A significant ransomware attack is spreading across Europe, Russia, Ukraine and elsewhere. Sophos is investigating the attack and will continue to provide updates here throughout the day.
What we know right now
- Victims so far include British advertising agency WPP (WPPGY), Danish shipping firm Maersk, Russian oil/gas company Rosneft and U.S.-based pharmaceutical firm Merck. WPP said on Twitter, “IT systems in several WPP companies have been affected by a suspected cyber attack.” Maersk announced its IT systems “are down across multiple sites and business units due to a cyber attack.” Merck said in a tweet that “Our company’s computer network was compromised today as part of global hack.”
- Various media reports say the ransomware bears similarities to the Petya ransomware family, which encrypts Master File Tables (MFT) and overwrites the MBR (Master Boot Record), dropping a ransom note and leaving victims unable to boot their computer. Because it blocks boot efforts and prevents affected systems from working altogether, it’s considered more dangerous than typical ransomware strains.
- Various media reports suggest the attacker took inspiration from last month’s WannaCry outbreak, which infected hundreds of thousands of computers across the globe by exploiting NSA code leaked by Shadow Brokers. Specifically, it used a variant of the Shadow Brokers’ APT EternalBlue Exploit (CC-1353), which targeted a flaw in the Windows Server Message Block (SMB) service.
- Attackers are demanding payment of a $300 ransom in Bitcoins to regain control, according to various reports.
Defensive measures
Here’s what we urge you to do right now:
- Patch your systems, even if you’re using an unsupported version of XP, Windows 8 or Windows Server 2003.
- Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
- Avoid opening attachments in emails from senders you don’t know, even if you work in HR or accounts and you use attachments a lot in your job.
- Download the free trial of Sophos Intercept X and, for home (non-business) users, register for the free Sophos Home Premium Beta, which prevents ransomware by blocking the unauthorized encryption of files and sectors on your hard disk.
- To defend against ransomware in general, see our article How to stay protected against ransomware
- To get a better understanding of phishing, read our explainer article
- To protect against JavaScript attachments, tell Explorer to open .JS files with Notepad
- To protect against misleading filenames, tell Explorer to show file extensions
- To learn more about ransomware, listen to our Techknow podcast
- To protect your friends and family against ransomware, try our free Sophos Home for Windows and Mac
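
The two Explorer settings in the list above (show file extensions, open .JS files with Notepad) can be audited and set from PowerShell. This is an added example, not Sophos code; it assumes the standard HideFileExt registry value and a machine-wide handler for .js (JSFile on a default install), and the -Apply switch is a name chosen here.

```powershell
# Added example. Run with no arguments to audit; add -Apply to change settings.
# The .js change writes under HKLM, so -Apply needs an elevated prompt.
param([switch]$Apply)

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$notepad  = '"{0}\System32\notepad.exe" "%1"' -f $env:SystemRoot

# 1. File extensions: HideFileExt = 0 makes Explorer show them for this user.
$hide = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -eq 0) {
    Write-Output 'OK    file extensions are shown'
} elseif ($Apply) {
    Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
    Write-Output 'FIXED file extensions will be shown after Explorer restarts'
} else {
    Write-Output 'WARN  file extensions are hidden'
}

# 2. .js handler: look up the machine-wide ProgID for .js and its "open" command.
#    A per-user "Open with" choice, if one exists, takes precedence over this.
$progId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\.js' -ErrorAction SilentlyContinue).'(default)'
if (-not $progId) {
    Write-Output 'INFO  no machine-wide handler is registered for .js'
} else {
    $cmdKey  = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    $current = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($current -match 'notepad\.exe') {
        Write-Output "OK    .js ($progId) opens with Notepad"
    } elseif ($Apply) {
        if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepad
        Write-Output "FIXED .js ($progId) now opens with Notepad"
    } else {
        Write-Output "WARN  .js ($progId) opens with: $current"
    }
}
```

Double-clicking a .js attachment then shows its source in Notepad instead of running it; scripts that legitimately rely on double-click execution will need to be launched explicitly.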