Government agencies and large companies in the United States and Europe were hit by a major ransomware attack on 27 June 2017, the second such attack in six weeks. In a tweet, Europol — the European Union Agency for Law Enforcement Cooperation — confirmed it was aware of a ransomware attack and said it was “liaising with cyberunits in the EU and key industry partners” to establish the full nature of the attack.
The cyberattack first emerged in Ukraine on the morning of 27 June 2017, taking down much of the country’s Internet infrastructure:
…The government, banks, state power utility and Kiev’s airport and metro system were all affected. The radiation monitoring system at Chernobyl was taken offline, forcing employees to use hand-held counters to measure levels at the former nuclear plant’s exclusion zone.
Among the companies hit by the attack in the U.S. was the Heritage Valley Health System, a network of health care providers in Pennsylvania. In a statement to the Pittsburgh Post-Gazette, a spokesperson said that they had confirmed the ransomware was the same in that attack as in Europe:
Corrective measures supplied by our antivirus software vendor have been developed and are being implemented and tested within the Health System. Additionally, other restorative measures are being undertaken at this time. Heritage Valley continues to implement downtime procedures and make operational adjustments to ensure safe patient care.
Pharmaceutical giant Merck also said that some of its facilities in Pennsylvania and New Jersey had been affected:
We confirm our company’s computer network was compromised today as part of global hack. Other organizations have also been affected. We are investigating the matter and will provide additional information as we learn more.
Others apparently affected by the ransomware attack included DLA Piper, a major global law firm with offices throughout the U.S. and Canada, the food giant Mondelez, which oversees brands such as Cadbury’s and Oreo and has locations throughout the U.S. and Canada, and WPP, one of the world’s biggest advertising and P.R. companies, many of whose subsidiary networks (like Ogilvy & Mather and Millward Brown) have offices in the U.S. and Canada.
In Europe, the attack struck several large industrial firms, including the A.P. Moller-Maersk Group, the world’s largest shipping container conglomerate, the Russian government-owned oil company Rosneft, and the French construction materials manufacturer Saint-Gobain.
Ransomware typically encrypts or blocks access to a user’s personal data and demands payment to reinstall access, but experts said the June 2017 attack went further, taking over an affected computer’s entire hard drive. In a blog post, security software firm Symantec explained that this appears to be a newer and more sophisticated version of a virus that has been in existence since 2016, which included a “ransom note” providing details of how and where users can send $300 in the virtual currency Bitcoin, including an address at the German email service provider Posteo.
However, Posteo confirmed in a blog post that it had shut down that e-mail account at around noon on 27 January (6 am Eastern time).
Midway through today [Central European Time] we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away. There was no press coverage at that time. We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases.
This means that the individuals behind the attack can no longer access the email address, and those affected by it cannot receive a key to decrypt their hard drive. Cybersecurity experts warn against paying up in response to a ransomware attack anyway, because access to data is often not reinstalled, despite meeting the demands of the ransom.
It is possible that the ransomware is tied to MEDoc, a tax program that is reportedly mandatory on Ukrainian workplace computers:
Petya “explicitly targets a Ukrainian software package, mandated by Ukrainian government,” tweeted British malware expert Kevin Beaumont. Kaspersky Lab thinks that the malware might have come in the form of a fake MEDoc software update.
The MEDoc company itself gave conflicting statements about the situation. It first posted a message in Ukrainian stating “Our server made a virus attack. We apologize for the inconvenience!” (according to Google Translate), then took that down. A subsequent post on the company’s Facebook page denied that it was the source of the infection.
The Petya worm could have traveled along corporate networks from Ukrainian subsidiaries to enterprise servers in other countries, some experts hypothesized.
However, other experts pointed out that there were still enough computers globally that had not patched against ETERNALBLUE, or closed the pathways that that exploit travels, to explain Petya’s spread.
Amit Serper, a security researcher at Boston-based software company Cybereason, says he found a temporary fix for affected computers:
— Amit Serper (@0xAmit) June 27, 2017