Many corporates may still be feeling the heat from WannaCry, the ransomware attack that swept across the globe last month, targeting computers running Microsoft Windows. But corporates across the world have no time to waste in getting their cyber defenses in order, because another virus is sweeping the globe.
Reports first surfaced this week of a “massive cyberattack” originating in Europe and quickly spreading to major corporations across the globe.
According to Bloomberg reports Tuesday (June 27), the attack is similar to WannaCry, first targeting Russia and Ukraine, where more than 80 businesses were affected. The attack saw a ransom of $300 in cryptocurrency demanded from corporates to unlock their computers.
“It’s massive,” said McAfee lead scientist and principal engineer Christiaan Beek in an interview with Wired. “Complete energy companies, the power grid, bus stations, gas stations, the airport and banks are being targeted.”
Reports citing cyber experts said the attack began by infecting computers on which users had downloaded a tax accounting solution or visited a local news website.
On Tuesday, Kaspersky Lab analysts said 2,000 users had so far been affected, with Russia and Ukraine hit worst. Computers at the Chernobyl nuclear facility, Rosneft, and government systems and ATMs in Kiev were affected.
Global Expansion
News then quickly spread about the attack, which began to affect computers throughout the world. Cases were reported across Europe, the U.S. and South America, reports said, continuing into Wednesday (June 28).
Slovakia-based antivirus company ESET said that though 80 percent of cases among its customers were in Ukraine, the second-worst hit country was Italy, with about 10 percent of cases, the company told Reuters.
The attack is believed to have spread globally from multinational corporations with a presence in Ukraine. Shipping giant A.P. Moller-Maersk, which has a logistics unit in the country, was affected, as were France’s Saint Gobain and Cadbury owner Mondelez International, which similarly operate in Ukraine.
Maersk said its operations across India, Europe and the U.S. were affected by the attack, which left it unable to process new orders and caused congestion throughout its dozens of terminals across the globe.
BNP Paribas Real Estate was affected, too, though the firm said BNP’s banking operations were not.
“The international cyber attack hit our non-bank subsidiary, Real Estate,” the FI said in a statement Wednesday. “The necessary measures have been taken to rapidly contain the attack.”
But experts noted that this attack is not as destructive as WannaCry, and in some ways, WannaCry may have ultimately protected corporations that were motivated to upgrade and improve cybersecurity after the May attacks. Further, reports explained, the attack couldn’t crawl freely to find its next target as WannaCry could.
The ransomware was initially reported to be Petya, but according to a tweet from Kaspersky Lab, it is something else (and was therefore dubbed NotPetya by the company).
Reports said businesses running Windows that had installed Microsoft’s most recent security patches were largely protected against this attack.
The Blame Game
Experts say it is still unclear who initiated the attack. Ukraine has accused Russia of leading cyberattacks on its systems since the annexation of Crimea in 2014, but Russia, which has denied those accusations, said Wednesday that it has no involvement in the latest attacks.
“No one can effectively combat cyber threats on their own, and unfortunately, unfounded blanket accusations will not solve this problem,” a Kremlin spokesperson said.
Microsoft security teams, as well as those at Talos and Symantec, have confirmed that initial infections of NotPetya occurred when users downloaded Ukrainian tax software MEDoc, but M.E.Doc, which supplies that software, denied blame.
“Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process,” Microsoft said in a blog post.
While attackers were seeking $300 from their targets, experts said that whoever initiated the attack probably aimed for disruption, not ransom. Reports in Wired said only about $7,500 had been collected by the attackers since NotPetya began.
Brian Lord, former deputy director of intelligence and cyber operations at U.K.-based GCHQ and current managing director at private security provider PGI Cyber, told Reuters that NotPetya “starts to look like a state operating through a proxy … as a kind of experiment to see what happens.”
Experts say the full picture of the attack has yet to come to light as more is learned about NotPetya’s code and a possible motivation.