Security Market Segment LS
Wednesday, 28 June 2017 06:18

Huge ransomware attack hits Europe and spreads


Another big Windows ransomware attack has hit Europe and is spreading to other parts of the world, with security firms yet to reach consensus on the causative agent.

While some anti-virus companies say it may be a new strain of the Petya ransomware, others are not so sure.

Among the big names to be hit were the US pharmaceutical company Merck, Russia's state oil company Rosneft, the shipping conglomerate Maersk and the UK-based advertising and public relations firm WPP.

Also badly hit were the banking, electric and gas sectors in Ukraine, with the malware spreading to the UK, Denmark and Spain.

The Russian security firm Global-IB said in Ukraine, large banks and enterprises, namely, Oschadbank, Ukrgasbank, Pivdenny Bank, OTP Bank, TASKombank, The Epicenter chain store, Kovalska industrial and construction group, three major Ukrainian telecom operators, Kyivstar, LifeCell, Ukrtelecom, were among those affected.


The notice appearing on Windows computers that were hit by ransomware overnight.

State enterprises Ukrtelecom, Ukrzaliznytsia, Ukrposhta, Kievvodokanal, and state-run aircraft manufacturer Antonov all had also been attacked, it said, adding that The Boryspil international airport, Kiev subway, computer networks of the cabinet and the website of the Ukrainian government were also hit.

Researchers from Cisco said early reports of an email vector could not be confirmed. "Based on observed in-the-wild behaviours, the lack of a known, viable external spreading mechanism and other research we believe it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc."

They said that there appeared to be three vectors once a device was infected: EternalBlue – the same exploit used by WannaCry; PsExec – a legitimate Windows administration tool; and WMI – Windows Management Instrumentation, a legitimate Windows component.

Another security firm, Trend Micro, said it believed the ransomware was using both the EternalBlue exploit — which was used by WannaCry — and the PsExec tool as infection vectors.

The PsExec tool is a light-weight replacement for telnet that lets a user execute processes on other systems.

The Trend Micro researchers advised: "Users and organisations are thus advised to perform the following mitigation steps immediately in order to prevent and avoid infection:

  • "Apply the security patch MS17-010;
  • "Disable TCP port 445;
  • "Restrict accounts with administrator group access."

Microsoft issued a patch for the vulnerability that was taken advantage of by EternalBlue, an exploit created by the NSA and leaked online in April by a group known as Shadow Brokers.

Graphics: courtesy Kaspersky Lab.


You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer


QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments