NSA Software Behind Latest Global Ransomware Attack

Tyler Durden's picture

"It's like WannaCry all over again," said Mikko Hypponen, chief research officer with Helsinki's cybersecurity firm F-Secure, when discussing today's latest outbreak of the WannaCry-like ransomware attack, which as we reported earlier started in Ukraine, and has since spread to corporate systems across the world, affecting Russian state oil giant Rosneft, the international shipping and energy conglomerate Maersk, and the UK public relations company WPP, before jumping across the Atlantic and going global, by infecting the US-based division of global pharma giant Merck, which this morning confirmed it has been hit by the "Petya" attack.

“We confirm our company’s computer network was compromised today as part of global hack,” Merck said in a statement on Tuesday. “Other organizations have also been affected. We are investigating the matter and will provide additional information as we learn more.”

Merck employees were instructed to disconnect all mobile devices from the company network and advised not to speak to reporters or post messages on social media accounts.

Computers at Merck facilities in Pennsylvania and New Jersey locked up Tuesday morning around 8am local time, according to the Inquirer.

Back in mid-May, when WannaCry spread with tremendous speed around the globe, many said that it's only a matter of time before the virus returns in a more advanced, weaponized version. Sure enough, cyber security experts quoted by Reuters said those behind the attack appeared to have exploited the same hacking tool used in the WannaCry ransomware attack that infected hundreds of thousands of computers in May before a British researcher created a temporary kill-switch.

Hypponen said he expected the outbreak to spread in the Americas as workers turned on vulnerable machines, allowing the virus to attack. "This could hit the U.S.A. pretty bad," he said. And, as Merck confirmed, it already has.

Within hours of the first attack, the U.S. Department of Homeland Security said it was monitoring reports of cyber attacks around the world and coordinating with other countries.

The first reports of organizations being hit emerged from Russia and Ukraine, but the impact quickly spread westwards to computers in Romania, the Netherlands, Norway, and Britain.

Within hours, the attack had gone global.

In addition to the US, a Swiss government agency also reported computer systems were affected in India, though the country's cyber security agency said it had yet to receive any reports of attacks according to Reuters.

For those infected, there may be just one option: pay the ransom. One victim of the cyber attack, a Ukrainian media company, said its computers were blocked and it had a demand for $300 worth of the Bitcoin crypto-currency to restore access to its files.

"If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service," the message said, according to a screenshot posted by Ukraine's Channel 24. The same message appeared on computers at Maersk offices in Rotterdam and at businesses affected in Norway.

Other companies that said they had been hit by a cyber attack included Russian oil producer Rosneft, French construction materials firm Saint Gobain and the world's biggest advertising agency, WPP - though it was not clear if their problems were caused by the same virus. "The building has come to a standstill. It's fine, we've just had to switch everything off," said one WPP employee who asked not to be named.

The virus was seen on various Ukraine ATMs, leading to jokes that while normally you ask ATMs for money, in hacked Ukraine, ATMs ask you.


Cyber security firms scrambled to understand the scope and impact of the attacks, seeking to confirm suspicions hackers had leveraged the same type of hacking tool exploited by WannaCry, and to identify ways to stop the onslaught. Experts said the latest ransomware attacks unfolding worldwide, dubbed GoldenEye, were a variant of an existing ransomware family called Petya.

It uses two layers of encryption which have frustrated efforts by researchers to break the code, according to Romanian security firm Bitdefender. "There is no workaround to help victims retrieve the decryption keys from the computer," the company said.

Russian security software maker Kaspersky Lab, however, said its preliminary findings suggested the virus was not a variant of Petya but a new ransomware not seen before.

As noted earlier, Ukraine was quick to accuse Russia. An advisor to Ukraine's interior minister said the virus got into computer systems via "phishing" emails written in Russian and Ukrainian designed to lure employees into opening them. According to the state security agency, the emails contained infected Word documents or PDF files as attachments.

But whatever the origin of the geographic hacking operation, the actual software used is the same that was created by the NSA and subsequently leaked by a disgruntled non-Russian employee. Now we are just waiting for the confirmation.

As a reminder, the quick proliferation of the original WannaCry malware, which infected nearly 300,000 computers worldwide within a day, was due entirely to its use of two powerful software exploits that were released to the public in April by the anonymous hacker group calling itself the Shadow Brokers, which said the exploits were developed by the US National Security Agency (NSA).

On Tuesday, Edward Snowden asked "How many times does @NSAGov's development of digital weapons have to result in harm to civil infrastructure before there is accountability?"

Apparently, not enough.

Meanwhile, governments and so-called experts had laughably come to the conclusion that the North Korean government was behind the original WannaCry attack. We just can't wait for those same "experts" to again blame this latest global malware attack on Kim and his team of crack blackhats.

Finally, for those who want to keep track of how many people have made the ransom payment, there is now a Twitter bot, @petya_payments, that will tweet each time a new ransom payment is made to the bitcoin wallets associated with the Petya attack.

Raffie's picture

Demonize them BITCOINs..

DEEP STATE hard at work.

Get everyone back into the safe Central Banks.

Truther's picture

The fucking assholes will blame Putin again. Watch.

All a prelude to the upcoming Syria strike.

SoilMyselfRotten's picture

By 'Syrian strike' you must be referencing the gas attack Syria is 'intending' to employ on its own people.

Save the Syrians, let the bombs fly! <ack>

BuddyEffed's picture

Regarding cyber attacks :
Were there back doors involved?
What are the ethics covering that?
Would it be a betrayal of one's customer base in including those back doors in the first place?
Would it be a betrayal of goodwill and peace towards men and fellow humans?
Would it be wrong?

SoilMyselfRotten's picture

Were there back doors involved?


What back door hasn't the US molested, I know mine is sore.

Never One Roach's picture

That's why God made middle class workers with, "back doors...."

So the Democrats can sodomize them!

Lurk Skywatcher's picture

Or more importantly, who do you sue? The NSA? M$? The US Government?

In this modern touchy feely liberal world, there has to be someone that must be to blame.

White middle aged men in general?

FixItAgainTony's picture

right, and especially the Amish.

nmewn's picture

"Impeach Colt45!!" - Maxine "Brain Dead" Waters 

Miffed Microbiologist's picture

I wish someone would encrypt her account of ill gotten gains and send the key to a Nigerian prince.


38BWD22's picture


O ho, nice one!

+ a maxie green

Never One Roach's picture
Maxine "Welfare Queen" Waters Gets Shredded By Black Trump Supporter — 'You Have Destroyed The Black Community!'

bimmerfan's picture

"We had to kill them all to save them."

caconhma's picture

The USA has 17 Intelligent/Spy Agencies! Why? What are they doing? 

Stalin had just two who have penetrated the White House, the State Department, CIA, FBI as well as Hitler's inner circle, and had their spy as British Counterintelligence chief (Kim Philby).

During the WWII, British also had just two (MI 5 and MI 6) and knew all Hitler's plans.

asteroids's picture

It's Obama's fault! He was in charge when these hacks were developed!

dasein211's picture

Wait until one of them gets to a major bank or central bank and wipes it the fuck out. Digital fiat will be worthless. Real Cash will be king. Actual money printing is a lot more difficult than digital printing. Then the real fun begins.

Raffie's picture

The world will go into a digital currency and the cryptos we see today are the building blocks of it.

If you're referring to PM as real cash then you want the utter destruction of the global economy and ultra high inflation.

You sure you want to live in a world where gold is $5k and up? How much will that loaf of bread cost?

Ya, would be nice if Pm showed a more realistic price, but so far only places like Venezuela shows the real value of PM, but the whole country has to be in ruin to see it.

Be careful what you wish for.


Tejano's picture

I wish that these networks of computers were not so fragile. Episodes like this will only continue to get worse. Why wouldn't they? They will get worse to the point where this technology that your global economy is so dependent on will be seriously degraded.

Does anyone think that there will be less malicious activity going forward? That these "attacks" will not continue and worsen until there is a real - not just headline -  effect on the globalist ability to deliver the goods? Who is going to stop them?

Disclaimer: all in pm's

adanata's picture

That's how you know the Deep State is behind it; or freelance thieves, because they NEVER hit the Fed, the Fed owned Gov, the Fed's enforcement arm; the IRS or the Fed's mother ship; the BIS and so on. If it would be good for the people, it doesn't happen. Robin Hoodwink.

Lurk Skywatcher's picture

And it's funny how the last one was magically stopped just before it infected the "homeland".

Erek's picture

Never bite the hand that feeds you.

AlexCharting's picture

Pedocoins do not have a future

Raffie's picture

I'm for TacoCoins and BurritoTokens.

Nom nom..

Crypto-World-Order's picture

I agree so stop buying them, kermit.

JackMeOff's picture

Must have been another "fat finger" over at Ft Meade.

BorisTheBlade's picture

IT security consultancy companies are red hot regardless. Some of them playing both sides of the equation, case in point Cr0wd6trike. Cool if I spell it this way?

el buitre's picture

Better Fort Meade than Fort Detrick with another virus like ebola.

jimijon's picture

Ah the joys of "Windoze." Here I am safely working away with my Mac, and looking to get back in with my dry powder on GDAX. I'm thinking maybe this weekend.


Duc888's picture



I'm safely working away on LINUX...and didn't have to spend a penny on ICrap.

a Smudge by any other name's picture

You guys have trouble reading, comprehending or both. The Vault7 hacks have tools for both Linux and Apple OSs. Not to mention Solaris, HPvax, BSD, IBM Z systems (and legacy). And your precious phones too. Pretty much everything that runs anything.

Remain in your illusion but don't drag that magic blanket over other people's eyes.

Duc888's picture



Well I guess no one has bothered messing with Linux yet.

FixItAgainTony's picture

Mac users are p0wned already by Apple.

CRM114's picture

I'll bet the NSA could figure out who's doing it.

If the USA really wants to be the World's Policeman, they could start with The Dark Side of cyberspace.

I don't think anyone would have a problem with that.

Maybe the FSB, or Mossad, could be the enforcement arm. ;)

Shemp 4 Victory's picture


I'll bet the NSA could figure out who's doing it.

Yeah, on a first name basis, too.

If the USA really wants to be the World's Policeman, they could start with The Dark Side of cyberspace.

They are the Dark Side of cyberspace.

BorisTheBlade's picture

NSA, as brilliant and evil as it is. Could've lost control over its own code that it spent billions nurturing and developing. That's the scariest shit.

el buitre's picture

Ya think it's HAL needing BitCoin for blow and hookers?

PrivetHedge's picture

Or even scarier, maybe it's deliberate to get people off the internet...

TePikoElPozo's picture

... next, we hit the EBT's (BWAHAHAHAHAHAHAHA!!!!)

Pigeon's picture

That would be THE MOST BRILLIANT terrorist attack. You saw people go ape-shit a couple years back when the EBT went down in Alabama or something? The animals tore apart a Wal-Mart. Not that I feel badly for rent-seeking Wal-Mart. 

But even if 1/3 of the 47 million on food stamps went off, imagine the chaos. It must hit on the 5th of the month, I think, to be most effective.

Crypto-World-Order's picture

Yea bitchez, bitcoin is the threat. 

gregga777's picture

It's NOT the Russians. It's the Americans! Yo, way to go NSA maroons!!!

Jack McGriff's picture

This is why bitcoin will soon be shut down.  Moneylaundering and competing against the USD has always been its achilles heel.

cherry picker's picture

Dear Billy Gates and Zuckenberg

I would like a refund for all you did to help the criminals in government hack our systems, including selling them back doors.

What you did was sell out your customers for money.

BuddyEffed's picture

Legacy is a lot more than just the money, isn't it.
Sneaky in the business model is never a good choice.

smacker's picture

A Class Action lawsuit against Micro$oft.

It should include their imposition of technical changes to the e-mail system (SMTP & POP3) to allow use of HTML coding in e-mails to replace its original plain text format. HTML introduced a new opening for malware to be spread via e-mail because hackers can imbed auto-executable scripts in an e-mail which run when you open it without the user's knowledge. Typically, the script will go off and connect to a malware server somewhere and the rest is history.

jimmy c korn's picture

Check out Hushmail. It will not let a HTML to open in any email unless the user clicks an approval to allow it. The basic service is free, which is good enough for me!

smacker's picture

Yeah, I know about Hushmail. I actually use an e-mail client which doesn't render HTML at all "Forté Agent"(v3.3). My version's a tad old now but still works wonders and is 100% portable for when I'm travelling.

If I really need to read an HTML e-mail I can easily use Universal Viewer.

Later versions of Agent have internal support to render HTML optionally.