The seals of the U.S. Cyber Command, the National Security Agency and the Central Security Service are pictured outside the campus the three organizations share in Fort Meade, Maryland. | Patrick Semansky/AP Photo NSA-linked tools help power second global ransomware outbreak

A potent ransomware attack has gripped organizations around the world for the second time in less than two months.

And like the first outbreak in mid-May — which claimed hundreds of thousands victims in a game-changing cyberattack — Tuesday's outburst is spreading via a Microsoft flaw originally exposed in a leak of apparent NSA hacking tools.


The latest malicious software battered companies in Russia, Ukraine and many other countries in Europe, according to cybersecurity researchers, sending law enforcement officials scrambling and sparking fears about how the world would contain the outbreak of the malware, which locks up computer systems and demands ransom payments.

While the U.S. has been largely unscathed to this point, major multinational energy, shipping, banking, pharmaceutical and law firms, as well as government agencies, have confirmed they are fighting off cyberattacks.

Security firm Kaspersky Lab estimated it had seen 2,000 victims, and counting, throughout the day. While the estimate is significantly lower than the massive numbers tied to May's attack — which relied on malware dubbed WannaCry — some researchers noted technical details of the new malware that might make it harder to kill.

Researchers have also not yet linked the latest attack to any specific hacking group or nation-state, unlike May's digital ambush, which technical specialists and reportedly intelligence officials in the U.S. and U.K. traced to North Korean-backed hackers.

But security specialists have been warning for weeks that the recent WannaCry ransomware virus was only the beginning of these fast-spreading digital sieges.

WannaCry was powered by a variant of apparent NSA cyber weapons that were dumped online, raising questions about whether the secretive hacking agency should sit on such powerful tools instead of alerting companies like Microsoft to the deficiencies in their software.

Experts say hackers have likely been working to tweak the WannaCry malware, potentially allowing new versions to skirt the digital defenses that helped stall the first global assault.

POLITICO Playbook newsletter Sign up today to receive the #1-rated newsletter in politics Email Sign Up By signing up you agree to receive email newsletters or alerts from POLITICO. You can unsubscribe at any time. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Indeed, the virus that proliferated Tuesday shares many similarities with WannaCry, but contains some striking differences.

For starters, Tuesday's virus proliferated using the same Microsoft Windows flaw as WannaCry, according to digital security firms Symantec and Bitdefender Labs. But researchers noted the malware is also capable of hopping around using multiple Microsoft flaws, not just the most famous one exposed in the online dump of the purported NSA cyber weapons.

Additionally, like WannaCry, this new malware demands that victims pay a ransom using the digital currency Bitcoin before their files can be unlocked. As of Tuesday evening, 32 victims had paid a ransom, with the number steadily climbing.

Unlike WannaCry, however, the rapidly spreading malware does not merely encrypt files as part of its ransom scheme. Rather, it changes critical system files so that the computer becomes unresponsive, according to John Miller, a senior manager for analysis at the security firm FireEye, which reviewed the malware.

Some researchers identified the infection as a novel variation of the so-called Petya malware, which has been around since 2016. But researchers at Kaspersky believe it is a totally new strain they are dubbing ExPetr.

A sample of the malware initially went undetected by nearly all antivirus software.

The digital weapon cloaks itself as a file that Microsoft has already approved as safe, helping it avoid detection, Costin Raiu, director of global research efforts at Kaspersky, said on Twitter.

The malware was written on June 18, according to a sample that Kaspersky has analyzed.

Most of the infections on Tuesday were in Ukraine, with Russia the next hardest hit, according to Kaspersky’s analysis. Russia was also a major victim during the WannaCry outbreak. Raiu told POLITICO that Belarus, Brazil, Estonia, the Netherlands, Turkey and the United States were also affected, but that those countries accounted for less than 1 percent of all victims.

A Department of Homeland Security spokesman said the agency was "monitoring reports" of the ransomware campaign and coordinating with international authorities.

Researchers suspect that Ukraine became the nexus of the outburst after companies using a popular tax program unknowingly downloaded an update that contained the ransomware. From there, the virus could have spread beyond those companies using various flaws in Windows.

The ransomware eruption may be responsible for several major cyber incidents that began Tuesday.

The global shipping and logistics firm Maersk — which is based in Denmark — confirmed that it was dealing with a intrusion affecting "multiple sites and business units." And the Russian oil company Rosneft said it was responding to "a massive hacker attack."

Ukraine's central bank and its capital city's main airport also said they were dealing with cyberattacks. The virus appeared to be hitting the country's government computers as well.

The cyberattack also forced the Ukraine-based Chernobyl nuclear power plant to revert to manual radiation monitoring, according to a Ukrainian journalist citing the country's state news service.

Elsewhere, the German pharmaceutical giant Merck said its network was “compromised” in the outbreak and that it was still investigating the incident.

Morning Cybersecurity A daily briefing on politics and cybersecurity — weekday mornings, in your inbox. Email Sign Up By signing up you agree to receive email newsletters or alerts from POLITICO. You can unsubscribe at any time. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

But the U.S. has been largely spared so far.

The American Gas Association said in a statement that no U.S. natural gas utilities have reported infections.

However, in Pennsylvania, the Heritage Valley Health System — which operates two hospitals and 60 physician offices — said it was grappling with a cyberattack. “The incident is widespread and is affecting the entire health system,” said spokeswoman Suzanne Sakson.

Multinational law firm DLA Piper was also experiencing computer and phone outages in multiple offices, including in Washington, D.C. The company did not respond to a request for comment.

But a photo shared with POLITICO showed a sign outside the firm's Washington office that read, "All network services are down, do not turn on your computers! Please remove all laptops from docking stations and keep turned off. No exceptions."

DLA Piper’s secure document storage system for clients also went down, though the firm may have done that as a precaution. “A bit stressed at moment as I am unsure if our docs there are safe,” one client told POLITICO.

Tim Starks contributed to this report.

This article tagged under: Cyber Security

NSA

Europe