Northwest Arkansas Democrat-Gazette

Cyberattack reaches around globe

Malware targets include big firms, hospitals, public offices

- RAPHAEL SATTER AND FRANK BAJAK

Information for this article was contributed by Anick Jesdanun, Vladimir Isachenkov, Larry Rosenthal and Jan M. Olsen of The Associated Press; and by Andrew Roth and Isaac Stanley-Becker of The Washington Post.

PARIS — A new outbreak of data-scrambling software caused disruption around the world Tuesday. After a similar attack in May, the new assault paralyzed some hospitals, government offices and major multinational corporations.

Ukraine and Russia were hit particularly hard by the new strain of ransomware — malicious software that locks up computer files with all-but-unbreakable encryption and then demands a ransom for their release. As the malware began to spread across the United States, it affected companies such as the drugmaker Merck and Mondelez International, the owner of food brands such as Oreo and Nabisco. But its pace appeared to slow as the day wore on.

The origins of the malware remain unclear. Researchers picking the program apart found evidence its creators had borrowed from leaked National Security Agency code, raising the possibility that the digital havoc had spread using U.S. taxpayer-funded tools.

“The virus is spreading all over Europe, and I’m afraid it can harm the whole world,” said Victor Zhora, the chief executive of Infosafe IT in Kiev, Ukraine, where reports of the malicious software first emerged early Tuesday.

In Ukraine, victims included top-level government offices, where officials posted photos of darkened computer screens, as well as energy companies, banks, cash machines, gas stations and supermarkets. Ukrainian Railways and the communications company Ukrtelecom were among major enterprises hit, Infrastructure Minister Volodymyr Omelyan said in a Facebook post.

The virus hit the radiation monitoring at Ukraine’s shuttered Chernobyl power plant, site of the world’s worst nuclear accident, forcing it into manual operation.

Multinational companies, including the global law firm DLA Piper and Danish shipping giant A.P. Moller-Maersk, were also affected, although the firms didn’t specify the extent of the damage.

Ukraine bore the brunt with more than 60 percent of the attacks, followed by Russia with more than 30 percent, according to initial findings by researchers at the cybersecurity firm Kaspersky Lab. It listed Poland, Italy and Germany, in that order, as the next-worst affected.

In the U.S., two hospitals in western Pennsylvania were hit; patients reported on social media that some surgeries had to be rescheduled. A spokesman for Heritage Valley Health System would say only that operational changes had to be made.

Security experts said Tuesday’s global cyberattack shares something in common with last month’s outbreak of ransomware, dubbed WannaCry. Both spread using digital lock picks originally created by the NSA and later published to the Web by a still-mysterious group known as the Shadowbrokers.

Security vendors including Bitdefender and Kaspersky said the NSA exploit, known as EternalBlue, is allowing malware to spread rapidly by itself across internal computer networks at companies and other large organizations.

Microsoft issued a security fix in March, but Chris Wysopal, chief technology officer at the security firm Veracode, said it would only be effective if every single computer on a network were patched — otherwise, a single infected machine could infect all others.

“Once activated, the virus can automatically and freely distribute itself on your network,” Ukraine’s cyberpolice tweeted.

Aside from its method of propagation, the malware was different from WannaCry. Botezatu said the new program appeared to be nearly identical to GoldenEye, itself a variant of a known family of hostage-taking programs known as “Petya.” It demanded $300 in Bitcoin.

The motives of those behind the malware remain unknown. Emails sent to an address posted to the bottom of ransom demands went unreturned. That might be because the email provider hosting that address, Berlin-based Posteo, pulled the plug on the account before the infection became widely known.

In an email, a Posteo representative said it had blocked the email address “immediately” after learning that it was associated with ransomware. The company added that it was in contact with German authorities “to make sure that we react properly.”
