What to know about this global cyber attack

Researchers think it could be malware that's been sold on the dark web's black market.

There's another global cyber attack happening, and so far it's hit airports, power companies, banks, a hospital, a Russian oil giant and others.

This is once again ransomware – so when the malware gets into a computer it encrypts the files, takes over, and tells the user they need to pay up to get their files back. So it's like the WannaCry ransomware that hit more than 200,000 computers last month.

But this one also overwrites a key portion of your main hard drive, Symantec explains – meaning it's more complicated.

This newly unleashed malware then forces the computer to restart, Bitdefender says, and when it boots back up a ransom note appears on the screen.

It's a demand to send $300 in Bitcoin (that's about .12 Bitcoins) to a digital wallet. And then the hackers will let you unlock all your files ... allegedly. Though people have doubts.

You can actually track Bitcoin wallets to see activity. Blockchain says that particular address has received more than 2.786 Bitcoins – which is over $6,500.

Where it's hit so far

Most of the infections recorded so far have been in Ukraine and the Russian Federation, with Poland, Germany and Italy behind them, according to Kaspersky analyst Costin Raiu. It has shown up on ATMs, at grocery stores, and at a hospital system in Pittsburgh.

Maybe the biggest U.S. company hit is Merck, a pharma business based in New Jersey.

But there are rumblings about more infections, such as at a leading law firm based in Washington, D.C.

Kaspersky Lab said at 12:12 p.m. that it had detected more than 2,000 users attacked with this ransomware so far Tuesday, and called it a "complex attack."

Update: It's worth noting, as MalwareTech points out, this attack only spreads to computers on the same local network – it doesn't appear to get sent over the internet to random users.

"I.e. you are extremely unlikely to be infected if you’re not on the same network as someone who was already infected," the site writes.

Nobody's quite sure what it is yet

A lot of researchers and cybersecurity groups, such as Symantec, think it's some variant of Petya, aka PetrWrap – malware that first popped up in 2016 and has been sold on the dark web's black market. Bitdefender also refers to it as Goldeneye.

But there are still questions about what it is, and Kaspersky is one of the firms tweeting #NotPetya to try to make that point.

Researchers (such as Talos Intelligence), though, seem pretty sure that it manages to infect computers using an exploit called EternalBlue (the same security hole that WannaCry used). EternalBlue is said to have been developed by the NSA, then leaked publicly by a group of hackers.

Then there's the question of how it got to a user's computer in the first place. Email might have been involved, well-known researcher MalwareTechBlog tweeted. But there were likely other ways in, possibly including financial software known as MeDOC.

So ... what should I do?

If you're using a Windows computer, make sure you've downloaded all the security updates. Microsoft patched that EternalBlue issue months ago.

But there's some worry about how far this might spread.

WannaCry was only slowed down when a researcher – the above-mentioned MalwareTechBlog – accidentally found the kill switch.

But as WIRED notes, this Petya/PetrWrap/Goldeneye ransomware doesn't appear to have any type of kill switch built in.

"After a host is infected, there is no communication from the malware back to the attacker," Palo Alto Networks writes.
