A widespread cyberattack apparently targeting Ukraine rippled across Europe on Tuesday and spread to computer systems of banks and major companies in Russia, Britain and elsewhere — mirroring a crippling ransomware assault a month ago.
Merck & Co., a U.S. pharmaceutical company, tweeted that its computer network "was compromised ... as part of the global hack." U.S.-based food giant Mondelēz International also reported a "global IT outage," telling CNBC that all of its phone lines were out because they're connected to its computer network.
The Ukrainian government's computer network went down in a campaign that Prime Minister Volodymyr Groysman called "unprecedented." But "vital systems haven't been affected," he said.
Many security researchers initially linked the attack to ransomware known as Petya, which was previously advertised for sale on top-tier Russian criminal forums. But Kaspersky Lab, a leading Russian security software company, said Tuesday night that it was, in fact, "a new ransomware that has never been seen before."
"While it has several strings similar to Petya, it possesses entirely different functionality," said Kaspersky, which dubbed the malware "ExPetr" and "NotPetya."
A message on a cash machine for Ukraine's state-owned bank Oschadbank demanded $300 worth of Bitcoin — and taunted victims not to "waste your time" looking for another fix.
"If you see this text, then your files are no longer accessible, because they have been encrypted," the message read in English, according to an image taken by a Reuters photographer in Kiev. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our encryption service."
The message then went on to say how to pay the ransom in Bitcoin.
The German email provider Posteo told NBC News that it was able to cut off access to the email address provided in the ransom note before the problem became widely known. As a likely result, only about 32 ransom payments had been attempted by late Tuesday afternoon — not all of them successfully — totaling about US$8,000, according to the address' public account record.
The downside is that anyone who tries to pay can't get their files decrypted because the hackers have no way to communicate with victims to provide the decryption key.
Despite the Ukranian focus of the initial attack, researchers said they think that it's unlikely that the attack is state-sponsored.
"A state actor won't specifically use an exploit that is already distributed. It's not likely it's a state actor, more likely someone from a cybercrime organization," said Itay Glick, chief executive of the Israel-based cybersecurity firm Votiro.
The number of companies and agencies affected Tuesday was piling up quickly as the electronic rampage appeared to be snowballing into a real-world crisis:
- Operations were affected at the Chernobyl nuclear site in Ukraine, forcing some radiation checks to be carried out manually at the facility, which famously exploded in 1986.
- WPP, the world's biggest advertising agency, said it had been hit by a cyberattack.
- In Germany, the postal and logistics company Deutsche Post said systems of its Express division in the Ukraine had been disrupted.
- The global shipping company A.P. Moller-Maersk in Copenhagen, Denmark, said it had suffered a computer system outage also caused by a cyberattack.
The Russian metals giant Evraz said its IT systems had been affected, as well, Russia's RIA news agency reported.
In Ukraine, Yevhen Dykhne, director of Boryspil International Airport, east of Kiev, said it had been hit by a cyberattack. "In connection with the irregular situation, some flight delays are possible," Dykhne said on Facebook.
The initial point of attack appears to have exploited MeDoc, a Ukrainian accounting software package that is used by the Ukrainian government, said Paul Burbage, a malware researcher for Flashpoint Intelligence, which analyzes security issues for NBC News. Late Tuesday night, MeDoc acknowledged that there were reports that the software was used in the attack, but it stressed that its latest service pack update, dated June 22, wasn't infected.
Any computer that requested software updates from a compromised system could then silently receive the ransomware loader, Burbage said. That allowed the malware to jump rapidly from system to system, similar to how the worldwide "WannaCry" malware attack spread and affected about 300,000 computers in May.
But the new attack is far more sophisticated and robust, security analysts said, suggesting that experienced code experts were involved, possibly with third-party funding. According to a U.S. government security bulletin reviewed by NBC News, it uses methods that once came from a National Security Agency database of cyber exploits and is more difficult to defeat than WannaCry.
While WannaCry victims had to take action to download malicious software via email, Tuesday's victims became infected silently. That's because the payload was delivered when a computer or system simply requested software updates from a compromised system, Burbage said, a process that takes place automatically millions of times a day.
WannaCry was halted from spreading when a 22-year-old British security researcher named Marcus Hutchins created a so-called kill-switch that experts hailed as the decisive step in slowing its progress.
That malware "had all kinds of stupid bugs and issues," Kevin Beaumont, a respected British security architect and researcher, said Tuesday. "This has no kill switch, and it looks like they had a development budget."
Meanwhile, law enforcement agencies strongly urged victims not to try to pay the ransom, which Europol warned only "proves to the cybercriminals that ransomware is effective."
"As a result, cybercriminals will continue their activity and look for new ways to exploit systems that result in more infections and more money on their accounts," it said.