Belfast Telegraph

Major organisations among those affected by worldwide cyber attack

A raft of organisations including big business and government offices in eastern Europe have been hit by a worldwide cyber attack.

The "massive ransomware campaign" has affected organisations ranging from global law firm DLA Piper, to advertising giant WPP and US pharmaceutical company Merck.

The hack has caused widespread disruption, with company and government officials reporting major disruption to the Ukrainian power grid, banks and government offices.

The latest attack comes just weeks after ransomware downed systems across the globe, including the NHS in the UK.

More than 200,000 victims in around 150 countries were infected by the WannaCry or Wanna Decryptor ransomware, which originated in the UK and Spain last month, before spreading globally.

The current ransomware, the name given to programmes that hold data hostage by scrambling it until a payment is made, is known as GoldenEye or Petya, according to Bogdan Botezatu, a senior e-threat analyst at Bitdefender.

Victims of the malware can be asked to pay a 300 dollar ransom after their hard drive is encrypted, crashing their computer.

Mr Botezatu said on Tuesday evening that malware operators received 13 payments totalling 3,500 US dollars in digital currency in almost two hours.

He said: "Bitdefender has identified a massive ransomware campaign that is currently unfolding worldwide.

"Preliminary information shows that the malware sample responsible for the infection is an almost identical clone of the GoldenEye ransomware family."

The National Cyber Security Centre, which is part of intelligence agency GCHQ, said there was a "global ransomware incident".

A spokesman said: "We are aware of a global ransomware incident and are monitoring the situation closely.

"The NCSC website provides advice to the public and business on how to protect your digital systems."

WPP, the world's biggest advertising business, confirmed it had been hit, while DLA Piper has taken its email system down as a preventative measure.

Russia's Rosneft energy company also reported falling victim, as did shipping company AP Moller-Maersk, which said every branch of its business was affected.

Ukrainian deputy prime minister Pavlo Rozenko posted a picture of a darkened computer screen on Twitter, saying the computer system at the government's headquarters has been shut down.

In reference to the attack, the State Agency of Ukraine on Exclusion Zone Management said Chernobyl's radiation monitoring system has been switched to manual and is operating normally.

Experts have raised questions around the suspected exploit, named EternalBlue, which is thought to be being used to spread the ransomware from one computer to another.

The same exploit is said to have been used in the WannaCry attack.

Marco Cova, senior security researcher at anti-malware company Lastline said: "The Petya attack looks very similar in its dynamics and techniques to the WannaCry ransomware that caused large disruption just a few weeks ago.

"In particular, like WannaCry, it seems to rely on the EternalBlue exploit to automatically spread from one machine to another.

"It's still early in the infection lifecycle, but obviously, if it is confirmed that the EternalBlue is the only spreading mechanism, there will be inevitable questions about how organisations could still fall to this attack after all the publicity and support tools (patches, scanning tools, etc.) that were produced as part of the WannaCry response."

Mr Botezatu said GoldenEye, a more advanced version of Petya, may have a number of exploits, meaning even those who patched their systems against EternalBlue after the WannaCry attack may still be vulnerable to the latest hack.

He said: "GoldenEye has a couple more exploits that allow it to go from one computer to another.

"EternalBlue is not the only spreading mechanism inside."

He said experts will work on trying to find a flaw in the ransomware in order to create a decryption tool, but there is no guarantee victims will get their information back.

Despite this, he warned people against paying the money demanded by those behind the attack.

He said: "I would strongly advise against paying the ransom, because this keeps this vicious circle in which hackers get enough money to fuel even more complex malware and this is why ransomware has become so popular in just three years.

"It's a billion dollar business and the more customers they have, the more advanced the future ransomware attacks will be."

The attack is "still spreading at a very high rate", he said.

Following last month's WannaCry incident some of the blame was directed at US intelligence agencies the CIA and the National Security Agency (NSA) who were accused of "stockpiling" software code which could be exploited by hackers.

Brad Smith, Microsoft's president and chief legal officer, said that attack had used data stolen from the NSA earlier this year, which contained information on software vulnerabilities the government had hoped to hoard, and subsequently leaked them online.

Dr David Day, a senior lecturer in cyber security at Sheffield Hallam University, said he believed the latest attack is the "tip of the iceberg " and said he is frustrated at how it has been able to unfold.

He said: " Basically what they (the NSA) have done is they have created something which can be used as a weapon, and that weapon has been stolen and that weapon is now being used.

"And I think it underlines the whole need for debate over privacy versus security.

"The NSA will argue that the tool was developed with a need to ensure privacy, but actually what it's being used for is a weapon against security."

Weekly Business Digest Newsletter

This week's business news headlines, directly to your inbox every Tuesday.