Petya cyberattack spreads, hitting U.S. and European businesses

Jon Swartz and Rachel Sandler
USA TODAY

SAN FRANCISCO — A virulent new strain of ransomware named Petya wreaked havoc on some of the most-established companies in Europe and North America on Tuesday, capitalizing on the same vulnerabilities that froze hundreds of thousands of computers a month ago.

Computer-security company Kaspersky Lab said about 2,000 systems worldwide were affected.

The cyberattack appeared to target Ukraine, where government officials and businesses reported intrusions to the power grid, government offices, banks and stores.

It also spread through the digital operations of some of the planet's biggest companies. Danish shipping giant A.P. Moller-Maersk, the world's largest overseas cargo carrier, and Russian oil behemoth Rosneft were among the high-profile corporate victims in at least six countries.

Merck, one of the largest pharmaceutical companies in the world, and British media company WPP tweeted they had been hit by Petya, as did Rosneft.

Global law firm DLA Piper said it "experienced issues with some of its systems due to suspected malware" and was working on a solution, company spokesman Josh Epstein said in an emailed statement.

By late Tuesday, the cyberattack had spread to North American divisions of European companies, said Justin Harvey, managing director of global incident response at Accenture. Petya is "really preying on organizations without proper patching hygiene" of the Windows operating system, he said.

Container ship terminals in Rotterdam run by a unit of Maersk were affected, the company confirmed. “The hacking attack could have led to serious consequences but neither the oil production nor the processing has been affected thanks to the fact that the company has switched to a reserve control system,” the company said.

Petya is a ransomware attack that renders files and data inaccessible until the user pays a ransom. In this case, those behind Petya demanded $300 via bitcoin. They claimed to have received more than $8,000 so far, according to Accenture. The email address victims were asked to send proof of payment to, though, has been shut down by the German email service Posteo, the company said. So even if a victim pays, there is no way for the person or group behind Petya to send victims the code to decrypt their files.

"We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases," Posteo said in a statement.

It remains unclear who is responsible for Petya (a nickname for Russian boys named Peter), but cybersecurity experts said the attack is along the lines of WannaCry, an outbreak of ransomware that rapidly spread worldwide using digital break-in tools that computer companies say were created by the U.S. National Security Agency. WannaCry infected hundreds of thousands of computers in 150 countries last month.

"It's the same level of severity as WannaCry in terms of global reach and havoc," says Bill Conner, CEO of cybersecurity firm SonicWall. He said Petya is the latest example of "exponential growth" in ransomware that has surged from 3.8 million incidents in 2015 to 638 million last year, according to SonicWall research.

Both WannaCry and Petya used EternalBlue, an exploit for a vulnerability in Microsoft Windows systems, according to Kaspersky and Symantec. The exploit was leaked online in April by a group called the Shadow Brokers. Microsoft released a fix for the vulnerability EternalBlue targets, but some companies still failed to patch their systems, making them easy targets for the cyberattack.

"A lot of companies don't think they're going to be a victim," said Robert Anderson, managing director of Information Security at Navigant Consulting and previously an executive assistant director of the FBI responsible for investigating cyberattacks. "You don't have to be a defense contractor or a bank — these ransomware attacks are designed purely to hold your data hostage, so it doesn't matter what type of data you have."

Microsoft said in a statement that "initial analysis found that the ransomware uses multiple techniques to spread, including one which was addressed by a security update previously provided for all platforms from Windows XP to Windows 10 (MS17-010). As ransomware also typically spreads via email, customers should exercise caution when opening unknown files. We are continuing to investigate and will take appropriate action to protect customers."

The newest cyberattack may prove more difficult to stop than WannaCry, security experts say. Even though Petya hit fewer machines, it appears to be a more solid attack. For one, WannaCry had a kill switch, or a way to shut down the attack. Petya does not, which allows the malware to spread faster and cause more damage, said Ryan O'Leary, vice president of the threat research center at WhiteHat Security. Without a kill switch, no one knows how to stop the attack from spreading — so its breadth remains unseen, O'Leary added.

"WannaCry was dangerous, but it had poor implementation," O'Leary said. "It looks to be a much more robust attack."

An email message sent to the address listed on the ransom page was not immediately returned.

Contributing: Associated Press

Follow USA TODAY's San Francisco Bureau Chief Jon Swartz @jswartz on Twitter.