Police terminates servers responsible for NotPetya/Petya rampage

by Julie Splinters - - 2017-07-05

Servers have been taken down, but it is too early to celebrate victory

M.E.Doc servers are finally terminated

Right after Petna/ExPetr/GoldenEye went on a rampage a couple of weeks ago, investigation presented intriguing details. Besides the stonishing news that the malware was indeed a variation of Petya and the fact that it acts as a data wiper^[1] rather than ransomware, another analysis revealed that the very destination and the source of the infection were Ukraine. After the news had broken out that M.E.Doc, accounting software, was the main culprit for the malware outbreak, Ukraine Police has finally made a move – terminated its servers.^[2]

Time of confession has finally come

Intellect Service, the owner of M.E.Doc, has finally confirmed the allegations that their servers were hacked. The perpetrators infiltrated the servers and corrupted the update network with un unpleasant surprise – ExPetr/NotPetya virus. Thus, companies which have been using this software, unsuspected installed the prompted update only to face destructive consequences later on.

For a while, the company maintained the policy of silence and negation. However, when one after another evidence linking to the company’s corrupted update system started to surface^[3], the company has finally made the long-awaited statement of unauthorized access.

A victim or a wolf in sheep’s clothing?

Though it seems that the accounting software, which shares a special popularity among Ukrainian companies, to have was a victim, its overall stance, and behavior spark speculations. It received continuous and several warnings from cyber security companies and individual experts about flaws in the system. Nonetheless, it did not take immediate measures to prevent the hack.

Furthermore, further investigation revealed another ransomware made use of security holes in M.E.Doc servers. Dubbed as Fake ransomware^[4], the threat is said to have spread in Ukraine via the servers of the company.

The threat wrapped in the veil of ed.exe was loaded into the servers with Petya simultaneously. The latter is written in the .NET programming language drags behind WNCRY string. Obviously, one might suspect that it is linked with WannaCry cyber plague. However, taking into account the number of fake versions sprung after the outbreak of the original threat, it is too early to state that it is an alternative version of the malware, even though it possesses full technical capabilities of a full-fledged virus.

To sum up, the servers are finally terminated, and the Police of Ukraine will present the criminal charges for the company for not taking immediate preventive measures. Nonetheless, it does not mean that the virtual community can finally sigh with relief. Continuous cyber terror attacks emphasize that there is still a long way to sufficient global cyber security.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

References

^ Robert Hackett. Why You Shouldn’t Pay the Petya Ransomware. Fortune. Fortune 500 Daily and Breaking News.
^ Ukraine cyber-attack: Software firm MeDoc's servers seized. BBC News.
^ My Online Security. Petya it is highly likely that medoc was the original vector . Twitter. Online source for communication and news.
^ Anton Ivanov, Orkhan Mamedov. In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine. Securelist. Information about viruses, hackers,and spam.