Pharmaceutical giant Merck (MRK) became the first major US company impacted by the ransomware, announcing mid-day Tuesday that its “computer network was compromised” as part of the global hack. “Companies are just not doing what they are supposed to do to fix the problem”.
Those who decide to pay that amount have been asked to send a confirmation to a certain email address hosted by German email provider Posteo.
This particular ransomware is called Petya and is using the EternalBlue exploit to spread. Kaspersky Lab analysts reportedly said that about 2,000 users had been attacked as of midday Tuesday in North America.
NZ Cert is advising organisations running Windows XP through to Windows 2008 R2 and Small Business Server to install the security patch released by Microsoft at the time of the WannaCry attack (it’s on Microsoft’s website).
According to Cisco, Nyetya is “WannaCry’s bad cousin” and “initial vector identification has shown that the virus is more defiant”.
A spokesman said: “We are aware of a global ransomware incident and are monitoring the situation closely”.
In a statement, the White House National Security Council said there was now no risk to public safety. “The attack will be repelled and the perpetrators will be tracked down”, he said.
The NSA did not respond to a request for comment.
The exploit itself, known as EternalBlue, was developed by the National Security Agency and leaked by hacking group TheShadowBrokers. The first reports of organizations being hit emerged from the Russian Federation and Ukraine, but the impact quickly spread westwards to computers in Romania, the Netherlands, Norway, and Britain.
Several multinational companies said they were targeted, including US pharmaceutical giant Merck, Russian state oil giant Rosneft, British advertising giant WPP and the French industrial group Saint-Gobain.
The wave of cyberattacks also impacted Maersk, a global cargo shipping company; Saint-Gobain, a French company producing glass and other construction materials; and British-based WPP.
And the ad agency WPP, which has offices in Dublin, also fell foul of the bug. Computers hit by the malware display a distinctive black screen with red text that instructs the user to pay a ransom of $300 worth of bitcoin for the computers to be unlocked.
“The email address the ransomware asks you to contact upon payment has been blocked by the provider, so there is now little chance files can be recovered by paying the ransom”, he said. “Nobody can recover your files without our decryption service”. One consumer lender, Home Credit, had to suspend client operations. It impacted Russian oil and steel companies, French construction materials firm Saint-Gobain, and US pharmaceuticals firm Merck.
Other firms affected include United Kingdom media agency WPP, Russian oil firm Rosneft, and several government organizations in Ukraine, including the agency responsible for monitoring the Chernobyl nuclear plant, which reverted to manually monitoring radiation due to Windows system shutdowns. Western Pennsylvania’s Heritage Valley Health System’s entire network was shut down by a cyber attack on Tuesday, according to local media reports.
The Moscow-based cyber security firm Group IB estimated that the virus affected about 80 companies in the Russian Federation and Ukraine. Ukrainian officials confirmed the MeDoc link.
Anton Gerashchenko, an aide to the Ukrainian Interior Ministry, said on Facebook the government’s computer network had collapsed.
According to the state security agency, the emails contained infected Word documents or PDF files as attachments.