Mediaboss Marketing

PARIS The cyberattack that has locked up computers around the world while demanding a ransom may not be an extortion attempt after all, but an effort to create havoc in Ukraine, security experts say.

There may be a more nefarious motive behind the attack, Gavin OGorman, an investigator with U.S. antivirus firm Symantec, said in a blog post. Perhaps this attack was never intended to make money, rather to simply disrupt a large number of Ukrainian organizations.

The rogue program landed its heaviest blows on the Eastern European nation, where the government, dozens of banks and other institutions were sent reeling. It disabled computers at government agencies, energy companies, cash machines, supermarkets, railways and communications providers. Many of these organizations had recovered by Thursday.

The program, known by a variety of names, including NotPetya, initially appeared to be ransomware, a type of malicious software that encrypts its victims data and holds it hostage until a payment is made, usually in bitcoins, the hard-to-trace digital currency often used by criminals.

But OGorman and several other researchers said the culprits would have been hard-pressed to make money off the scheme. They appear to have relied on a single email address that was blocked almost immediately and a single bitcoin account that has collected the relatively puny sum of $10,000.

Others, such as Russian anti-virus firm Kaspersky Lab, said clues in the code suggest the programs authors would have been incapable of decrypting the data, further indicating the ransom demands may have been a smoke screen.

The timing was intriguing too: The attack came the same day as the assassination of a senior Ukrainian military intelligence officer and a day before a national holiday celebrating the new Ukrainian constitution signed after the breakup of the Soviet Union.

Tensions have been running high between Russia and Ukraine, with Moscow seizing Crimea in 2014 and pro-Russian separatists fighting government forces for control of eastern Ukraine.

Russia has long been suspected of engineering earlier cyberattacks against Ukraine, including the hack of its voting system ahead of 2014 national elections and an assault that knocked its power grid offline in 2015.

Ransomware or not, computer specialists worldwide were still wrestling with its consequences, with varying degrees of success.

Danish shipping giant A.P. Moller-Maersk, one of the global companies hit hardest, said Thursday that most of its terminals are running again, though some are operating in a limited way or more slowly than usual.

Problems have been reported across the shippers global business, from Mobile, Alabama, to Mumbai in India. At Mumbias Jawaharlal Nehru Port, hundreds of containers could be seen piled up.

See the article here:
Russia may have directed cyberattack against Ukraine - The Recorder

News & Observer

Ports recover, but Ukraine still disrupted by cyberattack News & Observer In a statement posted to its website , A.P. Maersk-Moller said Friday it is "pleased to report that our operations are now running close to normal again." But back in Ukraine, the pain continues. Officials have assured the public that the malware ... and more »

Read more from the original source:
Ports recover, but Ukraine still disrupted by cyberattack - News & Observer

BBC News

Eurovision: Ukraine facing fine over Russia row BBC News Eurovision Song Contest bosses are fining Ukraine over its organisation of this year's competition in Kiev. The European Broadcasting Union (EBU) said Ukraine's state broadcaster UA:PBC should pay a "substantial" fine because of "severe delays which ... Ukraine faces big fine after Russia Eurovision rowReuters Ukraine faces Eurovision finePOLITICO.eu Eurovision Song Contest: Ukraine face MASSIVE fines for 'endangering' show over Russia rowExpress.co.uk RT -esctoday.com all 15 news articles »

Read the original:
Eurovision: Ukraine facing fine over Russia row - BBC News

PARIS -- A new and highly virulent outbreak of malicious data-scrambling software appears to be causing mass disruption across Europe, hitting Ukraine especially hard.

Company and government officials reported serious intrusions at the Ukrainian power grid, banks and government offices, where one senior official posted a photo of a darkened computer screen and the words, "the whole network is down."

The attack was reportedly affecting websites in Great Britain, Norway and India, as well, and at least one major U.S. company said it was affected. The New Jersey-based pharmaceutical company Merck confirmed that its computer network was compromised as part of what it called a "global hack," and said it was investigating.

Ukraine's government said the cyberattack was the biggest ever to hit the country, and an adviser to the Minister of Internal Affairs was quick to suggest the attacks appeared to have originated from Russia.

However, Russia's Rosneft energy company also reported falling victim to the hacking, saying it had narrowly avoided major damage.

Play Video

CNET's Dan Ackerman joins CBSN to explain the steps computer owners need to take to help keep their data secure from hackers and ransomware.

"The hacking attack could have led to serious consequences but neither the oil production nor the processing has been affected thanks to the fact that the company has switched to a reserve control system," the company said.

U.S. cybersecurity expert Chris Hadnagy, CEO of Social-Engineer Inc., told CBS News, "We've been following it very closely and it is ... massive. It's attacking a lot of industrial areas, airports, banks, power grids in the Ukraine and in Russia."

The U.S. Department of Homeland Security issued a statement saying it is monitoring reports of attacks "affecting multiple global entities" and is "coordinating with our international and domestic cyber partners," offering confidential analysis and technical support.

The number of companies and agencies reportedly affected by the ransomware campaign piled up fast, as the electronic rampage appeared to be rapidly snowballing into a real-world world crisis.

Shipping company A.P. Moller-Maersk said every branch of its business was affected. "We are responding to limit impact on customers and to uphold operations," the company said in a statement posted on Twitter.

"We are talking about a cyberattack," said Anders Rosendahl, a spokesman for the Copenhagen-based shipping group. "It has affected all branches of our business, at home and abroad."

Dutch daily Algemeen Dagblaad said container ship terminals in Rotterdam run by a unit of Maersk were also affected.

The Ukrainian Interior Ministry adviser said the cyberattacks were using a modified version of the "WannaCry" malware that was found to be at the heart of a massive, global attack by hackers earlier this year -- one that cost companies billions of dollars.

Technology experts said in May that there was evidence North Korean hackers could have been behind that malware assault.

Play Video

Cybersecurity experts say North Korea may be to blame for the unprecedented global "ransomware" attack. The hacking has crippled computer systems...

Ukrainian Deputy Prime Minister Pavlo Rozenko on Tuesday posted a picture of a darkened computer screen to Twitter, saying that the computer system at the government's headquarters had been shut down.

There was very little information on Tuesday about who might be behind the latest disruption, but technology experts who examined screenshots circulating on social media said it bears the hallmarks of ransomware, the name given to programs that hold data hostage by scrambling it until a payment is made.

"A massive ransomware campaign is currently unfolding worldwide," said Romanian cybersecurity company Bitdefender. It said the malicious program appeared to be nearly identical to GoldenEye, one of a family of rogue programs that has been circulating for months. It's not clear whether or why the ransomware had suddenly become so much more potent.

In Switzerland, a government cybersecurity agency said the attacks appeared to employ ransomware known as "Petya."

"There have been indications of late that Petya is in circulation again, exploiting the SMB (Server Message Block) vulnerability," the Swiss Reporting and Analysis Center for Information Assurance (MELANI) told the Reuters news agency in an e-mail.

Reuters said the Petya virus was behind a widespread attack in 2016.

CNET reports the malware encrypts crucial computer files and holds them hostage, demanding $300 in bitcoin to regain access.

Screenshot of a computer affected by the Petya ransomware cyberattack.

Ukraine Prime Minister's Office via CNET

What can computer users do to protect themselves? ZDNet security editor Zack Whittaker said it's important to keep software up to date by installing the latest security patches, but even that may not be enough.

"There's some conflicting reports that even backed-up computers may be affected," he said. "We'll see what happens in the next few hours as we have more information."

In addition to software updates, he advised, "You should carry out regular backups of your data to make sure it's safe and secure, and make sure that backed-up data is never connected to the internet."

Many systems are still recovering from the WannaCry outbreak this spring, which spread rapidly using digital break-in tools originally created by the U.S. National Security Agency (NSA) that wereleaked to the web by a group calling itself the Shadow Brokers.

Max Everett, a cybersecurity expert and managing director at Fortalice Solutions, told CBSN on Monday that the world was simply not prepared for the more widespread attacks expected in the future.

See the article here:
Cyberattack hits Ukraine, Europe, U.S.; hackers use suspected ...

Like the WannaCry attacks in May, the latest global hacking took control of computers and demanded digital ransom from their owners to regain access. The new attack used the same National Security Agency hacking tool, Eternal Blue, that was used in the WannaCry episode, as well as two other methods to promote its spread, according to researchers at the computer security company Symantec.

The National Security Agency has not acknowledged its tools were used in WannaCry or other attacks. But computer security specialists are demanding that the agency help the rest of the world defend against the weapons it created.

The N.S.A. needs to take a leadership role in working closely with security and operating system platform vendors such as Apple and Microsoft to address the plague that theyve unleashed, said Golan Ben-Oni, the global chief information officer at IDT, a Newark-based conglomerate hit by a separate attack in April that used the agencys hacking tools. Mr. Ben-Oni warned federal officials that more serious attacks were probably on the horizon.

The vulnerability in Windows software used by Eternal Blue was patched by Microsoft in March, but as the WannaCry attacks demonstrated, hundreds of thousands of groups around the world failed to properly install the fix.

Just because you roll out a patch doesnt mean itll be put in place quickly, said Carl Herberger, vice president for security at Radware. The more bureaucratic an organization is, the higher chance it wont have updated its software.

Because the ransomware used at least two other ways to spread on Tuesday including stealing victims credentials even those who used the Microsoft patch could be vulnerable and potential targets for later attacks, according to researchers at F-Secure, a Finnish cybersecurity firm, and others.

A Microsoft spokesman said the companys latest antivirus software should protect against the attack.

Governments and companies in Europe and the United States have been impacted. Here are several:

The Ukrainian government said several of its ministries, local banks and metro systems had been affected. A number of other European companies, including Rosneft, the Russian energy giant; Saint-Gobain, the French construction materials company; and WPP, the British advertising agency, also said they had been targeted.

Ukrainian officials pointed a finger at Russia on Tuesday, although Russian companies were also affected. Home Credit bank, one of Russias top 50 lenders, was paralyzed, with all of its offices closed, according to the RBC news website. The attack also affected Evraz, a steel manufacturing and mining company that employs about 80,000 people, the RBC website reported.

In the United States, the multinational law firm DLA Piper also reported being hit. Hospitals in Pennsylvania were being forced to cancel operations after the attack hit computers at Heritage Valley Health Systems, a Pennsylvania health care provider, and its hospitals in Beaver and Sewickley, Penn., and satellite locations across the state.

The ransomware also hurt Australian branches of international companies. DLA Pipers Australian offices warned clients that they were dealing with a serious global cyber incident and had disabled email as a precautionary measure. Local news reports said that in Hobart, Tasmania, on Tuesday evening, computers in a Cadbury chocolate factory, owned by Mondelez International, had displayed ransomware messages that demanded $300 in bitcoins.

Qantas Airways booking system failed for a time on Tuesday, but the company said the breakdown was due to an unrelated hardware issue.

The Australian government has urged companies to install security updates and isolate any infected computers from their networks.

This ransomware attack is a wake-up call to all Australian businesses to regularly back up their data and install the latest security patches, said Dan Tehan, the cybersecurity minister. We are aware of the situation and monitoring it closely.

A National Security Agency spokesman referred questions about the attack to the Department of Homeland Security. The Department of Homeland Security is monitoring reports of cyberattacks affecting multiple global entities and is coordinating with our international and domestic cyber partners, Scott McConnell, a department spokesman, said in a statement.

Computer specialists said the ransomware was very similar to a virus that emerged last year called Petya. Petya means Little Peter, in Russian, leading some to speculate the name referred to Sergei Prokofievs 1936 symphony Peter and the Wolf, about a boy who captures a wolf.

Reports that the computer virus was a variant of Petya suggest the attackers will be hard to trace. Petya was for sale on the so-called dark web, where its creators made the ransomware available as ransomware as a service a play on Silicon Valley terminology for delivering software over the internet, according to the security firm Avast Threat Labs.

That means anyone could launch the ransomware with the click of a button, encrypt someones systems and demand a ransom to unlock it. If the victim pays, the authors of the Petya ransomware, who call themselves Janus Cybercrime Solutions, get a cut of the payment.

That distribution method means that pinning down the people responsible for Tuesdays attack could be difficult.

The attack is an improved and more lethal version of WannaCry, said Matthieu Suiche, a security researcher who helped contain the spread of the WannaCry ransomware when he created a kill switch that stopped the attacks.

In just the last seven days, Mr. Suiche noted, WannaCry had tried to hit an additional 80,000 organizations but was prevented from executing attack code because of the kill switch. Petya does not have a kill switch.

Petya also encrypts and locks entire hard drives, whereas the earlier ransomware attacks locked only individual files, said Chris Hinkley, a researcher at the security firm Armor.

The hackers behind Petya demanded $300 worth of the cybercurrency Bitcoin to unlock victims machines. By Tuesday afternoon, online records showed that 30 victims had paid the ransom, although it was not clear whether they had regained access to their files. Other victims may be out of luck, after Posteo, the German email service provider, shut down the hackers email account.

In Ukraine, people turned up at post offices, A.T.M.s and airports to find blank computer screens, or signs about closures. At Kievs central post office, a few bewildered customers milled about, holding parcels and letters, looking at a sign that said, Closed for technical reasons.

The hackers compromised Ukrainian accounting software mandated to be used in various industries in the country, including government agencies and banks, according to researchers at Cisco Talos, the security division of the computer networking company. That allowed them to unleash their ransomware when the software, which is also used in other countries, was updated.

The ransomware spread for five days across Ukraine, and around the world, before activating Tuesday evening.

If I had to guess, I would think this was done to send a political message, said Craig Williams, the senior technical researcher at Talos.

One Kiev resident, Tetiana Vasylieva, was forced to borrow money from a relative after failing to withdraw money at four automated teller machines. At one A.T.M. in Kiev belonging to the Ukrainian branch of the Austrian bank Raiffeisen, a message on the screen said the machine was not functioning.

Ukraines Infrastructure Ministry, the postal service, the national railway company, and one of the countrys largest communications companies, Ukrtelecom, had been affected, Volodymyr Omelyan, the countrys infrastructure minister, said in a Facebook post.

Officials for the metro system in Kiev said card payments could not be accepted. The national power grid company Kievenergo had to switch off all of its computers, but the situation was under control, according to the Interfax-Ukraine news agency. Metro Group, a German company that runs wholesale food stores, said its operations in Ukraine had been affected.

At the Chernobyl plant, the computers affected by the attack collected data on radiation levels and were not connected to industrial systems at the site, where, although all reactors have been decommissioned, huge volumes of radioactive waste remain. Operators said radiation monitoring was being done manually.

Cybersecurity researchers questioned whether collecting ransom was the true objective of the attack.

Its entirely possible that this attack could have been a smoke screen, said Justin Harvey, the managing director of global incident response at Accenture Security. If you are an evildoer and you wanted to cause mayhem, why wouldnt you try to first mask it as something else?

An earlier version of this article referred incorrectly to the occupation of Justin Harvey. He is the managing director of global incident response at Accenture Security, not the chief security officer for the Fidelis cybersecurity company.

Reporting was contributed by Liz Alderman, Andrew E. Kramer, Iuliia Mendel, Ivan Nechepurenko and Isabella Kwai.

A version of this article appears in print on June 28, 2017, on Page A1 of the New York edition with the headline: A Cyberattack Hits Ukraine, Then Spreads.

Go here to see the original:
Cyberattack Hits Ukraine Then Spreads Internationally - The ...