Malicious program appears not to be ransomware, but simply wipes hard drives.
Microsoft announced Wednesday the Petya cyberattack that appeared a day earlier has now spread to 65 countries.
The virus was detected in just six countries Tuesday.
“We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat.,” Microsoft wrote in a blog post. “We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.”
Petya was initially described as ransomware, in which hackers use a vulnerability to shut down computer networks and extract a ransom from targeted users. Affected users noted the virus asked for $300.
Security researchers noticed Wednesday, however, not only did hackers behind the virus not unlock computers after payment was sent, the virus’ programming appears not to have a mechanism to accept payment. Instead, the program is a “wiper” that automatically erases the hard drive of the infected computer.
“The goal of a wiper is to destroy and damage,” cybersecurity researcher Matt Suiche wrote in a blog post. “The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification — a wiper would simply destroy and exclude possibilities of restoration.”
Microsoft said the initial infection of Petya was tracked to an accounting software used by Ukrainian company M.E.Doc. The virus continues to cause problems with ATMs and airports in multiple counties, as well as giant companies like FedEx and Merck.
Petya comes just a few weeks after WannaCry, a massive international ransomware attack. WannaCry was first detected in May and, like Petya, exploited vulnerabilities in old versions of Microsoft’s Windows operating system.
But WannaCry spread much more rapidly. It struck 150 countries in a matter of days but researchers were able to find a relatively simple piece of programming to stop its spread.
No such “kill switch” has been found for Petya.