Massive ransomware outbreak hits servers worldwide

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank (REUTERS/Valentyn Ogirenko)

'It's like WannaCry all over again'.

A ransomware attack has hit computers across the world, taking out servers at Russia's biggest oil company, disrupting operations at Ukrainian banks, and shutting down computers at multinational shipping and advertising firms.

Infosec experts said those behind the attack appeared to have exploited the same type of hacking tool used in the WannaCry ransomware attack that infected hundreds of thousands of computers in May before a British researcher created a kill-switch.

"It's like WannaCry all over again," said Mikko Hypponen, chief research officer with Helsinki-based cyber security firm F-Secure.

He said he expected the outbreak to spread in the Americas as workers turned on vulnerable machines, allowing the virus to attack. "This could hit the USA pretty bad," he said.

The US Department of Homeland Security said it was monitoring reports of cyber attacks around the world and coordinating with other countries.

Interpol also tweeted that, together with its "cyber unit IGCI in Singapore", it is "closely monitoring [the] suspected ransomware attack, liaising with member countries, partners."

The first reports of organisations being hit emerged from Russia and Ukraine, but the impact quickly spread westwards to computers in Romania, the Netherlands, Norway, and Britain.

Within hours, the attack had gone global.

Danish shipping giant AP Moller-Maersk, which handles one out of seven containers shipped globally, said the attack had caused outages at its computer systems across the world, including at its terminal in Los Angeles.

Pharmaceutical company Merck said its computer network had been affected by the global hack.

Global law firm DLA Piper confirmed it "experienced issues with some of its systems due to suspected malware."

"We are taking steps to remedy the issue as quickly as possible," a spokesperson for the law firm said.

A photo from a DLA office in the United States showed a whiteboard message warning employees that "all network services are down" and not to "turn on your computers".

A Swiss government agency also reported computer systems were affected in India, though the country's cyber security agency said it had yet to receive any reports of attacks.

Fast moving consumer goods (FMCG) firm Mondelez International - home to brands such as Cadbury, Milka and Oreo - also reported that employees in different regions were experiencing technical problems, though it was unclear whether this was due to the attack.

"I can confirm that our employees are experiencing difficulties in various geographies. We are investigating the issue," spokeswoman Heidi Hauer said. Hospitals in western Pennsylvania in the United States have also reportedly been hit.

In Australia, Mondelez company Cadbury Australia has been forced to halt its operations over the Petya infection, telling staff of its Claremont facility in Tasmania today to go home.

Similarly the local staff of DLA Piper have been informed the firm's IT systems have been taken down to contain the infection, and were asked not to attempt to log in to their computers.

"Don't waste your time"

After the WannaCry attack, organisations around the globe were advised to beef up IT security.

"Unfortunately, businesses are still not ready and currently more than 80 companies are affected," said Nikolay Grebennikov, vice president for R&D at data protection firm Acronis.

One of the victims of today's cyber attack, a Ukrainian media company, said its computers were blocked and it had received a demand for US$300 (A$395) worth of Bitcoin to restore access to its files.

"If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service," the message said, according to a screenshot posted by Ukraine's Channel 24.

The same message appeared on computers at Maersk offices in Rotterdam and at businesses affected in Norway.

Other companies that said they had been hit by a cyber attack included Russian oil producer Rosneft, French construction materials firm Saint Gobain and the world's biggest advertising agency, WPP - though it was not clear if their problems were caused by the same virus.

"The building has come to a standstill. It's fine, we've just had to switch everything off," said one WPP employee who asked not to be named.

News agency AFP reported that "Chernobyl's radiation monitoring system [was also] affected".

Petya vs NotPetya

Security firms scrambled to understand the scope and impact of the attacks, seeking to confirm suspicions hackers had leveraged the same type of hacking tool exploited by WannaCry, and to identify ways to stop the onslaught.

Some experts claimed the latest ransomware attacks unfolding worldwide are a variant of the existing Petya ransomware family, dubbed GoldenEye.

It uses two layers of encryption which have frustrated efforts by researchers to break the code, according to Romanian security firm Bitdefender.

"There is no workaround to help victims retrieve the decryption keys from the computer," the company said.

Symantec said in a tweet that its analysts had "confirmed Petya ransomware, like WannaCry, is using EternalBlue exploit to spread."

EternalBlue is a Windows Server Message Block (SMB) v1 file sharing protocol exploit linked to the US National Security Agency (NSA).
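Because EternalBlue only works against hosts that still speak SMBv1, the first thing a defender wants to know is whether that protocol is enabled at all. The following audit helper is an added example, not code from the article or from any of the firms it quotes; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where the SmbShare cmdlets exist) and the hypothetical function name Test-Smb1Exposure.

```powershell
# Added audit helper (not from the article). Reports whether the SMBv1 server
# protocol targeted by EternalBlue is still enabled on this host, and with
# -Remediate turns it off. Assumes: run as Administrator, Windows 8 / Server 2012+.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param([switch]$Remediate)

    $server = Get-SmbServerConfiguration
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = [bool]$server.EnableSMB1Protocol
        Smb1FeatureState  = 'Unknown'
    }

    # The optional-feature name differs between client and server SKUs; try both.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) {
        $result.Smb1FeatureState = [string]$feat.State
    } elseif (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $srvFeat = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
        if ($srvFeat) {
            $result.Smb1FeatureState = if ($srvFeat.Installed) { 'Enabled' } else { 'Disabled' }
        }
    }

    if ($Remediate -and $result.Smb1ServerEnabled) {
        # Stop serving SMBv1 immediately; removing the feature itself needs a reboot.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        if ($feat -and $feat.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
        $result.Smb1ServerEnabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]$result
}

# Audit only; append -Remediate to disable SMBv1 on this host.
Test-Smb1Exposure | Format-List
```

This checks protocol exposure only, not whether the Microsoft patch the article refers to has been installed; disabling SMBv1 is a complement to patching, not a substitute for it.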

Payments had already started to be made to unlock computers. A bot set up to track payments had recorded 24 payments by 4.01am AEST.

However, a warning was being widely retweeted - including by former NSA contractor Edward Snowden - not to pay the ransom due to the disabling of a key email address used by the alleged attackers.

Impacted users were told to pay a ransom and email the attacker, but with the address disabled, this is no longer possible.

F-Secure's Mikko Hypponen said he believed a "new variant of the Petya ransom trojan" was to blame. He said the original version of Petya was launched in late 2015.

"There's speculation that this new Petya version would be launched by the same people who were behind WannaCry, but we can't confirm that," Hypponen tweeted.

Russian security software maker Kaspersky, however, said its preliminary findings suggested the virus was not a variant of Petya but a new ransomware not seen before. It has dubbed the malware NotPetya.

Kaspersky said the complex attack involved several vectors. "We can confirm that a modified EternalBlue exploit is used for propagation, at least within the corporate network".

Last month's fast-spreading WannaCry ransomware attack was crippled after 22-year-old British security researcher Marcus Hutchins created a so-called kill-switch that experts hailed as the decisive step in slowing the attack.

Any organisation that heeded strongly worded warnings in recent months from Microsoft to urgently install a security patch and take other steps appeared to be protected against the latest attacks.

Ukraine was particularly badly hit, with Prime Minister Volodymyr Groysman describing the attacks on his country as "unprecedented".

An advisor to Ukraine's interior minister said the virus got into computer systems via "phishing" emails written in Russian and Ukrainian designed to lure employees into opening them.

According to the state security agency, the emails contained infected Word documents or PDF files as attachments.

Yevhen Dykhne, director of the Ukrainian capital's Boryspil Airport, said it had been hit. "In connection with the irregular situation, some flight delays are possible," Dykhne said in a post on Facebook.

Ukrainian Deputy Prime Minister Pavlo Rozenko said the government's computer network had gone down, and the central bank said operations at a number of banks and companies, including the state power distributor, had been disrupted by the attack.

"As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations," the central bank said in a statement.

Russia's Rosneft, one of the world's biggest crude producers by volume, said its systems had suffered "serious consequences" from the attack. It said it avoided any impact on oil production by switching to backup systems.

The Russian central bank said there were isolated cases of lenders' IT systems being infected by the cyber attack. One consumer lender, Home Credit, had to suspend client operations.

Additional reporting by iTnews
