Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down

  • Huge cyber attack cripples firms, airports, banks and government departments in Ukraine
  • Hack may have spread to Britain, with the advertising firm WPP affected
  • Danish and Spanish multinationals also paralysed by attack
  • Virus 'a form of ransomware' known as Petya 

Major firms, airports and government departments in Ukraine have been struck by a massive cyber attack which began to spread across Europe on Tuesday afternoon. 

In Ukraine, government departments, the central bank, a state-run aircraft manufacturer, the airport in Kiev and the metro network have all been paralysed by the hack.

In the UK, the advertising firm WPP said its systems had also been struck down, while in the Netherlands a major shipping firm confirmed its computer terminals were malfunctioning. 

The virus is believed to be ransomware - a piece of malicious software that shuts down a computer system and then demands an extortionate sum of money to fix the problem. 

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank

It comes just a few weeks after the WannaCry hack which affected more than 150 countries and crippled parts of the NHS. 

American and British analysts believe that attack, which unfolded in May, was carried out by North Korea. It remains unclear who is responsible for Tuesday's attack. 

"The National Bank of Ukraine has warned banks... about an external hacker attack on the websites of some Ukrainian banks... which was carried out today," Ukraine's central bank said in a statement. 

A spokesman for Ukraine's Presidential Administration said it was paying "a high level of attention" to the situation.

Maersk, a Danish transport and logistics company with branches worldwide, announced that "multiple sites and business units" had been shut down after the cyber attack. 

It came as Russian oil giant Rosneft said that its servers had suffered a "powerful" cyberattack, as the company is locked in a bitter court fight with the Russian conglomerate Sistema.

2,000 computers hit in a dozen countries 

Security firm Kaspersky Lab said the attack has hit around 2,000 computers so far in around a dozen countries. The most affected organisations are located in Russia and the Ukraine, with systems in the UK, Germany, France, Italy, the US and Poland also hit. 

The researchers confirmed that one of the ways the virus spread was using the Eternal Blue tool, but that there are likely other ways too.

The company added that the ransomware might not be a variation of Petya but a new strain of the virus. 

"Kaspersky Lab's analysts are investigating the new wave of ransomware attacks targeting organisations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before," the researchers said.

Michael Fallon warns UK could respond to cyber attacks with military force 

The Defence Secretary has said the UK would be prepared to retaliate against future cyber attacks using military force such as missile strikes. 

He warned cyber attacks against UK systems "could invite a response from any domain - air, land, sea or cyberspace".

Michael Fallon made the comments at a conference in London Credit: Jason Alden

 

Ukraine says Chernobyl systems working normally

The Ukrainian state news agency has said all technology systems at the nuclear plant are working normally. It reportedly switched its radiation monitoring system to manual after reports a cyber attack had hit organisations in the country including the National Bank of Ukraine. 

More companies hit as attack spreads to Israel 

DLA Piper, a global law firm with offices in the UK, and Merck, a Netherlands-based pharmaceutical company, have both confirmed that they have been hit by the Petya ransomware.

The confirmations come as reports are surfacing of the first instance of the attack in Israel. The most affected countries so far are Ukraine, Russia, Poland, Italy, Germany and Belarus, according to a researcher at Kaspersky. 

No 'kill switch' for Petya

Security experts are warning there is no kill switch for the Petya ransomware, dispelling hopes that a quick fix could stop the attack as it did with WannaCry.  

Petya inflicts more damage on machines than WannaCry as it targets the hard drive rather than individual files. "This attack doesn't just encrypt data for a ransom - but instead hijacks computers and prevents them from working altogether," said Ken Spinner, vice president of Varonis. "The implications of this type of cyberattack spread far and wide: and can affect everything from government to banks to transportation."

Experts said separately that people using Windows computers at home should be safe from the attack if they have installed all updates. 

'Several cases' of Petya reported in Lithuania 

Details of which firms are affected are yet to emerge, but there are reports coming from Lithuania that several companies have been infected by Petya. 

UK's chief cyber security agency 'monitoring situation'

“We’re aware of the global ransomware incident and are monitoring the situation closely,” a spokesman said. 

Shipping terminals across the world shut down 

More detail has emerged about Danish shipping firm Maersk, which said earlier that its terminals in Rotterdam had been shut down. 

Seventeen shipping container terminals run by APM Terminals have been hacked, including two in Rotterdam and 15 in other parts of the world, according to Dutch broadcaster RTV Rijnmond.


APM Terminals is a subsidiary of shipping giant Maersk, which has confirmed it is suffering from a cyber attack.

APM's website was difficult to reach and phones at its headquarters in The Hague and offices in Rotterdam went unanswered.

A spokeswoman for the company in Copenhagen confirmed its systems were "impacted" as part of Maersk's IT infrastructure.

Chernobyl nuclear plant affected by hack - local media 

Pravda, a Ukrainian broadsheet newspaper, reports that computers at Chernobyl nuclear plant have been infected by the virus.

Staff were told to shut down their computers after several were infected by what appeared to be a virus, shift director Vladimir Ilchuk told Ukrainskaya Pravda.

There was no threat of a radiation leak as a result, he added. 

Virus 'almost impossible to stop,' says expert 

"With the severity of this attack and the degree to which the virus has already spread on an international scale across major business and infrastructure, it is now almost impossible to stop it from spreading further," said Robert Edwards, a barrister and cybercrime specialist at St John’s Buildings.

"The fallout of this is likely to be severe, and raises serious questions about the security of devices and the ease in which hackers are able to commit such attacks.


"We are seeing a worrying trend where variants of ransomware such as Petya are becoming more complex and are spreading faster, and, as we saw with the NHS attack, many businesses simply aren’t doing enough to secure their data. When the safeguards can be as simple as updating software, businesses and employees must do more to protect themselves from this new threat." 

Ransomware is 2016-programme 'Petya' 

Ransomware known as Petya seems to have re-emerged to affect computer systems across Europe, causing issues primarily in Ukraine, Russia, England and India, a Swiss government information technology agency has told Reuters.

"There have been indications of late that Petya is in circulation again, exploiting the SMB (Server Message Block) vulnerability," the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) said in an e-mail.

It said it had no information that Swiss companies had been impacted, but said it was following the situation. The Petya virus was blamed for disrupting systems in 2016.

Russia's top oil producer Rosneft said a large-scale cyber attack hit its servers on Tuesday, with computer systems at some banks and the main airport in neighbouring Ukraine also disrupted.

'A multi-pronged attack'

"This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in the Ukraine," said Allan Liska, a security analyst at Recorded Future. 

"There is some speculation that, like WannaCry, this attack is being spread using the EternalBlue exploit which would explain why it is spreading so quickly (having reached targets in Spain and France in addition to the Ukraine).


"Our threat intelligence also indicated that we are now starting to see US victims of this attack. 

"This attack not only could make the victim's machine inoperable, it could steal valuable information that an attacker can take advantage of during the confusion."

 

'We were told to turn off our computers'

An employee at WPP quoted by MailOnline said they were told to switch off their computers - at which point many workers decided to nip out for a drink. 

"We were told to turn our computers off straight away and not to use the WiFi or servers," the unnamed employee said.

"Most people just left the building and went to the pub."

WPP employs around 250,000 workers worldwide. 

 

Spanish firms affected

The attack may have spread to Spain, with several multi-nationals reporting issues, according to local media. 

 

Cyber security expert: Ransomware to blame

"We are looking into the ransomware activity that has reportedly disrupted organizations in Ukraine and elsewhere," said John Miller, a security expert at FireEye.

"At this point, we are investigating whether the activity constitutes a significantly novel threat or an extension of known issues, as widespread ransomware campaigns are a regular occurrence at this time.

"Victims are reporting that a variant of the Petya ransomware is responsible; Petya is a well-understood ransomware type that we have reported on since 2016."

Shipping container terminals in Rotterdam shut down

Maersk, a Danish shipping firm, has confirmed that 17 of its shipping container terminals have been crippled by the same cyber attack which hit Ukraine. 

Russian oil giant hacked

Russian oil giant Rosneft has said that its servers had suffered a "powerful" cyberattack, as the company is locked in a bitter court fight with the Russian conglomerate Sistema.

"A powerful hacking attack has been carried out against the company's servers," Rosneft said on Twitter, adding that it "hopes" the incident was "not connected to current legal proceedings".

A tweet from an account belonging to Ukraine's deputy prime minister, Rozenko Pavlo, appeared to show first-hand the effects of the hack.

WPP confirms hack

A spokesman for WPP has confirmed that the British advertising firm is also a victim of the hack. 
