Security Market Segment LS
Wednesday, 28 June 2017 06:18

Huge ransomware attack hits Europe and spreads


Another big Windows ransomware attack has hit Europe and is spreading to other parts of the world, with security firms yet to reach consensus on the causative agent.

While some anti-virus companies say it may be a new strain of the Petya ransomware, others are not so sure.

Among the big names to be hit were the US pharmaceutical company Merck, Russia's state oil company Rosneft, the shipping conglomerate Maersk and the UK-based advertising and public relations firm WPP.

Also badly hit were the banking, electric and gas sectors in Ukraine, with the malware spreading to the UK, Denmark and Spain.

The Russian security firm Global-IB said in Ukraine, large banks and enterprises, namely, Oschadbank, Ukrgasbank, Pivdenny Bank, OTP Bank, TASKombank, The Epicenter chain store, Kovalska industrial and construction group, three major Ukrainian telecom operators, Kyivstar, LifeCell, Ukrtelecom, were among those affected.


The notice appearing on Windows computers that were hit by ransomware overnight.

State enterprises Ukrtelecom, Ukrzaliznytsia, Ukrposhta, Kievvodokanal, and state-run aircraft manufacturer Antonov all had also been attacked, it said, adding that The Boryspil international airport, Kiev subway, computer networks of the cabinet and the website of the Ukrainian government were also hit.

Researchers from Cisco said early reports of an email vector could not be confirmed. "Based on observed in-the-wild behaviours, the lack of a known, viable external spreading mechanism and other research we believe it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc."

They said that there appeared to be three vectors once a device was infected: EternalBlue – the same exploit used by WannaCry; PsExec – a legitimate Windows administration tool; and WMI – Windows Management Instrumentation, a legitimate Windows component.

Another security firm, Trend Micro, said it believed the ransomware was using both the EternalBlue exploit — which was used by WannaCry — and the PsExec tool as infection vectors.

The PsExec tool is a light-weight replacement for telnet that lets a user execute processes on other systems.

The Trend Micro researchers advised: "Users and organisations are thus advised to perform the following mitigation steps immediately in order to prevent and avoid infection:

  • "Apply the security patch MS17-010;
  • "Disable TCP port 445;
  • "Restrict accounts with administrator group access."

Microsoft issued a patch for the vulnerability that was taken advantage of by EternalBlue, an exploit created by the NSA and leaked online in April by a group known as Shadow Brokers.

Graphics: courtesy Kaspersky Lab.


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments