A massive ransomware attack has hit businesses around the world, causing major companies to shut down their computer systems.
Researchers are still investigating the software behind the attack, warning that it’s more sophisticated than the WannaCry worm that struck hundreds of thousands of computers across the globe last month.
“WannaCry was a tremendous failure. It was a lot of noise, very little money, and everyone noticed it,” said Craig Williams, an expert at cybersecurity firm Cisco Talos. “What we’re seeing today is a much more intelligent worm.”
Big global brands — like Mondelez (MDLZ), the maker of Oreos, and British advertising giant WPP (WPPGF) — say their IT systems are experiencing problems.
The ransomware infects computers and locks down their hard drives. It demands a $300 ransom in the anonymous digital currency Bitcoin.
The email account associated with the ransomware has been blocked, so even if victims pay, they won’t get their files back.
Law enforcement and cybersecurity experts agree that victims should never pay ransoms for such attacks.
Researchers say the ransomware virus is a worm that infects networks by moving from computer to computer. It uses a hacking tool called EternalBlue, which takes advantage of a weakness in Microsoft Windows.
EternalBlue was in a batch of hacking tools leaked earlier this year that are believed to have belonged to the US National Security Agency.
Regular consumers who have up-to-date Windows computers are safe from this attack, experts say. However, if there’s one out-of-date machine on a company’s network, it could infect other connected computers.
Researchers are still figuring out exactly what happened. But Cisco Talos says one way the ransomware got into computer systems was through software in Ukraine, a country that was hit especially hard by the attacks.
A Ukrainian company called MeDoc sent out a compromised update to its tax software that contained the malware, infecting computers that were running it, said Williams, the security expert at Cisco Talos.
Ukrainian officials confirmed a possible link to MeDoc. But the company denied its software spread the infection, saying in a Facebook post that the update was sent out last week and was free of viruses.
Top international businesses headquartered in Europe and the US have come under attack. They include Russian oil and gas giant Rosneft, Danish shipping firm Maersk, US-based pharmaceutical company Merck and law firm DLA Piper.
Ukrainian organizations took a particularly heavy blow. Banks, government offices, the postal service and Kiev’s metro system were experiencing problems, officials said. The ransomware also caused problems with the monitoring system at the Chernobyl nuclear power plant.
It’s still too early to say who might be responsible for unleashing the virus.
Intelligence agencies and security researchers have linked last month’s WannaCry attack to a group associated with North Korea. But it’s unclear if the new ransomware worm is connected.
Like WannaCry, the new ransomware attack uses the EternalBlue tool to spread. But researchers say it also uses other parts of Windows to infect computers, including seizing user credentials.
Unlike WannaCry, it locks down a computer’s entire hard drive instead of just the files. And it didn’t shoot across the internet the way WannaCry did — instead, it spreads inside company networks.
“It seems that the ones in charge of this campaign have learned quite a lot from the WannaCry campaign,” said Itay Glick, the CEO of Israeli cybersecurity company Votiro.