“We are urgently responding to reports of another major ransomware attack on businesses in Europe,” Rob Wainwright, executive director of Europol, Europe’s police agency, said on Twitter.
Computer experts were calling the virus Petya, and said that it was similar to the WannaCry attack, which spread quickly across much of Asia and Europe. Others cautioned, however, that it could be yet another type of ransomware.
At least nine European countries had been targeted in the latest attack, said Dan Smith, an information security researcher at Radware, a cybersecurity firm. “I first saw reports of this attack around 8 a.m. Eastern time coming from Ukraine, but it’s too early to tell who’s behind this,” Mr. Smith said.
Researchers at the computer security company Symantec said the new attack was using the same hacking tool created by the National Security Agency that was used in the WannaCry attacks. Called Eternal Blue, the tool was among dozens leaked online last April by a group known as the Shadow Brokers. The N.S.A. has not acknowledged its tools were used in WannaCry or other attacks.
The vulnerability used by Eternal Blue was patched by Microsoft last April, but as the WannaCry attacks demonstrated, hundreds of thousands of organizations around the world failed to properly install the patch. But researchers at F-Secure, the Finnish cybersecurity firm, also noted that the ransomware used at least two other vectors to spread, beyond Eternal Blue, which suggests even those who used the Microsoft patch could be vulnerable.
“Just because you roll out a patch doesn’t mean it’ll be put in place quickly,” said Carl Herberger, vice president of security at Radware. “The more bureaucratic an organization is, the higher chance it won’t have updated its software.”
Immediate reports that the computer virus was a variant of Petya suggest the attackers will be hard to trace. Petya was for sale on the so-called dark web, where its creators made the ransomware available as “ransomware as a service” — a play on Silicon Valley terminology for delivering software over the internet, according to the security firm Avast Threat Labs.
That means anyone can launch the ransomware with the click of a button, encrypt someone’s systems and demand a ransom to unlock it. If the victim pays, the authors of the Petya ransomware, who call themselves Janus Cybercrime Solutions, get a cut of the payment.
That distribution model means that pinning down the individuals responsible for Tuesday’s attack could be difficult, if nearly impossible.
The attack is actually “an improved and more lethal version of WannaCry,” according to Matthieu Suiche, a security researcher who helped contain the spread of the WannaCry ransomware last month when he created a so-called kill switch that stopped the attacks from spreading.
Over just the past seven days, Mr. Suiche noted that WannaCry had attempted to hit an additional 80,000 organizations, but was prevented from executing attack code because of the kill switch.
On Tuesday, Mr. Suiche said there was no kill switch for the Petya attacks.
The Petya attacks could be worse than WannaCry, said Chris Hinkley, a researcher at Armor, the security firm, because these attacks encrypt and lock entire hard drives, while the earlier ransomware attacks locked only individual files.
But researchers at the security company Kaspersky Labs questioned whether the attack was something other than what has been described as the Petya attacks. The company’s data indicates around 2,000 users have been attacked so far.
In Ukraine, the Infrastructure Ministry, the postal service, the national railway company, and one of the country’s largest communications companies, Ukrtelecom, have been affected, Volodymyr Omelyan, the country’s infrastructure minister, said in a Facebook post.
Officials for the metro system in Kiev, the country’s capital, said card payments could not be accepted at the moment because of the attack. The national power grid company Kievenergo had to switch off all of its computers because of the attack, but the situation was under control, according to the Interfax-Ukraine news agency. Metro Group, a German company that runs wholesale food stores, said its operations in Ukraine had been affected, and that it was “analyzing the possible effects.”
Computer systems at the Chernobyl nuclear plant were also shut down. The computers collected data on radiation levels, and were not connected to industrial systems at the site, where, though all reactors have been decommissioned, huge volumes of radioactive waste remain. Operators said radiation monitoring was being done manually.
In Russia, Home Credit bank, one of the country’s top 50 lenders, was paralyzed, with all of its offices closed, according to the RBC news website.
“All offices can only offer consultations to clients, no banking operations are now possible,” said Artyom Moskvin, a bank teller at Home Credit’s central office in Moscow, though he denied the situation was connected to the hacking attack. “The bank is currently checking its security systems. Everything should go back to normal tomorrow.”
The attack also affected Evraz, a steel manufacturing and mining company that employs around 80,000 people, the RBC website reported.
A spokeswoman for Maersk confirmed that computer systems were down because of the attack. She said the company had been hit across different business units and sites, but declined to confirm Spanish media reports that Maersk’s operations at Spanish ports, including Algeciras and Valencia, were shut down by the attack.
Analysts have been warning that hackers are increasingly likely to use such ransomware attacks to gain access to people’s computers, both in a bid to cause major global disruption and for financial gain.
That was the case with the recent WannaCry computer virus, which attacked networks at hospitals in the United Kingdom, automakers’ production facilities and German train stations.
The recent attacks appear to evade popular antivirus software. In a test of 61 antivirus solutions, only four successfully identified the ransomware.