Hackers launched blistering ransomware attacks Tuesday against companies and agencies across the world, particularly targeting Ukrainian businesses.
Major global firms reported that they had been targeted, including British advertising agency WPP, Russian oil and gas giant Rosneft, global shipping company FedEx and Danish shipping firm Maersk.
On Wednesday, FedEx said operations of its TNT Express subsidiary were disrupted by a virus.
“Like many other companies worldwide, TNT Express operations have been significantly affected by an information system virus,” Patrick Fitzgerald, SVP FedEx integrated marketing and communications, said. “No data breach is known to have occurred.”
Maersk issued a similar statement on Tuesday, saying its tech systems “are down across multiple sites and business units due to a cyberattack.”
The U.S.-based pharmaceutical company Merck also said it was hit.
“We confirm our company’s computer network was compromised today as part of global hack,” Merck said on Twitter.
Mondelez, the company that owns Oreos, Cadbury and many other global snack brands, reported a computer outage across its global operations. And law firm DLA Piper said it had taken down its systems in response to “a serious global cyber incident.”
The source of the attack is not yet clear. It is similar to WannaCry, which spread globally in May, but there are differences. Both asked victims to pay Bitcoin to get their files back, and both use a similar flaw to spread through networks.
The Moscow-based cybersecurity firm Group IB estimated Tuesday that the virus affected about 80 companies in Russia and Ukraine.
Group IB said the ransomware infects and locks a computer, and then demands a $300 ransom to be paid in Bitcoins.
Many firms, including Symantec, have suggested the ransomware is a variant of Petya, a known ransomware. But according to security firm Kaspersky Lab, preliminary findings indicate the attacks are from a new ransomware that it’s now calling “ExPetr.”
Either way, researchers say Tuesday’s attacks use a Windows flaw called EternalBlue to spread through corporate networks. WannaCry also leveraged the EternalBlue exploit, which was leaked as part of a trove of hacking tools believed to belong to the NSA. Microsoft issued a patches for the exploits in March.
Microsoft said it found that the ransomware is using multiple techniques to spread, including one that was addressed by the security patch released in March. It is continuing to investigate.
The U.S. Department of Homeland Security is also monitoring the cyberattacks.
Spokesman Scott McConnell said DHS is “coordinating with our international and domestic cyber partners. We stand ready to support any requests for assistance.”
Europol said it is investigating the attack as well.
Ukrainian companies and government agencies seem to have been hit particularly hard.
Ukraine’s central bank warned financial firms across the country that an unknown virus hit the sector, creating problems for banks and customer service.
According to security firm Cisco Talos, the ransomware initially infected MeDoc, a piece of Ukranian accounting software. MeDoc then sent an infected file to customers. It spread to other computers on companies’ networks by leveraging software holes.
Ukrainian officials confirmed a possible link to MeDoc. But the company denied its software spread the infection, saying in a Facebook post that an update sent out last week was free of viruses.
This ransomware was much more advanced than WannaCry, according to Craig Williams, senior tech lead and security outreach manager at Cisco Talos.
Officials at Ukraine’s postal service and metro system in Kiev also reported hacking problems.
Ukraine’s vice prime minister, Pavlo Rozenko, tweeted a screenshot of his malfunctioning computer saying computers at the Cabinet of Ministers had been affected.
The Chernobyl nuclear power plant was also hit by the cyber attack, according to a Ukrainian federal agency. In a statement, the agency said that “in connection with the cyber attack, the Chernobyl nuclear power plant website is not working.” Its Microsoft Windows systems were temporarily disconnected, and radiation monitoring in the area of the industrial site is being carried out manually, it said.
Ransomware victims are always advised not to pay the ransom to get their files back because it encourages the attackers. The best way to mitigate damage from ransomware is to update operating systems and backup data.
–CNN’s Marilia Brocchetto, Mary Ilyushina, David Shortell, Bex Wright and Victoria Butenko contributed to this report.