Computer systems across the world were hit by a widespread ransomware attack this week (27 June), with victims spanning Russia, Ukraine, Spain, France, UK and India. The malware appeared to be linked to Petya, which locked down system files and demanded money for their return.
"Russia, Ukraine, Spain, France - confirmed reports about Petya ransomware outbreak. Good morning, America," tweeted Aleks Gostev, chief security expert at Kaspersky Lab as infections spiked. Reports indicated the attacks impacted large businesses, banks and even airports.
"If you see this text then your files are no longer accessible because they have been encrypted. Perhaps you are busy looking to recover your files but don't waste your time," the ransom read.
It demanded a total of $300 worth of Bitcoin be sent directly to the hackers.
Tass, Russia's primary state news outlet, reported the country's top oil producer – Rosneft – reported suffering a "powerful hacker attack" on its servers.
"The hacker attack could have led to serious consequences, but thanks to switching to the reserve management system neither oil production nor oil treatment have been halted," one official said.
Costin Raiu, another Kaspersky Lab cyber expert tweeted the ransomware appeared to be "spreading worldwide" with a "large number of countries affected."
In the UK, world-leading marketing firm WPP tweeted: "IT systems in several WPP companies have been affected by a suspected cyberattack.
"We are taking appropriate measures & will update asap."
Meanwhile, a spokesperson from the UK National Cyber Security Centre (NCSC), an off-shoot of signals intelligence agency GCHQ responsible for probing attacks and breaches, said: "We are aware of a global ransomware incident and are monitoring the situation closely."
Major banks reported being attacked, however it remained unclear if incidents were targeted in nature. In May, another worldwide outbreak caused by a ransomware, dubbed "WannaCry", impacted more than 250,000 machines in 150 countries but was not targeted by design.
The National Bank of Ukraine (NBU) released a statement confirming it was infected.
"The National Bank of Ukraine has warned banks and other financial market participants about an external hacker attack on the websites of some Ukrainian banks, as well as commercial and public enterprises, which was carried out today," it said on 27 June.
"As a result of these cyberattacks, banks experience difficulty in servicing customers and performing banking operations. All the financial market participants have taken steps to tighten security measures to counteract these hacker attacks.
"The NBU is confident that the banking infrastructure is securely protected from cyberattacks and any attempts to perform hacker attacks will be efficiently warded off."
Other institutions in the region - Sberbank, Ukrsotsbank, Ukrgasbank, OTP Bank and PrivatBank – were also infected, reports indicated. Maersk, a Danish logistics firm, tweeted: "IT systems are down across multiple sites and business units. We are currently assessing the situation."
RT, another Russian state news outlet, revealed an airport in Ukraine was also at risk.
In an embedded Facebook post, Ukraine's International Boryspil airport in Kiev wrote: "Dear passengers! The official airport website and the board with the flight schedule DO NOT WORK!
"The actual information on the time of departure you can read only on the scoreboard in the departure zone in terminal D!" continued Pavel Ryabikin, deputy head of Ukraine's Ministry of Transport and Communications. "Before departure to the airport, check the flight details with your airline or travel agent. We apologise and ask [you] to be tolerant!"
Links to NSA exploits?
Security experts found the previous global outbreak back in May was super-powered by two leaked National Security Agency (NSA) exploits – and speculation quickly emerged asking if the new variant took similar approach.
Matthieu Suiche, a security researcher at UAE-based Comae Technologies, said an initial investigation indicated Eternal Blue, a known NSA exploit, was involved.
"This smells like ETERNALBLUE/DOUBLEPULSAR all over again," he tweeted.
The speculation was later confirmed by researchers from Symantec, however the experts indicated the initial route of infection was "not yet known."
According to Forbes, Matthew Hickey, chief executive of Hacker House, said the attack may have spread by exploiting a known Office vulnerability.
The exploits in question were previously leaked by a mysterious group known as Shadow Brokers.
John Miller, senior analyst at cybersecurity firm FireEye said: "We are looking into the ransomware activity that has reportedly disrupted organisations in Ukraine and elsewhere.
"At this point, we are investigating whether the activity constitutes a significantly novel threat or an extension of known issues, as widespread ransomware campaigns are a regular occurrence at this time. Victims are reporting that a variant of the Petya ransomware is responsible; Petya is a well-understood ransomware type that we have reported on since 2016."
But Kaspersky Lab, a Russian cybersecurity firm, revealed later in the day the malware may not be the core version of Petya. It said it had infected 2,000 victims in a matter of hours.
"Organisations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, Germany and several other countries. The attack vector is not yet known," said Vyacheslav Zakorzhevsky, head of anti-malware team.
"Our preliminary findings suggest that it is not a variant of Petya ransomware as publically reported, but a new ransomware that has not been seen before.
"We advise all companies to update their Windows software, to check their security solution and ensure they have back up and ransomware detection in place."
At the time of writing, the hackers' Bitcoin wallet had received payments.
The culrpit of the ransomware attack remains unknown.
Update: Security researcher MalwareTech, who is credited with stopping the previous WannaCry attack, released a blog post on the latest ransomware attacks. He echoed the thoughts of a number of other experts - including from Cisco Talos and ESET - by saying initial infections may have spread via a software update for Ukrainian tax accounting software called 'MeDoc'.
The investigation continues.