2017-06-28

The "Petya" cyberattack that has struck computers in 65 countries can be traced to a Ukrainian company's tax accounting software, Microsoft says. The ransomware is being called a more sophisticated version of the Petya malware that was used in an attack last spring.

"We saw the first infections in Ukraine - more than 12,500 machines encountered the threat," Microsoft says. "We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States."

The ransomware is "a new variant" of Petya, says Microsoft, adding that it has issued new security updates to protect computers running its Windows software. Other anti-virus companies have also updated their software, in an attempt to limit the damage.

The initial infection can be traced to tax accounting software from a Ukrainian company called M.E.Doc, Microsoft says. That connection was the subject of speculation Tuesday, but Microsoft now says it "has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process."

The attack has affected airports and ATMs in Ukraine and hampered international businesses from the Maersk shipping giant to the Merck drug company. Its U.S. victims also include hospitals in Pennsylvania's Heritage Valley Health System.

The malware is being compared to the WannaCry outbreak that struck in more than 150 countries last month — but so far, at least, Petya seems to be spreading more slowly.

The ransomware demands a $300 bitcoin payment to retrieve encrypted files and hard drives. As of Wednesday morning ET, the account had received around $10,000. But in a move that has caused some controversy, German email company Posteo blocked the email address the Petya hackers were using to confirm ransom payments. While some have praised the approach, others note that users whose files are held hostage have now lost their sole point of contact.

Unlike WannaCry, a "kill switch" for Petya has yet to be identified. But a method that essentially acts as a vaccine has been put forth to save computers infected by the malware, after security researcher Amit Serper of Boston's Cybereason identified a way to shut Petya down — by convincing it that the ransomware was already operating on a machine. Serper is being widely praised for the innovation — but he says the fix is "a temporary workaround."

As security experts analyze the complex attack and try to thwart it, they have also debated what to call it. Some analysts dubbed the malware NotPetya, to reflect the differences from the original. Others call it Goldeneye — the name of another recent strain of the Petya ransomware. Polish researcher Hasherezade says that because key portions still resemble its predecessor, "it is fair to call it a new step in the evolution of Petya."

Using some of the same exploits as the WannaCry ransomware that struck last month, this version of Petya has the ability to worm through computer networks, gathering passwords and credentials and spreading itself.

After a self-imposed delay of at least 10 minutes, the malware uses a reboot to encrypt files. At that point, users see a fake black-and-white "CHKDSK" message on their screen that claims an error has occurred and that the system is checking the integrity of the disk. This is the last chance, security experts say, for users to power down their computers and protect their files before they're encrypted and held for ransom.

