The "Petya" cyberattack that has now struck computers in at least 65 countries can be traced to a Ukrainian company's tax accounting software, Microsoft says.
"We saw the first infections in Ukraine — more than 12,500 machines encountered the threat," Microsoft says. "We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States."
The complexity of the attack has fueled debate over whether the malware is a new threat or a more sophisticated version of the Petya malware that was used in an attack last spring.
But Microsoft says the ransomware is "a new variant" of Petya, adding that it has issued new security updates to protect computers running its Windows software. Other anti-virus companies have also updated their software, in an attempt to limit the damage.
The initial infection can be traced to tax accounting software from a Ukrainian company called M.E.Doc, Microsoft says. That connection was the subject of speculation Tuesday, but Microsoft now says it "has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process."
Petya is still affecting airports and ATMs in Ukraine and hampering international businesses from the shipping giant Maersk to the drug company Merck. Its victims also include hospitals in Pennsylvania's Heritage Valley Health System.
The malware is being compared to the WannaCry outbreak that struck computers in more than 150 countries last month — but so far, at least, Petya seems to be spreading more slowly.
Like WannaCry, the Petya ransomware demands a $300 bitcoin payment to retrieve encrypted files and hard drives. As of Wednesday morning Eastern time, the account had received around $10,000. But in a move that has caused some controversy, German email company Posteo blocked the email address the Petya hackers were using to confirm ransom payments. While some cybersecurity experts have praised the approach, others note that users whose files are held hostage have now lost their sole point of contact.
WannaCry was largely undone by the discovery of a "kill switch" that could shut it down. No such kill switch has been found so far with Petya, and experts are still working to find a way to stop it.
But security researcher Amit Serper of Boston's Cybereason has identified a method that essentially acts as a vaccine for computers infected by the malware. His method tricks the ransomware into thinking that it's already operating on a machine. Serper is being widely praised for the innovation — but he says the fix is "a temporary workaround."
Security experts also are divided on what to call the ransomeware. Some analysts have dubbed the malware "NotPetya," to reflect the differences from the original. Others call it "Goldeneye" — the name of another recent strain of the Petya ransomware. Polish researcher Hasherezade says that because core elements of the malware's code still resemble the original, "it is fair to call it a new step in the evolution of Petya."
WannaCry was based on exploits stolen from the National Security Agency — including a program called EternalBlue, which exploited a Microsoft vulnerability. Using some of the same exploits, Petya has the ability to worm through computer networks, gathering passwords and credentials and spreading itself.
After a self-imposed delay of at least 10 minutes, the malware uses a reboot to encrypt files. At that point, users see a fake black-and-white "CHKDSK" message on their screen that claims an error has occurred and that the system is checking the integrity of the disk. This is the last chance, security experts say, for users to power down their computers and protect their files before they're encrypted and held for ransom.
The WannaCry outbreak prompted many network administrators to update their security patches. But as the story of an IT worker in Scotland shows, Petya can still sometimes find a way into those machines, by collecting passwords and credentials from an unpatched computer and using them to log into patched machines.
"We were pretty patched up against [Microsoft's EternalBlue security patch] MS17-010, obviously mustn't have been 100 percent," Colin Scott wrote, "but even then, if one single PC gets infected and the virus has access to Domain Admin credentials then you're done already."
On his blog, Scott doesn't identify his employer, but he says: "So far we've lost many servers and clients, as you can imagine it's carnage."