The virus is believed to have first taken hold on Tuesday in Ukraine where it silently infected computers after users downloaded a popular tax accounting package or visited a local news site, national police and international cyber experts said, according to Reuters.
More than a day after it first struck, companies around the world were still wrestling with the fallout while cyber security experts scrambled to find a way to stem the spread.
Danish shipping giant A.P. Moller-Maersk said it was struggling to process orders and shift cargoes, congesting some of the 76 ports around the world run by its APM Terminals subsidiary.
U.S. delivery firm FedEx said its TNT Express division had been significantly affected by the virus, which also wormed its way into South America, affecting ports in Argentina operated by China’s Cofco.
The malicious code locked machines and demanded victims post a ransom worth $300 in bitcoins or lose their data entirely, similar to the extortion tactic used in the global WannaCry ransomware attack in May.
More than 30 victims paid up but security experts are questioning whether extortion was the goal, given the relatively small sum demanded, or whether the hackers were driven by destructive motives rather than financial gain.
Hackers asked victims to notify them by email when ransoms had been paid but German email provider Posteo quickly shut down the address, a German government cyber security official said.
Ukraine, the epicenter of the cyber strike, has repeatedly accused Russia of orchestrating attacks on its computer systems and critical power infrastructure since its powerful neighbor annexed the Black Sea peninsula of Crimea in 2014.
The Kremlin, which has consistently rejected the accusations, said on Wednesday it had no information about the origin of the global cyber attack, which also struck Russian companies such as oil giant Rosneft and a steelmaker.
“No one can effectively combat cyber threats on their own, and, unfortunately, unfounded blanket accusations will not solve this problem,” said Kremlin spokesman Dmitry Peskov.
ESET, a Slovakian company that sells products to shield computers from viruses, said 80 percent of the infections detected among its global customer base were in Ukraine, with Italy second hardest hit with about 10 percent.
The aim of the latest attack appeared to be disruption rather than ransom, said Brian Lord, former deputy director of intelligence and cyber operations at Britain’s GCHQ and now managing director at private security firm PGI Cyber.
“My sense is this starts to look like a state operating through a proxy … as a kind of experiment to see what happens,” Lord told Reuters on Wednesday.
While the malware seemed to be a variant of past campaigns, derived from code known as Eternal Blue believed to have been developed by the U.S. National Security Agency (NSA), experts said it was not as virulent as May’s WannaCry attack.
Security researchers said Tuesday’s virus could leap from computer to computer once unleashed within an organization but, unlike WannaCry, it could not randomly trawl the internet for its next victims, limiting its scope to infect.
Bushiness that installed Microsoft’s latest security patches from earlier this year and turned off Windows file-sharing features appeared to be largely unaffected.
There was speculation, however, among some experts that once the new virus had infected one computer it could spread to other machines on the same network, even if those devices had received a security update.
After WannaCry, governments, security firms and industrial groups advised businesses and consumers to make sure all their computers were updated with Microsoft security patches.
Austria’s government-backed Computer Emergency Response Team (CERT) said “a small number” of international firms appeared to be affected, with tens of thousands of computers taken down.
Security firms including Microsoft, Cisco’s Talos and Symantec said they had confirmed some of the initial infections occurred when malware was transmitted to users of a Ukrainian tax software program called MEDoc.
The supplier of the software, M.E.Doc denied in a post on Facebook that its software was to blame, though Microsoft reiterated its suspicions afterwards.
“Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process,” it said in a technical blog post.
Russian security firm Kaspersky said a Ukrainian news site for the city of Bakhumut was also hacked and used to distribute the ransomware to visitors, encrypting data on their machines.
A number of the international firms hit have operations in Ukraine, and the virus is believed to have spread within global corporate networks after gaining traction within the country.
Shipping giant A.P. Moller-Maersk, which handles one in seven containers shipped worldwide, has a logistics unit in Ukraine.
Other large firms affected, such as French construction materials company Saint Gobain and Mondelez International Inc, which owns chocolate brand Cadbury, also have operations in the country.
Maersk was one of the first global firms to be taken down by the cyber attack and its operations at major ports such as Mumbai in India, Rotterdam in the Netherlands and Los Angeles on the U.S. west coast were disrupted.
Other companies to succumb included BNP Paribas Real Estate, a part of the French bank that provides property and investment management services.
“The international cyber attack hit our non-bank subsidiary, Real Estate. The necessary measures have been taken to rapidly contain the attack,” the bank said on Wednesday.
Production at the Cadbury factory on the Australian island state of Tasmania ground to a halt late on Tuesday after computer systems went down.
Russia’s Rosneft, one of the world’s biggest crude producers by volume, said on Tuesday its systems had suffered “serious consequences” but oil production had not been affected because it switched to backup systems.