Berlin – A massive new cyberattack via a ransomware virus initially dubbed Petya paralyzed businesses across Europe on Tuesday before spreading to the United States.
The attack came just six weeks after more than 150 countries were affected by the ransomware known as WCry, WannaCry or WannaDecrypt0r, which exploited vulnerabilities in the most widely used operating system in the world: Microsoft Windows.
Moscow-based anti-virus provider Kaspersky Lab said it had detected 2,000 attacks on Tuesday, mostly in Russia and Ukraine but also in Poland, Italy, Britain, France, the US and Germany.
It was not immediately clear who was behind the virus, which, like WannaCry, took over computer systems and demanded a ransom payment in the bitcoin digital currency to unlock them.
“It seems one of the initial Petya vectors was a Ukrainian software company. Attackers must have compromised their infrastructure,” Chris Wysopal, founder of software security firm Veracode, wrote on Twitter.
Ukrainian ministries, radiation monitoring at the Chernobyl nuclear facility, banks and energy companies were reportedly affected, as well as big companies including Danish shipping conglomerate Maersk, British advertising agency WPP and Dutch shipping company TNT Express.
Ukrainian Prime Minister Volodymyr Groysman described the attack as “unprecedented” in a post on Facebook.
“Our IT specialists are doing their job and protecting critical infrastructure,” he said. “Important systems have not suffered. The attack will be repelled, and the attackers will be detected.”
“We are urgently responding to reports of another major ransomware attack on businesses in Europe,” Rob Wainwright, executive director of Europol, the European Union’s law enforcement agency, said on Twitter.
A French judicial source said that Paris prosecutors had opened an investigation into the case, with French police’s cybercrime division probing possible offences including fraudulent access to a database and extortion.
Kaspersky said those behind the attack were asking for 300 dollars in Bitcoin, which is untraceable, to deliver the key needed to unlock the encrypted data.
By late Tuesday, 24 payments totalling 2.54 bitcoin, or just less than 6,000 dollars, had been made to the attacker’s account, it said.
Kaspersky also said that despite similarities to Petya, preliminary findings suggested it was not in fact a Petya variant as first reported but “a new ransomware that has not been seen before.”
It dubbed the virus “ExPetr” and advised companies to update their Windows software and install the MS17-010 security patch as well as to back up their data.
Berlin-based email provider Posteo also said it had blocked an account that was being used by attackers.
US-based cyber security firm Cybereason said its researcher Amit Serper had found a way to stop the virus, though it was only a “vaccination” rather than a “killswitch.”
This is because the method requires each user to create a file on their own computer to prevent the virus from starting to encrypt files, unlike a “killswitch” which could stop the virus spreading altogether.
Like WannaCry, the virus was using a cyber tool called Eternal Blue to propagate itself, according to cyber security company Symantec.
The tool is believed to have been created by the US National Security Agency and leaked online by hackers in April.
Security firms had afterwards urged all users to update their Windows software with a Microsoft patch but many companies failed to do so and the WannaCry attacks caused widespread disruption.
Other companies affected by Tuesday’s attack included: US-based pharmaceuticals giant Merck; French industrial manufacturer Saint-Gobain; US food giant Mondelez, maker of Milka chocolate and Oreo cookies; the US offices of the law firm DLA Piper; Kiev’s Boryspil Airport; and Russian state oil companies Rosneft and Bashneft.