Employees at WPP and Mondeléz, among other companies, arrived at work Tuesday to a rude surprise: A digital ransom note on their locked PCs that demanded they pay up or lose all of their files.
Staffers with infected computers were greeted with a message saying that the user's files had been encrypted -- and that it would cost more than 300 in bitcoin (around $600,000) to free them -- as part of a worldwide cyberattack. The ransomware ground businesses to a halt for at least a day.
The attacks on their computer systems were likely related to similar ones that exploited a Microsoft vulnerability earlier this year.
So, what exactly happened?
WPP and Mondeléz were among thousands of companies attacked with "ransomware," which can infect computer systems, phones, e-mail and other services. In this type of attack, the hacker typically asks for money to go away, and they are not looking to hack e-mails or steal data, according to Tom Pageler, chief risk and information security officer at Neustar.
The attackers usually ask for payment in Bitcoin, a digital currency that can't be traced, but paying the hackers is the last thing a company wants to do.
"If you pay the ransom it will likely get unlocked," Pageler said. "But you don't want to be in this position again."
So what do you want to do?
"Business continuity is the most critical issue in the C-Suite," Pageler said. "If you can't even conduct bare bones business then it all breaks down."
Ideally companies have planned for such an attack, and they have backup systems for their software, data, phones and internet technology.
"Secure your data, make sure it's always available for yourself and your customer," Pageler said.
If a company has planned for this type of break-in, then it would have a disaster recovery plan in place, with contingencies to access its most critical systems.
Is any data at risk for WPP clients or Mondeléz consumers?
Not as much as people would think. WPP does work with major brands and advertisers, but this type of attack does not typically look to steal data.
"A lot of ransomware does not do this, does not let the hackers in in the meantime, but there's no absolute," said Justin Cappos, professor in the computer science and engineering department at the NYU Tandon School of Engineering.
That's reassuring, but how did this even happen? Can it happen to me?
This type of attack exploits a vulnerability in Microsoft servers. Last month, there was a similar attack called "WannaCry," which hit hospitals in the U.K. That ransomware hack came with a "kill switch" and was poorly written, according to Pageler.
Security experts warn many companies to update their systems.
How do you insulate yourself?
The National Security Agency allegedly discovered an exploit called "EternalBlue" in Microsoft servers earlier this year. Microsoft released a patch in March, but clearly not everyone updated their servers. The EternalBlue exploit was used in May during the "WannaCry" attack in the U.K. and elsewhere. The latest attack resembled a variant of "WannaCry" dubbed Petya, though some security groups have said the attack is not the same as Petya and are calling it NotPetya. It could take time to sort out.
So this was preventable?
Large organizations like WPP and Mondeléz have many offices, and many servers, and more vulnerabilities -- and may not have had time to update their Microsoft servers.
Should a company have some emergency Bitcoin on hand, and just pay these people?
No. That's the last resort, and a company can get Bitcoin quickly if needed.
How do you know these hackers will do what they say?
There is some honor among thieves, security experts say, and the hackers know if they get a company to pay they should hold up their end of the bargain -- otherwise, no one would pay them again.
Still, don't pay them.