A major ransomware attack on Tuesday hit computers at Russia’s biggest oil company, the country’s banks, Ukraine’s international airport as well as global shipping firm A.P. Moller-Maersk.
Moscow-based cyber security firm Group IB said hackers had exploited code developed by the U.S. National Security Agency (NSA) which was leaked and then used in the WannaCry ransomware attack that caused global disruption in May.
One of the victims of Tuesday’s cyber attack, a Ukrainian media company, said its computers were blocked and it had received a demand for $300 worth of the Bitcoin crypto-currency to restore access to its files.
“If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service,” the message said, according to a screenshot posted by Ukraine’s Channel 24.
The same message appeared on computers at Maersk offices in Rotterdam, according to screenshots posted on local media.
The Danish shipping giant said it had been hit across multiple regions by a computer outage. “We can confirm the breakdown is caused by a cyber attack,” a spokeswoman said.
Other companies that said they had been hit by a presumed cyber attack included Russian metal maker Evraz, French construction materials firm Saint Gobain and the world’s biggest advertising agency, WPP – though it was not clear if their problems were caused by the same virus.
Food company Mondelez International also said its staff in different regions were experiencing technical problems.
Wannacry Again
Cyber security firms scrambled to understand the scope and impact of the attacks, seeking to confirm suspicions hackers had leveraged the same type of NSA hacking tool exploited by WannaCry and to identify ways to stop the onslaught.
Researchers with multiple firms identified the ransomware as Petya, malware that makes computers inoperable by encrypting their hard drives and demands ransoms in exchange for a digital key to restore access.
“It’s like WannaCry all over again,” said F-Secure Chief Research Officer Mikko Hypponen.
He said it was highly likely the attack had exploited the NSA hacking tool and he expected the outbreak to be reported in the Americas soon, as workers turned on vulnerable machines, allowing the virus to attack.
“Nothing is stopping Petya now. This could hit the U.S.A. pretty bad,” he said.
The first reports of disruption emerged from Russia and Ukraine, with Ukraine’s Prime Minister Volodymyr Groysman describing the attacks on his country as “unprecedented.”
An advisor to Ukraine’s interior minister said the virus got into computer systems via “phishing” emails written in Russian and Ukrainian designed to lure employees into opening them.
In Russia, Rosneft, one of the world’s biggest oil producers, said its crude production had not been affected by the outage. The company’s website went down for at least two hours but was back up by 1450 GMT.
“The hacking attack could lead to serious consequences, but the company has moved to a reserve production processing system and neither oil output nor refining have been stopped,” it said on Twitter.
In Ukraine, Yevhen Dykhne, director of the capital’s Boryspil Airport, said it had been hit too. “In connection with the irregular situation, some flight delays are possible,” Dykhne said in a post on Facebook.
Ukrainian Deputy Prime Minister Pavlo Rozenko said the government’s computer network had gone down and posted a picture on Twitter of a computer screen with an error message.
The Ukrainian central bank said a number of banks and companies, including the state power distributor, were hit by a cyber attack that disrupted some operations.
“As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations,” the central bank said in a statement. (Additional reporting by European bureau and Jim Finkle in Toronto; writing by Christian Lowe; editing by David Clarke)