Updated 3:34 pm, Tuesday, June 27, 2017
Photo: Thomas Borberg, AP
NEW YORK (AP) — The Latest on a widespread cyberattack that is affecting companies and government systems (all times EDT):
A Pennsylvania health care system says it is taking steps to restore its computer network after being hit by a ransomware attack that was carried out globally.
Heritage Valley Health System says the attack Tuesday affected its two hospitals west of Pittsburgh as well as satellite operations.
Patients reported on social media that some surgeries had to be rescheduled. A hospital spokeswoman would say only that operational changes had to be made.
A Wellsville, Ohio, woman was at one of Heritage Valley’s hospitals to have her gallbladder removed when she heard a voice over a loudspeaker directing staff to come to a command center.
Brenda Pisarsky told The Associated Press she noticed computer monitors were off and saw nurses scurrying around with stacks of paperwork.
She says she had already been prepped for surgery so doctors were able to go through with her operation. But she said she was told some other patients’ procedures had to be rescheduled.
A series of tweets issued by Ukraine’s cyberpolice unit says the ransomware that has caused global havoc may have first spread through a rogue update to a piece of Ukrainian accounting software called MEDoc.
Several vendors — including Kaspersky Lab and Cisco — have already identified MEDoc as a likely vector for the initial infections. Ukraine’s cyberpolice said Tuesday that the rogue update occurred around 10:30 a.m. local time, seeding the infection to an undisclosed number of organizations across the country. Then, just as a few dropped matches can feed a forest fire, the ransomware spread rapidly from there.
In a lengthy statement posted to Facebook, MEDoc acknowledged having been hacked but said it was not responsible for having seeded the rogue program.
Ukraine’s cyberpolice unit acknowledged the company’s statement but stood by its analysis. It stressed that it was not attributing blame to the company.
The German company whose email service was used to help coordinate payments linked to the latest surge of ransom software says it pulled the plug on the account before news of the outbreak became widely known.
In a blog post, the Posteo service said it blocked the email address “immediately” after learning that it was being used as a point of contact for the ransomware’s presumed creators. The post said the block happened around midday in Germany, well before reports began circulating about problems linked to its spread.
While the block prevented the hackers behind the ransomware release from capitalizing on the explosive infection rate, it may also strand victims with no obvious way of retrieving files scrambled by the rogue program.
Posteo, based in Berlin, did not return an email seeking further comment.
How the ransomware was first spread isn’t known for sure, but several experts singled out Ukrainian accounting software called MEDoc, which in a brief message posted to its website acknowledged having been hacked.
In a lengthier statement posted to Facebook, however, the company said that it was not responsible for having seeded the rogue program.
“We can say that the MEDoc system cannot infect your computer with viruses when it updates,” the company said.
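The rogue-update vector in the cyberpolice and vendor reports above (and in the MEDoc statements just quoted) is a software-supply-chain problem: an updater that installs whatever its update server hands it cannot tell a vendor build from an attacker's. The Go program below is an added example written for this page, not MEDoc's code and not anything from the AP report or the vendors it cites. It shows an update client that pins the vendor's Ed25519 public key and refuses any package whose signature does not verify, including a tampered payload and a genuine signature replayed onto a different version label. Every name in it (UpdatePackage, SignUpdate, VerifyUpdate, Install, the version strings and payloads) is constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update bundle: a version label, the bytes the
// updater would install, and the vendor's detached Ed25519 signature.
type UpdatePackage struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned for any package the pinned vendor key did not sign.
var ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned vendor key")

// signedDigest binds the version label to the payload, so a genuine signature
// for one release cannot be replayed onto a different payload or version.
func signedDigest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte("update-v1\x00")) // constructed domain separator
	h.Write([]byte(version))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side step: the build pipeline signs the release with
// a private key that never leaves the vendor.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedDigest(version, payload)),
	}
}

// VerifyUpdate is the client-side gate. The updater ships with the vendor's
// public key pinned; whatever the update server delivers is checked against
// that key before a single byte is installed.
func VerifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pinned) != ed25519.PublicKeySize || len(pkg.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pinned, signedDigest(pkg.Version, pkg.Payload), pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Install stands in for the real update step; it runs only after VerifyUpdate
// has accepted the package, and returns the bytes it would have written.
func Install(pinned ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	if err := VerifyUpdate(pinned, pkg); err != nil {
		return nil, err
	}
	return append([]byte(nil), pkg.Payload...), nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // the vendor's key pair
	_, rogueSigner, _ := ed25519.GenerateKey(nil)         // whoever controls the update server

	genuine := SignUpdate(vendorPriv, "1.0.1", []byte("constructed vendor build"))
	rogue := SignUpdate(rogueSigner, "1.0.2", []byte("constructed rogue build"))

	for _, pkg := range []UpdatePackage{genuine, rogue} {
		if _, err := Install(vendorPub, pkg); err != nil {
			fmt.Printf("%s: %v\n", pkg.Version, err)
		} else {
			fmt.Printf("%s: installed\n", pkg.Version)
		}
	}
}
```

The check moves the attacker's requirement from "control the update server" to "hold the vendor's signing key", which is why the key should live in an HSM or a signing service separate from the web infrastructure that serves updates; it does nothing if the build pipeline itself is compromised before signing.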
The head of a top Ukrainian cybersecurity firm says it’s too early to say if his country was singled out as the prime target but that its institutions, long a target of Russian hackers, may have been compromised through attrition.
Victor Zhora, CEO of Infosafe IT in Kiev, says he believes the ransomware, which attacks Microsoft operating systems from Windows XP to Windows 10, was previously seeded and time-activated.
“It seems the virus is spreading all over Europe and I’m afraid it can harm the whole world,” he said. Zhora’s firm did triage on a well-coordinated attack blamed on pro-Russian hackers that tried to thwart the country’s May 2014 election.
Zhora said the current ransomware, which propagates across networks, demands $300 in Bitcoin. He says it’s too early for official confirmation of the targets in Ukraine but local media are reporting ATMs and some gasoline distribution to filling stations have been affected.
Cyberattacks blamed on pro-Russia hackers have twice taken down sizeable portions of Ukraine’s power grid.
Security experts say Tuesday’s cyberattack shares something in common with last month’s WannaCry attack: Both spread by using digital break-in tools purportedly created by the U.S. National Security Agency and recently leaked to the web.
Security vendors Bitdefender Labs and Kaspersky Lab say the NSA exploit, known as EternalBlue, is allowing the malware to spread inside an organization’s network. Other than that, the latest malware is different from WannaCry.
Organizations should be protected if they had installed a fix that Microsoft issued in March.
But Chris Wysopal, chief technology officer at the security firm Veracode, says that’s only the case if 100 percent of computers were patched. He says that if one computer gets infected, the new malware has a backup mechanism to spread to patched computers within the network as well.
Wysopal says the attack seems to be hitting large industrial companies that “typically have a hard time patching all of their machines because so many systems simply cannot have down time.”
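Wysopal's point above, that the March fix only protects an organization if every machine has it because the malware has a backup way to reach patched hosts, is easy to see on a small model. The Go program below is an added example written for this page, not code from Veracode or any of the vendors quoted. It simulates propagation from a single foothold across a constructed six-host network in which the vulnerability path works only against unpatched hosts, while an assumed patch-independent path works regardless of patch state. The article does not say what the backup mechanism is; the model assumes reuse of administrative credentials harvested from already-infected machines, and further simplifies by treating the accounts that log in to a host as the same set that is accepted by it. Hostnames, account names and network links are all constructed.

```go
package main

import "fmt"

// Host is one machine on the modelled network. Patched says whether the March
// SMB fix is installed. AdminCreds lists the admin accounts that log in to this
// host (so their credentials can be harvested once it is infected) and that it
// accepts (so a harvested credential can be used against it); treating these as
// one set is a simplification of this model.
type Host struct {
	Name       string
	Patched    bool
	AdminCreds []string
}

// Network is a set of hosts plus undirected reachability over the SMB port.
type Network struct {
	Hosts map[string]*Host
	Links map[string][]string
}

func NewNetwork(hosts ...*Host) Network {
	n := Network{Hosts: map[string]*Host{}, Links: map[string][]string{}}
	for _, h := range hosts {
		n.Hosts[h.Name] = h
	}
	return n
}

func (n Network) Link(a, b string) {
	n.Links[a] = append(n.Links[a], b)
	n.Links[b] = append(n.Links[b], a)
}

// reachable decides whether an infected neighbour can take over h.
func reachable(h *Host, harvested map[string]bool, secondary bool) bool {
	if !h.Patched {
		return true // vulnerability path: any reachable unpatched host falls
	}
	if !secondary {
		return false // exploit-only model: the patch fully protects this host
	}
	for _, c := range h.AdminCreds {
		if harvested[c] {
			return true // assumed patch-independent path: a valid admin credential
		}
	}
	return false
}

// Simulate runs propagation from one foothold to a fixed point and returns the
// set of compromised hosts. secondary toggles the credential-reuse path.
func Simulate(n Network, foothold string, secondary bool) map[string]bool {
	infected := map[string]bool{foothold: true}
	harvested := map[string]bool{}
	for changed := true; changed; {
		changed = false
		for name := range infected { // everything cached on infected hosts is harvested
			for _, c := range n.Hosts[name].AdminCreds {
				harvested[c] = true
			}
		}
		var newly []string
		for name := range infected {
			for _, nb := range n.Links[name] {
				if !infected[nb] && reachable(n.Hosts[nb], harvested, secondary) {
					newly = append(newly, nb)
				}
			}
		}
		for _, nb := range newly {
			if !infected[nb] {
				infected[nb] = true
				changed = true
			}
		}
	}
	return infected
}

// SampleNetwork is constructed: four of six hosts are patched, one shared
// helpdesk account spans the workstations and one domain-admin account spans
// the servers and an engineering workstation.
func SampleNetwork() Network {
	n := NewNetwork(
		&Host{Name: "ws1", Patched: false, AdminCreds: []string{"helpdesk"}},
		&Host{Name: "ws2", Patched: true, AdminCreds: []string{"helpdesk"}},
		&Host{Name: "srv1", Patched: true, AdminCreds: []string{"domain-admin"}},
		&Host{Name: "srv2", Patched: false, AdminCreds: []string{"domain-admin"}},
		&Host{Name: "ws3", Patched: true, AdminCreds: []string{"domain-admin"}},
		&Host{Name: "hmi1", Patched: false, AdminCreds: nil},
	)
	n.Link("ws1", "ws2")
	n.Link("ws1", "srv2")
	n.Link("ws2", "srv1")
	n.Link("srv2", "ws3")
	n.Link("srv1", "hmi1")
	return n
}

func main() {
	n := SampleNetwork()
	fmt.Println("exploit path only:      ", Simulate(n, "ws1", false))
	fmt.Println("plus credential reuse:  ", Simulate(n, "ws1", true))
	fmt.Println("foothold with no creds: ", Simulate(n, "hmi1", true))
}
```

With the exploit path alone, the foothold reaches only the one other unpatched host; with the credential path, the same foothold reaches all six, including the four patched ones, which is the "100 percent" condition in practice. The third run, starting from an unpatched host where no admin account is cached, stays contained, which is the argument for keeping high-privilege logons off ordinary workstations and segmenting the machines that cannot be patched.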
Organizations hit include the Russian oil company Rosneft and the Danish oil and shipping company AP Moller-Maersk.
A hospital and health care system based in western Pennsylvania says it is dealing with a widespread cyberattack.
A spokeswoman for Heritage Valley Health System says the attack Tuesday is affecting the organization’s entire health system and employees are working to ensure safe patient care continues.
Heritage Valley is a $480 million network that provides care for residents of Allegheny, Beaver, Butler and Lawrence counties, in Pennsylvania; parts of eastern Ohio; and the panhandle of West Virginia.
It wasn’t immediately clear if the cyberattack was related to the outbreak of malicious data-scrambling software that appears to be causing mass disruption across Europe Tuesday.
Also affected is New Jersey-based Merck, the second-largest drugmaker in the United States with extensive operations in the Philadelphia area.
Merck confirmed its computer network was “compromised” as part of the global attack.
Previously datelined KIEV, Ukraine (all times local)
The second-largest drugmaker in the United States is confirming it’s been affected by a cyberattack.
In a message sent using its verified Twitter account, Merck confirmed Tuesday that its computer network was “compromised” as part of a global attack.
Officials said the Kenilworth, New Jersey-based company was investigating the incident but provided no further details.
Merck has global locations including in Ukraine, where a new and highly virulent outbreak of malicious data-scrambling software causing mass disruption across Europe appeared to be hitting especially hard.
Company and government officials reported serious intrusions at the Ukrainian power grid, banks and government offices, where one senior official posted a photo of a darkened computer screen and the words, “the whole network is down.”
Dutch-based transport company TNT Express, which was taken over last year by FedEx, also said Tuesday that it is suffering computer disruptions. Spokesman Cyrille Gibot says that “like many other companies and institutions around the world, we are experiencing interference with some of our systems within the TNT network. We are assessing the situation and are implementing remediation steps as quickly as possible and we regret any inconvenience to our customers.” He declined further comment.
Ukraine’s prime minister says that a cyberattack affecting his country is “unprecedented,” but “vital systems haven’t been affected.”
A new and highly virulent outbreak of malicious data-scrambling software appears to be causing mass disruption across Europe, hitting Ukraine especially hard.
Prime Minister Volodymyr Groysman also said on Facebook that “our IT experts are doing their job and protecting critical infrastructure … The attack will be repelled and the perpetrators will be tracked down.”
Company and government officials reported serious intrusions at the Ukrainian power grid, banks and government offices, where one senior official posted a photo of a darkened computer screen and the words, “the whole network is down.” Russia’s Rosneft oil company also reported falling victim to hacking, as did Danish shipping giant A.P. Moller-Maersk.
Hackers have caused widespread disruption across Europe, hitting Ukraine especially hard.
Company and government officials reported major disruption to the Ukrainian power grid, banks and government offices. Russia’s Rosneft energy company also reported falling victim to hacking, as did shipping company A.P. Moller-Maersk, which said every branch of its business was affected.
Ukrainian Deputy Prime Minister Pavlo Rozenko on Tuesday posted a picture of a darkened computer screen to Twitter, saying that the computer system at the government’s headquarters has been shut down.
There’s very little information about who might be behind the disruption, but technology experts who examined screenshots circulating on social media said it bears the hallmarks of ransomware, the name given to programs that hold data hostage by scrambling it until a payment is made.