A massive cyberattack that freezes computers and demands a ransom to open them has hit companies in the U.S. and elsewhere around the world today, U.S. officials and private cybersecurity analysts said.
Among the American targets are the giant Merck pharmaceutical company in New Jersey; the Mondelez food company, which produces Oreo cookies; and a major multinational law firm, DLA Piper.
The ransomware attack used a global spam campaign to trick computer users into downloading malicious software that locks them out of their devices until they pay $300 in Bitcoin. According to the cybersecurity firm Kaspersky Lab, the attack has affected about 2,000 users in at least 11 different countries so far, with organizations in Russia and the Ukraine the most affected.
While several researchers identified the virus as a derivative of the “Petya” ransomware, Kaspersky Lab, which congressional sources told ABC News is itself under FBI scrutiny, disputed that assessment, concluding that the virus was “a new ransomware that has not been seen before” and dubbing it “NotPetya.”
Unlike the WannaCry virus attack in May, which seized control of hundreds of thousands of computers and spread disruption around the world, researchers told ABC News that today’s ransomware has no known kill switch, which was used to limit the WannaCry attack.
The virus does, however, appear to be using the leaked hacking tools EternalBlue or DoublePulsar developed by the U.S. National Security Agency to exploit a vulnerability in Microsoft Windows to spread quickly throughout corporate networks with outdated security software.
“Many researchers are seeing evidence that the NSA exploits are being used to propagate this,” John Bambenek of Fidelis Cybersecurity told ABC News. “But in this case it’s a whack-a-mole defense. There’s nothing that would shut it down.”
Early reports indicated the virus affected major companies in Russia and Ukraine as well as the world’s largest shipping firm, Maersk, according to the affected companies and government sources.
Ukraine appears to have been particularly hard hit, with the country’s government reporting that some of its systems, as well as those of key institutions, including banks and telecom providers, were affected.
Merck confirmed on Twitter that its network was infected.
“We confirm our company’s computer network was compromised today as part of global hack,” the company tweeted. “Other organizations have also been affected. We are investigating the matter and will provide additional information as we learn more.”
Mondelez International, a New Jersey–based food and drink company, released a statement saying its networks were down.
“The Mondelez International network is experiencing a global IT outage. Our global special situations management team is in place, and they are working to resolve the situation as quickly as possible. We will update as we have more information.”
A spokesperson for DLA Piper, a global law firm with offices in Washington, D.C., confirmed that malware spread to its system, saying, “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.”
Both the Department of Homeland Security and the FBI issued statements indicating that officials were aware of the attack and working to contain it.
“The Department of Homeland Security is monitoring reports of cyber attacks affecting multiple global entities and is coordinating with our international and domestic cyber partners,” said the agency in a statement. “We stand ready to support any requests for assistance. Upon request, DHS routinely provides technical analysis and support. Information shared with DHS as part of these efforts, including whether a request has been made, is confidential.”
“The FBI is aware of the reported global cyber attacks and takes all potential cyber compromises seriously,” an FBI spokesperson told ABC News. “Threat mitigation, as well as bringing the perpetrators of cyber attacks to justice, are the FBI’s top priorities.”
Photos of screens of affected computers and ATMs sent to ABC News and other media outlets showed the following message: “If you see this text, then your files are no longer accessible because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
Maersk reported its IT systems were affected by the attack, with local media showing the same ransom message from the firm’s offices in Rotterdam, Reuters reported.
Russia’s state-owned energy giant Rosneft said it suffered a major attack and in a statement on Twitter said it succeeded in halting it. Workers at another major Russian oil company, Bashneft, told the Russian newspaper Vedomosti that the firm was affected. An analyst at IB-Group told the Russian news site RNS that at least 80 companies were affected in Russia and Ukraine.
In Ukraine the virus struck the country’s government administration. Vice Prime Minister Pavlo Rozenko wrote on Facebook that the Cabinet’s office computers were all locked out. Ukraine’s central bank said a number of banks in the country were hit, as well as a state energy company. Some ATMs in the country were blocked and displayed the lock-out screen. Ordinary Ukrainians reported being unable to use some banking services. Local Ukrainian media reported that the country’s Borispol airport and national rail company were also attacked.
In a post on his Facebook page, Anton Gerashchenko, an adviser to Ukraine’s Interior Ministry, called the cyberattack the worst in the country’s history.
Researchers told ABC News that they do not believe that a nation was behind the attack and suggested that it could have been launched by a lone cybercriminal.
“I think what’s happened here is someone is launching this tool to stock a Bitcoin wallet and is probably just surprised at how effective it is,” said Erik Rasmussen, a former deputy prosecuting attorney and special agent with the U.S. Secret Service who now works for the cybersecurity firm Kroll. “This attack doesn’t have a specific target, so it’s likely ransomware that’s gone awry and is just really good at doing damage.”
Bambenek suggested that the surprise success of the virus has made its creator a top target for law enforcement.
“This individual has just put himself on the top of everybody’s dinner menu,” he said.