Another big malware attack ripples across the world
Posted June 27
Updated June 28
Hackers launched blistering ransomware attacks Tuesday against companies and agencies across the world, particularly targeting Ukranian businesses.
Major global firms reported that they had been targeted, including British advertising agency WPP, Russian oil and gas giant Rosneft and Danish shipping firm Maersk.
"IT systems in several WPP companies have been affected by a suspected cyber attack," WPP said on its Twitter account.
Maersk issued a similar statement, saying its tech systems "are down across multiple sites and business units due to a cyberattack."
Related: What is ransomware?
The U.S.-based pharmaceutical company Merck also said it was hit.
"We confirm our company's computer network was compromised today as part of global hack," Merck said on Twitter.
Mondelez, the company that owns Oreos, Cadbury and many other global snack brands, reported a computer outage across its global operations. And law firm DLA Piper said it had taken down its systems in response to "a serious global cyber incident."
The source of the attack is not yet clear. It is similar to WannaCry, which spread globally in May, but there are differences. Both asked victims to pay Bitcoin to get their files back, and both use a similar flaw to spread through networks.
Related: Why WannaCry took down so many businesses
The Moscow-based cybersecurity firm Group IB estimated Tuesday that the virus affected about 80 companies in Russia and Ukraine.
Group IB said the ransomware infects and locks a computer, and then demands a $300 ransom to be paid in Bitcoins.
Many firms, including Symantec, have suggested the ransomware is a variant of Petya, a known ransomware. But according to security firm Kaspersky Lab, preliminary findings indicate the attacks are from a new ransomware that it's now calling "ExPetr."
Either way, researchers say Tuesday's attacks use a Windows flaw called EternalBlue to spread through corporate networks. WannaCry also leveraged the EternalBlue exploit, which was leaked as part of a trove of hacking tools believed to belong to the NSA. Microsoft issued a patches for the exploits in March.
Microsoft said it found that the ransomware is using multiple techniques to spread, including one that was addressed by the security patch released in March. It is continuing to investigate.
Related: Attack sparks debate on when spy agencies should disclose cyber holes
The U.S. Department of Homeland Security is also monitoring the cyberattacks.
Spokesman Scott McConnell said DHS is "coordinating with our international and domestic cyber partners. We stand ready to support any requests for assistance."
Europol said it is investigating the attack as well.
Ukrainian companies and government agencies seem to have been hit particularly hard.
Ukraine's central bank warned financial firms across the country that an unknown virus hit the sector, creating problems for banks and customer service.
According to security firm Cisco Talos, the ransomware initially infected MeDoc, a piece of Ukranian accounting software. MeDoc then sent an infected file to customers. It spread to other computers on companies' networks by leveraging software holes. Ukranian officials confirmed the MeDoc link.
This ransomware was much more advanced than WannaCry, according to Craig Williams, senior tech lead and security outreach manager at Cisco Talos.
Related: The hero who accidentally stopped the WannaCry cyberattack from spreading
Officials at Ukraine's postal service and metro system in Kiev also reported hacking problems.
Ukraine's vice prime minister, Pavlo Rozenko, tweeted a screenshot of his malfunctioning computer saying computers at the Cabinet of Ministers had been affected.
The Chernobyl nuclear power plant was also hit by the cyber attack, according to a Ukrainian federal agency. In a statement, the agency said that "in connection with the cyber attack, the Chernobyl nuclear power plant website is not working." Its Microsoft Windows systems were temporarily disconnected, and radiation monitoring in the area of the industrial site is being carried out manually, it said.
Ransomware victims are always advised not to pay ransom to get their files back because it encourage the attackers. The best way to mitigate damage from ransomware is to update operating systems and backup data.
--CNN's Marilia Brocchetto, Mary Ilyushina, David Shortell, Bex Wright and Victoria Butenko contributed to this report.