While some anti-virus companies say it may be a new strain of the Petya ransomware, others are not so sure.
Among the big names to be hit were the US pharmaceutical company Merck, Russia's state oil company Rosneft, the shipping conglomerate Maersk and the UK-based advertising and public relations firm WPP.
Also badly hit were the banking, electric and gas sectors in Ukraine, with the malware spreading to the UK, Denmark and Spain.
The notice appearing on Windows computers that were hit by ransomware overnight.
State enterprises Ukrtelecom, Ukrzaliznytsia, Ukrposhta, Kievvodokanal, and state-run aircraft manufacturer Antonov all had also been attacked, it said, adding that The Boryspil international airport, Kiev subway, computer networks of the cabinet and the website of the Ukrainian government were also hit.
Researchers from Cisco said early reports of an email vector could not be confirmed. "Based on observed in-the-wild behaviours, the lack of a known, viable external spreading mechanism and other research we believe it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc."
They said that there appeared to be three vectors once a device was infected: EternalBlue – the same exploit used by WannaCry; PsExec – a legitimate Windows administration tool; and WMI – Windows Management Instrumentation, a legitimate Windows component.
Another security firm, Trend Micro, said it believed the ransomware was using both the EternalBlue exploit — which was used by WannaCry — and the PsExec tool as infection vectors.
The PsExec tool is a light-weight replacement for telnet that lets a user execute processes on other systems.
The Trend Micro researchers advised: "Users and organisations are thus advised to perform the following mitigation steps immediately in order to prevent and avoid infection:
- "Apply the security patch MS17-010;
- "Disable TCP port 445;
- "Restrict accounts with administrator group access."
Microsoft issued a patch for the vulnerability that was taken advantage of by EternalBlue, an exploit created by the NSA and leaked online in April by a group known as Shadow Brokers.
Graphics: courtesy Kaspersky Lab.