Merck rocked by ransomware attack - The Washington Post

Here is what you need to know about ransomware: software that locks down your files and demands payment to release them. (Sarah Parnass,Dani Player,Daron Taylor/The Washington Post)

Merck, a U.S.-based pharmaceutical giant, was among dozens of businesses affected by a sprawling cyberattack Tuesday, with victims across the globe facing demands to hand over a ransom or have their computer networks remain locked and inaccessible.

The widespread intrusion that hit the New Jersey-based drug company was similar to a massive ransomware attack last month that deployed a virus dubbed WannaCry. Merck also has a European presence, with an office in Ukraine, where many of the ransomware attacks were concentrated.

The extent of the Merck hack is not yet known.

Merck employees arrived at their offices Tuesday morning only to find a ransomware note on their computers. The company confirmed via Twitter soon afterward that “its network was part of a global hack.”

Employees were told to get off their computers and go home, said one scientist who works at a Merck lab in New England. “Some people looked like they had their hardware wiped — it just shut down the whole network site,” said the employee, who spoke on the condition of anonymity because she was not authorized to speak on the record.

All U.S. offices of Merck were affected, she said. “Without computers these days you can’t do anything,” the employee said. As a scientist, her instruments are connected to a computer, her data is stored on central servers, and the safety data sheets are all online. “There’s not much you can do without access,” she said. “It’s one thing to have our laptop be corrupted. We’re really hoping that all the data [in the central servers] is protected. But we don’t know that.”

She said employees at her office were informed over a public address system, and people spread the word to colleagues by cellphone. Employees were told to call a number used for snow emergencies to find out whether they should report to work Wednesday. Beyond the inconvenience of not being able to work, the employee said she fears that critical information tied to Merck drug research could be lost.

Merck didn't immediately respond to a request for comment.

Tuesday's attack utilized a virus similar to one known as Petrwrap or Petya, security researchers said, and exploits a vulnerability discovered years ago by the National Security Agency.

“The emergence of Petya and WannaCry really points out the need for a response plan and a policy on what companies are going to do about ransomware,” said Mark Graff, chief executive of Tellagraff, a cybersecurity company. “You won’t want to make that decision at a time of panic, in a cloud of emotion,” he said.

For companies that choose to pay the ransom, Graff said there is no guarantee that the people behind the attacks will make good on their word. “Even if you are paying the ransom, you are dealing with crooks,” he said. “Plus the ethical quandary: Every time somebody pays, it gives the criminals more reason to go off and hurt more people.”

DLA Piper, a multinational law firm with an office in Washington, was also hit by the ransomware, according to a statement on its website.

Hamza Shaban covers tech news for The Washington Post. Prior to joining The Post, he worked at Buzzfeed, where he covered tech policy for the past two years, writing about antitrust, free speech, surveillance, cybersecurity and the tension between privacy and security interests.

Ellen Nakashima is a national security reporter for The Washington Post. She focuses on issues relating to intelligence, technology and civil liberties.