Home Security Huge ransomware attack hits Europe and spreads

Huge ransomware attack hits Europe and spreads

Another big Windows ransomware attack has hit Europe and is spreading to other parts of the world, with security firms yet to reach consensus on the causative agent.

While some anti-virus companies say it may be a new strain of the Petya ransomware, others are not so sure.

Among the big names to be hit were the US pharmaceutical company Merck, Russia's state oil company Rosneft, the shipping conglomerate Maersk and the UK-based advertising and public relations firm WPP.

Also badly hit were the banking, electric and gas sectors in Ukraine, with the malware spreading to the UK, Denmark and Spain.

The Russian security firm Global-IB said in Ukraine, large banks and enterprises, namely, Oschadbank, Ukrgasbank, Pivdenny Bank, OTP Bank, TASKombank, The Epicenter chain store, Kovalska industrial and construction group, three major Ukrainian telecom operators, Kyivstar, LifeCell, Ukrtelecom, were among those affected.


The notice appearing on Windows computers that were hit by ransomware overnight.

State enterprises Ukrtelecom, Ukrzaliznytsia, Ukrposhta, Kievvodokanal, and state-run aircraft manufacturer Antonov all had also been attacked, it said, adding that The Boryspil international airport, Kiev subway, computer networks of the cabinet and the website of the Ukrainian government were also hit.

Researchers from Cisco said early reports of an email vector could not be confirmed. "Based on observed in-the-wild behaviours, the lack of a known, viable external spreading mechanism and other research we believe it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc."

They said that there appeared to be three vectors once a device was infected: EternalBlue – the same exploit used by WannaCry; PsExec – a legitimate Windows administration tool; and WMI – Windows Management Instrumentation, a legitimate Windows component.

Another security firm, Trend Micro, said it believed the ransomware was using both the EternalBlue exploit — which was used by WannaCry — and the PsExec tool as infection vectors.

The PsExec tool is a light-weight replacement for telnet that lets a user execute processes on other systems.

The Trend Micro researchers advised: "Users and organisations are thus advised to perform the following mitigation steps immediately in order to prevent and avoid infection:

  • "Apply the security patch MS17-010;
  • "Disable TCP port 445;
  • "Restrict accounts with administrator group access."

Microsoft issued a patch for the vulnerability that was taken advantage of by EternalBlue, an exploit created by the NSA and leaked online in April by a group known as Shadow Brokers.

Graphics: courtesy Kaspersky Lab.


Did you know: 1 in 10 mobile services in Australia use an MVNO, as more consumers are turning away from the big 3 providers?

The Australian mobile landscape is changing, and you can take advantage of it.

Any business can grow its brand (and revenue) by adding mobile services to their product range.

From telcos to supermarkets, see who’s found success and learn how they did it in the free report ‘Rise of the MVNOs’.

This free report shows you how to become a successful MVNO:

· Track recent MVNO market trends
· See who’s found success with mobile
· Find out the secret to how they did it
· Learn how to launch your own MVNO service


Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.