Where did ransomware Petya originate? Microsoft knows

Companies across the globe are reporting that they have been struck by a major ransomware cyber-attack. It is not yet known if the malware is a new threat or a more sophisticated version of the Petya malware that was used in an attack last spring. The virus freezes the user’s computer and demands an untraceable ransom be paid in the digital Bitcoin currency.

The “Petya” cyberattack has struck computers in at least 65 countries. Ukrainian firms, including the state power company and Kiev’s main airport, were among the first to report issues. The Chernobyl nuclear power plant has also had to monitor radiation levels manually after its Windows-based sensors were shut down.

The attack can be traced to the tax accounting software of the Ukrainian company M.E.Doc, Microsoft says. “We saw the first infections in Ukraine — more than 12,500 machines encountered the threat,” Microsoft says. “We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.”

The US Department of Homeland Security advised victims not to pay the ransom, saying there was no guarantee that access to files would be restored.

The Russian anti-virus firm Kaspersky Lab said that there had been about 2,000 attacks, most of them in Ukraine, Russia and Poland. Kaspersky had detected suspected attacks in Poland, Italy, Germany, France and the US in addition to the UK, Russia and Ukraine. The firm has dubbed the malware NotPetya based on its analysis that it was a “new ransomware that has not been seen before” despite its resemblance to Petya.

However, Microsoft says the ransomware is “a new variant” of Petya. The company (as have other anti-virus companies) has issued new security updates to protect computers running its Windows software.

Petya ransomware demands a $300 payment in bitcoin to retrieve encrypted files and hard drives. As of Wednesday morning EST, the account had received around $10,000. German email company Posteo blocked the email address that the Petya hackers were using to confirm ransom payments.

Petya is still affecting airports and ATMs in Ukraine and hampering business at the shipping giant Maersk, the drug company Merck, and hospitals in Pennsylvania’s Heritage Valley Health System.