The Atlanta Journal-Constitution
HOW GLOBAL RANSOMWARE ATTACK HIT CLOSE TO HOME
Software scrambles data, demands ransom for release.
PARIS—A new and highly virulent outbreak of data- scrambling software caused disruption across the world Tuesday. Following a similar attack in May , the fresh assault paralyzed some hospitals, government offices and major multinational corporations in a dramatic demonstration of how easily malicious programs can bring daily life to a halt.
Ukraine and other parts of Europe were hit particularly hard by the newstrain of ransomware — malicious software that locks up computer files with all-but-unbreakable encryption and then demands a ransom for its release. As the malware began to spread across the United States, it affected companies such as the drugmaker Merck and Mondelez International, the owner of food brands such as Oreo and Nabisco. But its pace appeared to slow as the day wore on.
The origins of the malware remain unclear. Researchers picking the program apart found evidence its creators had borrowed from leaked National Security Agency code, raising the possibility that the digital havoc had spread using U.S. taxpayer-funded tools.
“The virus is spreading all over Europe and I’m afraid it can harm the whole world,” said Victor Zhora, the chief executive of Info safe IT in Kiev, where reports of the malicious software first emerged earlier on Tuesday.
In Ukraine , victims included top-level government offices, where officials posted photos of darkened computer screens; energy companies; banks; and even cash machines, gas stations, and supermarkets. Multinational companies, including theglobal law firm DLA Piper and Danish shipping giant A.P. Moller-Maersk were also affected, although the firms didn’t specify the extent of the damage.
In the U.S, a hospital in western Pennsylvania said it was dealing with a “widespread” cyberattack, but didn’t immediately release further details.
Security experts said Tuesday’s global cyberattack shares something in common with last month’s outbreak of ransomware, dubbed Wanna Cry : Both spread using digital lock picks originally created by the NSA and later published to the web by a still-mysterious group known as the Shadow brokers.
Security vendors including Bitdefender and Kaspersky said the NSA exploit, known as Eternal Blue, is allowing malware to spread rapidly by itself across internal computer networks at companies and other large organizations. Microsoft issued a security fix in March, but Chris Wysopal, chief technology offifficer at the security fifirm Veracode, warned that would only be effec- tive if 100 percent of computers on a company’s network were patched, saying that if one computer were infected, the malware could use a backup mechanism to spread to patched computers as well.
Bogdan Botezatu, an analyst with Bitdefender, compared such self- spreading software, often called “worms,” to a contagious disease.
“It’s like somebody sneezing into a train full of people,” Botezatu said. “You just have to exist there and you’re vulnerable.”
Aside from its method of propagation, the malware was different from Wanna Cry. Botezatu said the new program appeared to be nearly identical to Golden Eye, itself a variant of a known family of hostage-taking programs known as “Petya.”
The motives of those behind the malware remain unknown. Emails sent to an address posted to the bottom of ransom demands went unreturned. That might be because the email provider hosting that address, Berlin-based Posteo, pulled the plug on the account before the infection became widely known.
In an email, a Posteo representative said it had blocked the email address “immediately” after learning that it was associated with ransomware. The company added that it was in contact with German authorities “to make sure that we react properly.”
The blocked address may make it difficult for hackers to capitalize on the digital havoc, but it may also complicate victims’ attempts to retrieve their data. Without the hackers’ decryption key — or the discovery of some weakness in the malware’s code — the encrypted data may stay scrambled for a long time yet.
‘It’s like somebody sneezing into a train full of people. You just have to exist there and you’re vulnerable.’ Bogdan Botezatu, an analyst with Bitdefender