Ransomware virus hits computer servers across the globe

A major global cyber attack disrupted computers at Russia's biggest oil company, Ukrainian banks and multinational firms with a virus similar to the ransomware that infected more than 300,000 computers last month.

>>Reuters
Published : 27 June 2017, 04:22 PM
Updated : 28 June 2017, 07:29 AM

The rapidly spreading cyber extortion campaign, which began on Tuesday, underscored growing concerns that businesses have failed to secure their networks from increasingly aggressive hackers, who have shown they are capable of shutting down critical infrastructure and crippling corporate and government networks.

Businesses in the Asia-Pacific region reported some disruptions on Wednesday with the operations of several European companies hit, including India's largest container port, although the impact on companies and governments across the wider region appeared to be limited.

The ransomware virus includes code known as "Eternal Blue", which cyber security experts widely believe was stolen from the U.S. National Security Agency (NSA) and was also used in last month's ransomware attack, named "WannaCry".

"Cyber attacks can simply destroy us," said Kevin Johnson, chief executive of cyber security firm Secure Ideas. "Companies are just not doing what they are supposed to do to fix the problem."

The virus crippled computers running Microsoft Corp's Windows by encrypting hard drives and overwriting files, then demanded $300 in bitcoin payments to restore access. More than 30 victims paid into the bitcoin account associated with the attack, according to a public ledger of transactions listed on blockchain.info.

The logo of Russia's top crude producer Rosneft is seen at the company's headquarters, behind the Kremlin wall, in central Moscow May 27, 2013. Reuters

Microsoft said the virus could spread through a flaw that was patched in a security update in March.

"We are continuing to investigate and will take appropriate action to protect customers," a spokesman for the company said, adding that Microsoft antivirus software detects and removes it.

Australia, India hit

Operations at one of the three terminals of Jawaharlal Nehru Port (JNPT) in Mumbai, India's largest container port, were disrupted.

The impacted terminal is operated by Danish shipping giant AP Moller-Maersk, which also reported disruptions in Los Angeles. JNPT chairman Anil Diggikar told Reuters the port has been trying to clear containers manually and is operating at about a third of its capacity.

India-based employees at Beiersdorf, makers of Nivea skin care products, and Reckitt Benckiser (RB.L), which owns Enfamil and Lysol, told Reuters the ransomware attack had affected some of their systems.

In Australia, a Cadbury chocolate factory was hit, a trade union official said. Production at the Hobart factory on the island state of Tasmania ground to a halt late on Tuesday after computer systems went down.

Cadbury owner Mondelez International Inc said in a statement overnight staff in various regions were experiencing technical problems but it was unclear whether this was due to a cyber attack.

Cybersecurity firms Kaspersky Lab and FireEye Inc told Reuters they had detected attacks in other Asia-Pacific countries but did not provide details.

An employee sits next to a payment terminal out of order at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyber attacks earlier in the day, in Kiev, Ukraine, June 27, 2017. Reuters

Globally, Russia and Ukraine were most affected by the thousands of attacks, according to Kaspersky Lab, with other victims spread across countries including Britain, France, Germany, Italy, Poland and the United States. The total number of attacks was unknown.

Security experts said they expected the impact to be smaller than WannaCry because many computers had been patched with Windows updates in the wake of the WannaCry ransom attack last month to protect them against attacks using Eternal Blue code.

Still, the attack could be more dangerous than traditional strains of ransomware because it makes computers unresponsive and unable to reboot, Juniper Networks (JNPR.N) said in a blog post analysing the attack.

Other security experts said they did not believe that the ransomware released on Tuesday had a "kill switch", meaning that it might be harder to stop than WannaCry was last month.

Researchers said the attack may have borrowed malware code used in earlier ransomware campaigns known as "Petya" and "GoldenEye".

The MV Maersk Mc-Kinney Moller, the world's biggest container ship, arrives at the harbour of Rotterdam August 16, 2013. Reuters

Following last month's attack, governments, security firms and industrial groups aggressively advised businesses and consumers to make sure all their computers were updated with Microsoft patches to defend against the threat.

The US Department of Homeland Security said it was monitoring the attacks and coordinating with other countries. It advised victims not to pay the extortion, saying that doing so did not guarantee access would be restored.

'Don't waste your time'

The White House National Security Council said in a statement there was currently no risk to public safety. The United States was investigating the attack and determined to hold those responsible accountable, it said.

The NSA did not respond to a request for comment. The spy agency has not said publicly whether it built Eternal Blue and other hacking tools leaked online by an entity known as Shadow Brokers.

FILE PHOTO: Dispatchers are seen inside the control room of Ukraine's National power company Ukrenergo in Kiev, Ukraine, October 13, 2016. Reuters

Any organisation that heeded strongly worded warnings in recent months from Microsoft Corp to urgently install a security patch and take other steps appeared to be protected against the latest attacks.

Ukraine was particularly badly hit, with Prime Minister Volodymyr Groysman describing the attacks on his country as "unprecedented".

An advisor to Ukraine's interior minister said the virus got into computer systems via "phishing" emails written in Russian and Ukrainian designed to lure employees into opening them.

According to the state security agency, the emails contained infected Word documents or PDF files as attachments.

Yevhen Dykhne, director of the Ukrainian capital's Boryspil Airport, said it had been hit. "In connection with the irregular situation, some flight delays are possible," Dykhne said in a post on Facebook. A Reuters reporter who visited the airport late on Tuesday said flights were operating as normal.

FILE PHOTO: A terminal of Kiev International Airport is seen in Kiev, Ukraine, April 8, 2016. Reuters

Several private security experts have said they believe Shadow Brokers is tied to the Russian government, and that the North Korean government was behind WannaCry. Both countries' governments deny charges they are involved in hacking.

The first attacks were reported from Russia and Ukraine.

Russia's Rosneft (ROSN.MM), one of the world's biggest crude producers by volume, said its systems had suffered "serious consequences" but said oil production had not been affected because it switched over to backup systems.

Ukrainian Deputy Prime Minister Pavlo Rozenko said the government's computer network went down and the central bank reported disruption to operations at banks and firms, including the state power distributor.

WPP, the world's largest advertising agency, said it was also infected. A WPP employee who asked not to be identified said workers were told to shut down their computers. "The building has come to a standstill," the employee said.

A Ukrainian media company said its computers were blocked and had received the ransom demand.

"Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service," the message said, according to a screenshot posted on Ukraine's Channel 24.

Russia's central bank said there were isolated cases of lenders' IT systems being infected. One consumer lender, Home Credit, had to suspend client operations.