Companies worldwide struggled to recover Wednesday after a wave of powerful cyberattacks crippled computer systems in Europe, Asia and the United States with a virus similar to the ransomware assault in May that infected computers around the world.
Danish shipping giant A.P. Moller-Maersk said on Wednesday that it was working to recover its operations a day after being hit by a cyberattack linked to malware called Petya.
“We have contained the issue and are working on a technical recovery plan with key IT partners and global cybersecurity agencies,” Maersk, which handles one in every seven containers shipped worldwide, said in a stock exchange announcement. The Copenhagen-based group said its APM Terminals were affected “in a number of ports,” but said that its vessels with Maersk Line were “maneuverable, able to communicate, and crews are safe.”
Russia’s largest oil company, Ukrainian banks and multinational firms were brought to a standstill Tuesday in a wave of ransom demands. The virus even downed systems at the site of the former Chernobyl nuclear power plant, forcing scientists to monitor radiation levels manually.
Cyberattacks also spread as far as India and the United States, where the pharmaceutical giant Merck reported on Twitter that “our company’s computer network was compromised today as part of a global hack.” The New Jersey-based company said it was investigating the attack.
Cyber researchers say that the virus, which was linked to malware called Petrwrap or Petya, used an “exploit” developed by the National Security Agency that was later leaked onto the internet by hackers. It is the second massive attack in the past two months to turn powerful U.S. exploits against the IT infrastructure that supports national governments and corporations.
The onslaught of ransomware attacks may be the “new normal,” said Mark Graff, the chief executive of Tellagraff, a cybersecurity company.
“The emergence of Petya and WannaCry really points out the need for a response plan and a policy on what companies are going to do about ransomware,” he said. WannaCry was the ransomware used in the May attack. “You won’t want to make that decision at a time of panic, in a cloud of emotion.”
The attack mainly targeted Eastern Europe, but also hit companies in Spain, Denmark, Norway and Britain. Victims included the British advertising and marketing multinational WPP. India’s biggest container port was also crippled when a Maersk-run terminal in Mumbai was hit.
The hacks’ scale and the use of ransomware recalled the massive cyberattack in May in which hackers possibly linked to North Korea disabled computers in more than 150 nations using a flaw that was once incorporated into the National Security Agency’s surveillance tool kit.
Cyber researchers have tied the vulnerability exploited by Petya to the one used by WannaCry – a weakness discovered by the NSA years ago that the agency turned into a hacking tool dubbed EternalBlue. Petya, like WannaCry, is a worm that spreads quickly to vulnerable systems, said Bill Wright, senior policy counsel for Symantec, the world’s largest cybersecurity firm. But that makes it difficult to control – or to aim at anyone in particular, he said.
“Once you unleash something that propagates in this manner, it’s impossible to control,” he said.
Although Microsoft in March made available a patch for the Windows flaw that EternalBlue exploited, Petya uses other techniques to infect systems, said Jeff Greene, Symantec government affairs director. “It’s a worm that has multiple ways to spread,” he said, which could explain why there are victims who applied the EternalBlue patch and still were affected.
The initial infection was in Ukraine and spread to Europe, said Paul Burbage, a malware researcher with Flashpoint, a cyberthreat analysis firm. Petya differs from WannaCry in that it does not appear to reach out to the internet and scan for vulnerable systems, he said. It limits itself to the computers linked to the same router.
The ransomware used in the attacks is a variant of Petya called GoldenEye, which was sold on underground forums used mainly by Russian-speaking criminal hackers, he said.