A new, highly virulent strain of malicious software that is crippling computers globally appears to have been sown in Ukraine, where it badly hobbled much of the government and private sectors on the eve of a holiday celebrating a post-Soviet constitution, reports the Associated Press.
The fresh cyberassault on Tuesday leveraged the same intrusion tool as a similar attack in May and proved again just how disruptive to daily life sophisticated cyberassaults can be in this age of heavy reliance on computers.
Hospitals, government offices and major multinationals were among the casualties of the ransomware payload, which locks up computer files with all-but-unbreakable encryption and then demands a ransom for its release.
Ukraine and Russia appeared to be hit the hardest. In the US, it affected companies such as the drugmaker Merck and Mondelez International, the food conglomerate behind brands such as Oreo and Nabisco. Multinationals, including the global law firm DLA Piper and Danish shipping giant AP Moller-Maersk, were also affected.
The virus’ pace appeared to slow by Wednesday, in part because the malware appeared to require direct contact between computer networks, a factor that may have limited its spread in regions with fewer connections to Ukraine.
Ukraine suffered more than 60% of the attacks, followed by Russia with more than 30%, according to initial findings by cybersecurity firm Kaspersky Lab. It listed Poland, Italy and Germany, in that order, as the next-worst affected.
Like last month’s outbreak of ransomware, dubbed WannaCry, the new attack spread by using digital lock picks originally created by the NSA and later published to the web by a still-mysterious group known as the Shadowbrokers.
The attacks appeared to slow down in part because the ransomware appears to spread only when a direct contact exists between two networks, said Ryan Kalember, a security expert at Proofpoint.
“It’s not randomly spreading over the internet like WannaCry. It’s somewhat contained to the organisations that were connected to each other,” he said.
Bogdan Botezatu, an analyst with Bitdefender, compared the new program to a contagious disease. It appeared nearly identical to GoldenEye, a variant of a known family of hostage-taking programs known as “Petya,” he said.
It demanded $300 in Bitcoin. But unlike typical ransomware, which merely scrambles personal data files, this program does more. It overwrites a computer’s master boot record, making it tougher to restore even a machine that has been backed up, Kalember said.
Emails sent on Tuesday to an address posted to the bottom of ransom demands went unreturned. That might be because the email provider hosting that address, Berlin-based Posteo, pulled the plug on the account before the infection became widely known.
In an email, a Posteo representative said it had blocked the email address immediately after learning that it was associated with ransomware. The company added that it was in contact with German authorities “to make sure that we react properly.”