay $300 in bitcoin. The email address where victims can confirm payment is not working, however, making recovery impossible.

Researchers tell ABC News that tens of thousands of computers across multiple large organizations in at least four continents have been hit, with organizations in Russia and the Ukraine the most affected.

While several researchers identified the virus as a derivative of the “Petya” ransomware, Kaspersky Lab, which congressional sources told ABC News is itself under FBI scrutiny, disputed that assessment, concluding that the virus was “a new ransomware that has not been seen before” and dubbing it “NotPetya.”

Like the WannaCry attack in May, today’s ransomware appears to be using the hacking tools EternalBlue and DoublePulsar developed by the U.S. National Security Agency and leaked to the public by the Shadow Brokers hacker group. The virus exploits a vulnerability in Microsoft Windows to spread quickly throughout networks with outdated security software.

"Many researchers are seeing evidence that the NSA exploits are being used to propagate this," John Bambenek of Fidelis Cybersecurity told ABC News. "Some ineffective security defenses allowed this to happen as well."

On Tuesday afternoon, Amit Serper, a researcher at the Boston-based cybersecurity firm Cybereason, tweeted that he had found a way to stop the malware using the virus’ original file name, though he cautioned it was not a “generic kill switch” like the one discovered to stop WannaCry, but only a “temporary workaround.”

Early reports indicated the virus affected major companies in Russia and Ukraine as well as the world’s largest shipping firm, Maersk, according to the affected companies and government sources.

Ukraine appears to have been particularly hard hit, with the country’s government reporting that some of its systems, as well as those of key institutions, including banks and telecom providers, were affected. Even radiation monitoring at the Chernobyl nuclear power station was impacted, with technicians forced to take measurements around the ruined station manually after their Windows computers were knocked out, Ukraine’s government said.

Merck confirmed on Twitter that its network was infected.

"We confirm our company's computer network was compromised today as part of global hack," the company tweeted. "Other organizations have also been affected. We are investigating the matter and will provide additional information as we learn more."

A spokesperson for DLA Piper, a global law firm with offices in Washington, D.C., confirmed that malware spread to its system, saying, “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.”

Mondelez International, a New Jersey–based food and drink company, released a statement saying its networks were down.

"The Mondelez International network is experiencing a global IT outage. Our global special situations management team is in place, and they are working to resolve the situation as quickly as possible. We will update as we have more information.”

Both the Department of Homeland Security and the FBI issued statements indicating that officials were aware of the attack and working to contain it.

"The Department of Homeland Security is monitoring reports of cyber attacks affecting multiple global entities and is coordinating with our international and domestic cyber partners," said the agency in a statement. "We stand ready to support any requests for assistance. Upon request, DHS routinely provides technical analysis and support. Information shared with DHS as part of these efforts, including whether a request has been made, is confidential."

"The FBI is aware of the reported global cyber attacks and takes all potential cyber compromises seriously," an FBI spokesperson told ABC News. "Threat mitigation, as well as bringing the perpetrators of cyber attacks to justice, are the FBI’s top priorities."

Photos of screens of affected computers and ATMs sent to ABC News and other media outlets showed the following message: "If you see this text, then your files are no longer accessible because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

Maersk reported its IT systems were affected by the attack, with local media showing the same ransom message from the firm’s offices in Rotterdam, Reuters reported.

Russia's state-owned energy giant Rosneft said it suffered a major attack and in a statement on Twitter said it succeeded in halting it. Workers at another oil company, Bashneft, that is owned by Rosneft, sent photos to the Russian newspaper Vedomosti showing their screens locked with the same ransom message. An analyst at IB-Group told the Russian news site RNS that at least 80 companies were affected in Russia and Ukraine.

In Ukraine the virus struck the country’s government administration. Vice Prime Minister Pavlo Rozenko wrote on Facebook that the Cabinet’s office computers were all locked out. Ukraine’s central bank said a number of banks in the country were hit, as well as a state energy company. Some ATMs in the country were blocked and displayed the lock-out screen. Ordinary Ukrainians reported being unable to use some banking services. Local Ukrainian media reported that the country’s Borispol airport and national rail company were also attacked.

In a post on his Facebook page, Anton Gerashchenko, an adviser to Ukraine’s Interior Ministry, called the cyberattack the worst in the country’s history. Ukrainian officials, including a spokesperson for Ukraine’s SBU intelligence service, were quick to point fingers at Russia for the attack, though there was no evidence so far that Moscow was behind it.

Researchers told ABC News that they do not believe that a nation was behind the attack and suggested that it could have been launched by a lone cybercriminal.

"I think what’s happened here is someone is launching this tool to stock a bitcoin wallet and is probably just surprised at how effective it is," said Erik Rasmussen, a former deputy prosecuting attorney and special agent with the U.S. Secret Service who now works for the cybersecurity firm Kroll. "This attack doesn't have a specific target, so it’s likely ransomware that’s gone awry and is just really good at doing damage."

Bambenek suggested that the surprise success of the virus has made its creator a top target for law enforcement.

"This individual has just put himself on the top of everybody’s dinner menu," he said.

ABC News’ Jack Date and Mike Levine contributed to this report.

Related Topics