Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down

  • Huge cyber attack cripples firms, airports, banks and government departments in Ukraine
  • Hack may have spread to Britain, with the advertising firm WPP affected
  • Danish and Spanish multinationals also paralysed by attack
  • Virus ‘a form of ransomware’ known as Petya 

Major firms, airports and government departments in Ukraine have been struck by a massive cyber attack which began to spread across Europe on Tuesday afternoon. 

In Ukraine, government departments, the central bank, a state-run aircraft manufacturer, the airport in Kiev and the metro network have all been paralysed by the hack.

In the UK, the advertising firm WPP said its systems had also been struck down, while in the Netherlands a major shipping firm confirmed its computer terminals were malfunctioning. 

The virus is believed to be ransomware – a piece of malicious software that shuts down a computer system and then demands an extortionate sum of money to fix the problem. 

It comes just a few weeks after the WannaCry hack which affected more than 150 countries and crippled parts of the NHS. 

A programmer shows a sample of a ransomware cyberattack on a laptop in Taipei, Taiwan

American and British analysts believe that attack, which unfolded in May, was carried out by North Korea. It remains unclear who is responsible for Tuesday’s attack. 

“The National Bank of Ukraine has warned banks… about an external hacker attack on the websites of some Ukrainian banks… which was carried out today,” Ukraine’s central bank said in a statement. 

A spokesman for Ukraine’s Presidential Administration said it was paying “a high level of attention” to the situation.

Maersk, a Danish transport and logistics company with branches worldwide, announced that “multiple sites and business units” had been shut down after the cyber attack. 

It came as Russian oil giant Rosneft said that its servers had suffered a “powerful” cyberattack, as the company is locked in a bitter court fight with the Russian conglomerate Sistema.

4:21PM

‘Several cases’ of Petya reported in Lithuania 

Details of which firms are affected are yet to emerge, but there are reports coming from Lithuania that several companies have been infected by Petya. 

4:13PM

UK’s chief cyber security agency ‘monitoring situation’

“We’re aware of the global ransomware incident and are monitoring the situation closely,” a spokesman said. 

4:12PM

Shipping terminals across the world shut down 

More detail has emerged about Danish shipping firm Maersk, which said earlier that its terminals in Rotterdam had been shut down. 

Seventeen shipping container terminals run by APM Terminals have been hacked, including two in Rotterdam and 15 in other parts of the world, according to Dutch broadcaster RTV Rijnmond.

Maersk shipping containers

APM Terminals is a subsidiary of shipping giant Maersk, which has confirmed it is suffering from a cyber attack.

APM’s website was difficult to reach and phones at its headquarters in The Hague and offices in Rotterdam went unanswered.

A spokeswoman for the company in Copenhagen confirmed its systems were “impacted” as part of Maersk’s IT infrastructure.

4:00PM

Chernobyl nuclear plant affected by hack – local media 

Pravda, a Ukrainian broadsheet newspaper, reports that computers at Chernobyl nuclear plant have been infected by the virus.

Staff were told to shut down their computers after several were infected by what appeared to be a virus, shift director Vladimir Ilchuk told Ukrainskaya Pravda.

There was no threat of a radiation leak as a result, he added. 

3:57PM

Virus ‘almost impossible to stop,’ says expert 

“With the severity of this attack and the degree to which the virus has already spread on an international scale across major business and infrastructure, it is now almost impossible to stop it from spreading further,” said Robert Edwards, a barrister and cybercrime specialist at St John’s Buildings.

“The fallout of this is likely to be severe, and raises serious questions about the security of devices and the ease in which hackers are able to commit such attacks.

An employee sits next to a payment terminal out of order in Ukraine

“We are seeing a worrying trend where variants of ransomware such as Petya are becoming more complex and are spreading faster, and, as we saw with the NHS attack, many businesses simply aren’t doing enough to secure their data. When the safeguards can be as simple as updating software, businesses and employees must do more to protect themselves from this new threat.” 

3:51PM

Ransomware is 2016-programme ‘Petya’ 

Ransomware known as Petya seems to have re-emerged to affect computer systems across Europe, causing issues primarily in Ukraine, Russia, England and India, a Swiss government information technology agency has told Reuters.

“There have been indications of late that Petya is in circulation again, exploiting the SMB (Server Message Block) vulnerability,” the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) said in an e-mail.

It said it had no information that Swiss companies had been impacted, but said it was following the situation. The Petya virus was blamed for disrupting systems in 2016.

Russia’s top oil producer Rosneft said a large-scale cyber attack hit its servers on Tuesday, with computer systems at some banks and the main airport in neighbouring Ukraine also disrupted.

3:48PM

‘A multi-pronged attack’

“This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in the Ukraine,” said Allan Liska, a security analyst at Recorded Future. 

“There is some speculation that, like WannaCry, this attack is being spread using the EternalBlue exploit which would explain why it is spreading so quickly (having reached targets in Spain and France in addition to the Ukraine).

The hack is spreading across Europe

“Our threat intelligence also indicated that we are now starting to see US victims of this attack. 

“This attack not only could make the victim’s machine inoperable, it could steal valuable information that an attacker can take advantage of during the confusion.”

3:43PM

‘We were told to turn off our computers’

An employee at WPP quoted by MailOnline said they were told to switch off their computers – at which point many workers decided to nip out for a drink. 

“We were told to turn our computers off straight away and not to use the WiFi or servers,” the unnamed employee said.

“Most people just left the building and went to the pub.”

WPP employs around 250,000 workers worldwide. 

3:27PM

Spanish firms affected

The attack may have spread to Spain, with several multi-nationals reporting issues, according to local media. 

3:23PM

Cyber security expert: Ransomware to blame

“We are looking into the ransomware activity that has reportedly disrupted organizations in Ukraine and elsewhere,” said John Miller, a security expert at FireEye.

At this point, we are investigating whether the activity constitutes a significantly novel threat or an extension of known issues, as widespread ransomware campaigns are a regular occurrence at this time.

Victims are reporting that a variant of the Petya ransomware is responsible; Petya is a well-understood ransomware type that we have reported on since 2016.

3:11PM

Shipping container terminals in Rotterdam shut down

Maersk, a Danish shipping firm, has confirmed that 17 of its shipping container terminals have been crippled by the same cyber attack which hit Ukraine. 

3:08PM

Russian oil giant hacked

Russian oil giant Rosneft has said that its servers had suffered a “powerful” cyberattack, as the company is locked in a bitter court fight with the Russian conglomerate Sistema.

“A powerful hacking attack has been carried out against the company’s servers,” Rosneft said on Twitter, adding that it “hopes” the incident was “not connected to current legal proceedings”.

A tweet from an account belonging to Ukraine deputy prime minister, Rozenko Pavlo, appeared to show first-hand the effects of the hack.

3:06PM

WPP confirms hack

A spokesman for WPP has confirmed that the British advertising firm is also a victim of the hack. 

http://www.telegraph.co.uk/news/2017/06/27/ukraine-hit-massive-cyber-attack1/
