A massive cyberattack is hitting organisations around the world

UPDATED: Victims in Ukraine, Russia, Denmark, the UK and the United States have all reported being hit by a cyberattack: authorities are investigating "global ransomware incident".
Written by Danny Palmer, Senior Writer

All you need to know about ransomware in 60 seconds

A number of firms around the world are reporting that they have been impacted by a major cyber attack which the UK's cyber security agency is describing as a "global ransomware incident."

Many of the initial reports of organisations affected came from Ukraine, including banks, energy companies and even Kiev's main airport. But since then more incidents have been reported across Europe, indicating the incident is affecting more organisations more widely.
The National Bank of Ukraine said it has been hit by an "unknown virus" and is having difficulty providing customer services and banking operations as a result, while Kiev's Boryspil International airport is also understood to be suffered from some kind of cyber attack. Even the radiation monitoring facility at the Chernobyl nuclear power plant has been hit.

Ukraine's Interior Ministry has already called the cyberattack the biggest in Ukraine's history
Danish transport and energy firm Maersk has confirmed that its IT systems are down across multiple sites due to a cyberattack, while Russian petroleum company Rosneft has reported a "massive hacker attack" hitting its servers.


The attack has also hit the United States, with American pharmaceutical firm Merck stating that its computer network has been compromised as part of "a global hack".
British advertising firm WPP has also said it has also been affected by a cyberattack and the UK's National Cyber Security Centre is investigating reports of the attack.
"We are aware of a global ransomware incident and are monitoring the situation closely," said an NCSC spokesperson.


EC3, Europol's cybercrime division, is also looking into the global cyberattack. "We are urgently responding to reports of another major ransomware attack on businesses in Europe," Rob Wainwright, Executive Director of Europol said in a Tweet.
Interpol has also confirmed its cyber unit in Singapore is "closely monitoring" the global ransomware attack and is liaising with member countries and other partners.

Many reports are suggesting that many victims are seeing a ransom note, which suggests that systems are being infected with ransomware - if that's the case, it's the second major global ransomware outbreak in as many months following on from the WannaCry epidemic which it hundreds of thousands of PCs around the world.


Indeed, a Twitter account providing updates for the Kiev Metro service appears to show a machine displaying a ransom note demanding $300 in Bitcoin.

Preliminary investigation by cybersecurity researchers at Bitdefender suggests that the malware being spread is an improved version of the GoldenEye ransomware, which in of itself is a variant of the of the Petya ransomware family.


Petya ransom note

Image: Symantec

The Petya ransomware family is particularly vicious, not only encrypting the victims' files using one of the most advanced cryptographic algorithms, but also encrypting the entire hard drive by overwriting the master reboot record, preventing the computer from loading the operating system.

However, while many are suggesting that this is a Petya attack, researchers at Kaspersky Lab say organisations are being targeted by a form of ransomware which hasn't been seen before. They've dubbed this 'NotPetya'.

Kaspersky data suggests 2,000 users have been attacked so far, with organisations Russia and the Ukraine are the most affected

Meanwhile, Analysts at Symantec say the ransomware, like WannaCry, is taking advantage of the EternalBlue Microsoft Windows exploit to spread. This Windows flaw is one of many zero-days which apparently was known by the NSA -- before being leaked by the Shadow Brokers hacking collective. Kaspersky also confirmed that the attack is using a modified version of the EternalBlue exploit which is used to spread within corporate networks.

Microsoft released a patch for the vulnerability earlier this year, but as WannaCry and now this incident is demonstrating, many remain vulnerable.

In addition to this, cybersecurity researchers at firms including Recorded Future say this attack appears to take advanatage of the Windows Management Instrumentation Command-line (WMIC), the command line used to execute system management commands for Windows.

WMIC requires a username and password, suggesting that the payload could also contain a trojan information stealer, meaning attackers can scrape usernames and passwords from the infected machine and jump from one unit to the next- potentially even those patched against EternalBlue.

The economic impact of Russian hacking on the Ukraine economy

This ZDNet executive guide to ransomware details everything you need to know about ransomware: how it started, why it's booming, how to protect against it, and what to do if your PC's infected.


Editorial standards