A fast-spreading computer virus that ravaged data systems in Europe and the United States earlier this week has again raised questions about whether United States businesses and organizations are prepared for cyber threats.
The new attack came just a month after the massive “Wanna Cry” ransomware campaign that infected computers across the world using tools believed to have been stolen from the NSA.
Ransomware traditionally renders a system unusable and encrypts data, then requires victims to pay money or perform another action to regain access. "But a growing number of security researchers believe that the new malware merely posed as ransomware to cover up its real goal of destroying data, some concluding that Ukraine was the ultimate target."
“We believe that this was an intentionally destructive attack against the Ukrainian economy,” said Charles Carmakal, vice president at Mandiant, a subsidiary of the cybersecurity firm FireEye. “An attack like this will inevitably happen in the United States.”
The new variant of “Petya,” which has been given several names by cybersecurity experts, first hit Ukraine on Tuesday. The attack spread to the country’s government, banking industry, and the international airport in Kiev. It also affected Russia’s largest oil company, Rosneft.
Later, the malware spread to other areas of Europe and the United States. American pharmaceutical giantMerck, FedEx, and Cadbury all reported disruptions. A hospital in West Virginia is being forced to replace its entire computer system after being struck by the malware.
The malware also stalled operations at the largest terminal at the Port of Los Angeles, prompting localRep. Norma Torres (D-Calif.) to warn of the “massive impact cyber threats pose to our local and national economy.”
The Department of Homeland Security is monitoring the malware developments and working with partners domestically and internationally to manage the damage, according to DHS spokesman Scott McConnell.
“We stand ready to support any requests for assistance,” McConnell said. “Upon request, DHS routinely provides technical analysis and support. Information shared with DHS as part of these efforts, including whether a request has been made, is confidential.”
The virus locks users out of their computers and demands a bitcoin ransom worth $300. But as the virus spread, it quickly became clear that paying the ransom would not recover the files, leading some researchers to conclude that it was in fact a “wiper” — an attack meant to destroy data.
“Fundamentally, this was a wiper campaign,” said Raj Samani, chief scientist and head of McAfee’s Strategic Intelligence Group. “It appears to be a campaign meant for destruction or disruption. To that end, it was successful.”
Some researchers have traced the original infection to a Ukrainian tax software company called MeDoc, which pushed out malicious updates to users. Hackers likely targeted the company, they say, and leveraged it to spread the malicious code. The malware is believed to have spread to other countriesthrough companies doing business in Ukraine that received the software update.
This has led some to conclude that Ukraine was the original target of the malware, fueling speculation that Russia may have been to blame. Moscow is already suspected in cyber attacks against Ukraine’s power grid in 2015 and 2016.
Dalibor Rohac, a research fellow focused on Central and Eastern Europe at the right-leaning American Enterprise Institute, said that such an attack would fit right into Moscow’s playbook.
“That would fit perfectly into the observed pattern of the Kremlin’s behavior, including its constant efforts to see what it can get away with,” Rohac observed. “And if indeed the Kremlin is behind the attack, we should brace ourselves for more of similar moves elsewhere, including in Western Europe … and in the United States — until there is stronger pushback.”
Still, some contend that the attack was more likely exactly what it looked like — malicious code built by cyber criminals to generate a profit.
“There’s not any sort of giant blinking sign pointing to a nation-state actor,” said Kevin Epstein, head of threat operations at cybersecurity company Proofpoint.
The Petya outbreak is the second ransomware campaign to produce global shockwaves in less than two months. Wanna Cry, which broke out in mid-May, infected thousands of machines in over 150 countries and prompting the Trump administration to convene emergency meetings.
Cybersecurity firm Symantec has tied Wanna Cry to a hacker group associated with North Korea.
The viruses both rely on an exploit called “Eternal Blue” that is widely believed to have been developed by the National Security Agency. The hacking tool, which leverages a software vulnerability in Microsoft Windows, was released by the anonymous ShadowBrokers group earlier this year.
The Petya variant stood out because of its use of multiple mechanisms to spread quickly across a network, even reaching machines that had patched the Microsoft “Eternal Blue” vulnerability.
Carmakal said that he was contacted this week by one organization that had seen tens of thousands of its systems affected by the malware.
“You didn’t see that scale of impact with Wanna Cry within single organizations,” Carmakal said.
The latest attack’s spread has slowed down for now, though Carmakal observed that it could take heavily impacted organizations weeks or months to recover their systems.
There is widespread agreement in the security community that global businesses need to step up securing and defending their networks, since these types of attacks are expected to continue.
“It’s a lot of lessons that haven’t been learned from Wanna Cry,” said Amit Serper, a security researcher at Cybereason who discovered a “vaccine” to protect unaffected machines from the latest malware outbreak. “A lot of unpatched machines, a lot of machines without updates.”
“Point number one is, absolutely this is going to happen again,” said Epstein. “We have seen new variants of ransomware spread every two to three days for the last 18 months — and that’s just ransomware.”