SAN FRANCISCO — A massive ransomware attack called “Petya” has hit businesses around the world, causing major companies to shut down their computer systems.
Researchers are still investigating the software behind the attack, warning that it’s more sophisticated than the WannaCry worm that struck hundreds of thousands of computers across the globe last month.
“WannaCry was a tremendous failure. It was a lot of noise, very little money, and everyone noticed it,” said Craig Williams, an expert at cybersecurity firm Cisco Talos. “What we’re seeing today is a much more intelligent worm.”
Big global brands — like Mondelez, the maker of Oreos, and British advertising giant WPP — say their IT systems are experiencing problems.
Here’s what you need to know about the attack:
What does it do?
The ransomware infects computers and locks down their hard drives. It demands a $300 ransom in the anonymous digital currency Bitcoin.
The email account associated with the ransomware has been blocked, so even if victims pay, they won’t get their files back.
Law enforcement and cybersecurity experts agree that victims should never pay ransoms for such attacks.
How does it spread?
Researchers say the ransomware virus is a worm that infects networks by moving from computer to computer.
It uses a hacking tool called EternalBlue, which takes advantage of a weakness in Microsoft Windows. Microsoft released a patch for the flaw in March, but not all companies have used it.
EternalBlue was in a batch of hacking tools leaked earlier this year that are believed to have belonged to the U.S. National Security Agency.
Who’s been hit?
Top international businesses headquartered in Europe and the U.S. have come under attack. They include Russian oil and gas giant Rosneft, Danish shipping firm Maersk, U.S.-based pharmaceutical company Merck and law firm DLA Piper. French retailer Auchan Group and the real estate division of BNP Paribas were also affected.
Ukrainian organizations took a particularly heavy blow. Banks, government offices, the postal service and Kiev’s metro system were experiencing problems, officials said. The ransomware also caused problems with the monitoring system of the Chernobyl nuclear power plant.
It’s not yet clear if companies in the Asia-Pacific region have been seriously affected.
Mondelez said its five manufacturing facilities in Australia and New Zealand had all been hit but some of them were still able to carry out limited production. And a Maersk facility for shipping containers in the Indian port city of Mumbai was shut down.
“There obviously are companies that will have been affected by this in Asia,” said Michael Gazeley, managing director of Hong Kong-based cybersecurity provider Network Box. “But the success levels are lower, as they’re attacking the same vulnerabilities as WannaCry.”
Am I vulnerable?
Regular consumers who have up-to-date Windows computers are safe from this attack, experts say. However, if there’s one out-of-date machine on a company’s network, it could infect other connected computers.
Where did it start?
Researchers are still figuring out exactly what happened. But Cisco Talos says one way the ransomware got into computer systems was through software in Ukraine, a country that was hit especially hard by the attacks.
A Ukrainian company called MeDoc sent out a compromised update to its tax software that contained the malware, infecting computers that were running it, said Williams, the security expert at Cisco Talos.
Ukrainian officials confirmed a possible link to MeDoc. But the company denied its software spread the infection, saying in a Facebook post that the update was sent out last week and was free of viruses.
Who’s behind it?
It’s still too early to say who might be responsible for unleashing the virus.
Intelligence agencies and security researchers have linked last month’s WannaCry attack to a group associated with North Korea. But it’s unclear if the new ransomware worm is connected.
How is this different from WannaCry?
Like WannaCry, the new ransomware attack uses the EternalBlue tool to spread. But researchers say it also uses other parts of Windows to infect computers, including seizing user credentials.
Unlike WannaCry, it locks down a computer’s entire hard drive instead of just the files. And it didn’t shoot across the internet the way WannaCry did — instead, it spreads inside company networks.
“It seems that the ones in charge of this campaign have learned quite a lot from the WannaCry campaign,” said Itay Glick, the CEO of Israeli cybersecurity company Votiro.