A major ransomware attack has struck Europe and the US for the second time in as many months, with serious disruption at large firms including the advertising giant WPP, French construction materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft.
The attack was first reported in Ukraine, where the government, banks, state power utility and Kiev’s airport and metro system were all particularly badly affected. The radiation monitoring system at Chernobyl was taken offline, forcing employees to use hand-held counters to measure levels at the former nuclear plant’s exclusion zone.
The food giant Mondelez, legal firm DLA Piper and Danish shipping and transport giant AP Moller-Maersk also said their systems had been hit by the malware.
WPP said in a statement that the computer systems at several of its subsidiary companies had been affected, adding that it was “assessing the situation and taking appropriate measures”.
In an internal memo to staff, one WPP firm said it was the target of “a massive global malware attack, affecting all Windows servers, PCs and laptops”. It warned employees to turn off and disconnect all machines using Windows.
Some technology experts said the attack appeared consistent with an “updated variant” of a virus known as Petya or Petrwrap, a ransomware that locks computer files and forces users to pay a designated sum to regain access.
But analysts at cyber security firm Kaspersky Labs said they had traced the infections to “a new ransomware that has not been seen before”. The “NotPetya” attack had hit 2,000 users in Russia, Ukraine, Poland, France, Italy, the UK, Germany and the US, Kaspersky said.
Last month’s WannaCry or WannaCrypt ransomware attack affected more than 230,000 computers in over 150 countries, with the UK’s national health service, Spanish phone giant Telefónica and German state railways among those hardest hit.
Symantec cyber security experts said they had confirmed the ransomware in the current attack was using the same exploit – a program that takes advantage of a software vulnerability – as WannaCry.
The exploit – called EternalBlue – was leaked by the Shadow Brokers hacker group in April and is thought to have been developed by the US National Security Agency.
Pictures circulating on social media on Tuesday of screens purportedly affected by the attack showed a message stating, “Your files are no longer accessible because they have been encrypted,” and demanding a $300 ransom in the Bitcoin digital currency.