Powerful national institutions around the world scrambled on Wednesday to contain a cyberattack that struck parts of Europe, the United States and Asia, the second such wave in two months. The attack compromised the software systems of multiple companies and then threatened to destroy their data unless they paid up. Companies hit by the ransomware included the French multinational Saint-Gobain, the American pharmaceutical giant Merck, the British advertising firm WPP and the Russian steel and mining company Evraz.
Microsoft said the attack had originated in Ukraine, where the hackers first targeted M.E.Doc, a tax-accounting software company; from there the ransomware spread to at least 64 countries. ESET, a Slovakia-based cybersecurity company, also said the first known infection came through M.E.Doc. In total, more than 12,500 companies were hit.
Photographs and videos of computers affected by the attack showed a message of red text on a black screen: "Oops, your important files have been encrypted. If you see this text then your files are no longer accessible because they have been encrypted. Perhaps you are busy looking to recover your files but don't waste your time."
Symantec, a Silicon Valley cybersecurity firm, established that the ransomware was infecting computers through at least one exploit, dubbed EternalBlue. The exploit was leaked online last April by a mysterious group of hackers known as the Shadow Brokers, who had previously released hacking tools used by the National Security Agency. The same exploit was used in May to spread the WannaCry ransomware, which affected hundreds of thousands of computers in more than 150 countries.
"It's pretty clear that this attack was inspired by WannaCry," said Gavin O'Gorman, an intelligence analyst at Symantec. "We'll likely see more of these types of attacks in the future."
EternalBlue takes advantage of a weakness in Microsoft Windows. Microsoft released a patch for the flaw in March, but not all companies have applied it.
Ordinary consumers who run up-to-date Windows computers are safe from this attack, experts say. Yet if a single out-of-date machine sits on a company's network, it can infect the other connected computers, much like an airborne virus.
Cybersecurity researchers identified the Bitcoin address to which the attackers demanded that victims send a payment of $300. Some victims paid the ransom (as of Wednesday morning, the address had logged 45 transactions), even though the email address used by the attackers had been shut down. That eliminates any possibility of the attackers restoring a victim's access to their computer networks, even if the ransom is paid.
Ukraine and Russia were the regions most deeply affected by the attack; despite some reports from Asia, that region largely escaped the widespread problems felt in Europe and the United States. Researchers at Symantec believe several dozen organizations were affected in the United States alone.
Cybersecurity experts say that, like WannaCry, the ransomware infects computers through vulnerabilities in the core of the operating system, the kernel, which makes it difficult for antivirus firms to detect. A single unpatched computer could therefore prove fatal for many companies.
While the cost of repairing the damage and installing better security will be high, it is a step that must be taken to avoid more insidious damage in the future.
- https://www.nytimes.com/2017/06/28/business/ramsonware-hackers-cybersecurity-petya-impact.html
- https://www.nytimes.com/2017/06/27/technology/global-ransomware-hack-what-we-know-and-dont-know.html
- http://money.cnn.com/2017/06/28/technology/ransomware-attack-petya-what-you-need-to-know/index.html
- https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe