New cyber attack wallops Europe; spreads slowly in US

South Florida Times - - BUSINESS - Associated Press

By RAPHAEL SATTER AND FRANK BAJAK

PARIS (AP) - A new and highly virulent outbreak of data-scrambling software caused disruption across the world Tuesday. Following a similar attack in May, the fresh assault paralyzed some hospitals, government offices and major multinational corporations in a dramatic demonstration of how easily malicious programs can bring daily life to a halt.

Ukraine and other parts of Europe were hit particularly hard by the new strain of ransomware - malicious software that locks up computer files with all-but-unbreakable encryption and then demands a ransom for its release. As the malware began to spread across the United States, it affected companies such as the drugmaker Merck and Mondelez International, the owner of food brands such as Oreo and Nabisco. But its pace appeared to slow as the day wore on.

The origins of the malware remain unclear. Researchers picking the program apart found evidence its creators had borrowed from leaked National Security Agency code, raising the possibility that the digital havoc had spread using U.S. taxpayer-funded tools.

"The virus is spreading all over Europe and I'm afraid it can harm the whole world," said Victor Zhora, the chief executive of Infosafe IT in Kiev, where reports of the malicious software first emerged earlier on Tuesday.

In Ukraine, victims included top-level government offices, where officials posted photos of darkened computer screens; energy companies; banks; and even cash machines, gas stations, and supermarkets. Multinational companies, including the global law firm DLA Piper and Danish shipping giant A.P. Moller-Maersk, were also affected, although the firms didn't specify the extent of the damage.

In the U.S., a hospital in western Pennsylvania said it was dealing with a "widespread" cyberattack, but didn't immediately release further details.

Security experts said Tuesday's global cyberattack shares something in common with last month's outbreak of ransomware, dubbed WannaCry: Both spread using digital lock picks originally created by the NSA and later published to the web by a still-mysterious group known as the Shadowbrokers.

Security vendors including Bitdefender and Kaspersky said the NSA exploit, known as EternalBlue, is allowing malware to spread rapidly by itself across internal computer networks at companies and other large organizations. Microsoft issued a security fix in March, but Chris Wysopal, chief technology officer at the security firm Veracode, warned that would only be effective if 100 percent of computers on a company's network were patched, saying that if one computer were infected, the malware could use a backup mechanism to spread to patched computers as well.

Bogdan Botezatu, an analyst with Bitdefender, compared such self-spreading software, often called "worms," to a contagious disease.

"It's like somebody sneezing into a train full of people," Botezatu said. "You just have to exist there and you're vulnerable."

Aside from its method of propagation, the malware was different from WannaCry. Botezatu said the new program appeared to be nearly identical to GoldenEye, itself a variant of a known family of hostage-taking programs known as "Petya."

The motives of those behind the malware remain unknown. Emails sent to an address posted to the bottom of ransom demands went unreturned. That might be because the email provider hosting that address, Berlin-based Posteo, pulled the plug on the account before the infection became widely known.

In an email, a Posteo representative said it had blocked the email address "immediately" after learning that it was associated with ransomware. The company added that it was in contact with German authorities "to make sure that we react properly."

The blocked address may make it difficult for hackers to capitalize on the digital havoc, but it may also complicate victims' attempts to retrieve their data. Without the hackers' decryption key - or the discovery of some weakness in the malware's code - the encrypted data may stay scrambled for a long time yet.
