Security experts believe the attack originated from an update of a Ukrainian tax accounting package called
It was shown that the domain used for updating
The cyberattack was based on a modified version of the Petya ransomware. Like the WannaCry ransomware attack in May 2017, Petya uses the EternalBlue exploit, which targets a vulnerability previously discovered in older versions of the Microsoft Windows operating system. When Petya is executed, it encrypts the Master File Table of the hard drive and forces the computer to restart. It then displays a message telling the user that their files are now encrypted and that they must send US$300 in bitcoin to one of three wallets to receive instructions to decrypt their computer. At the same time, the software exploits the Server Message Block protocol in Windows to infect local computers on the same network, and any remote computers it can find.
The EternalBlue exploit had been previously identified, and Microsoft issued patches in March 2017 to shut down the exploit for the latest versions of Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016. However, the WannaCry attack progressed through many computer systems that still used older Windows operating systems or previous releases of the newer ones, which were still exposed to the exploit, or on which users had not taken the steps to download the patches. Microsoft issued new patches for Windows XP and Windows Server 2003, as well as for previous versions of the other operating systems, the day after the WannaCry attack.
Security experts found that the version of Petya used in the