MEDoc, a tax-filing software developed in Ukraine, is seemingly to blame for the cyber-attack that struck firms in 65 countries earlier this week.
As explained by tech experts, computers worldwide were infected via corrupted updates for the tax software in a way similar to the Petya attack that first afflicted computers in March 2016.
Marcus Hutchins, a malware expert in the UK, told the BBC he had evidence that the attack originated from the Ukrainian tax-filing software.
“It looks like the software's automatic update system was compromised and used to download and run malware rather than updates for the software,” Hutchins said.
Additionally, Microsoft ran an analysis that confirmed this claim, writing in a company blog post that “initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc.”
However, Mark Taylor, a technical manager with ICAEW, doubts that MEDoc was the attack’s sole source.
“I think its use would be pretty limited since it is obviously software that is only used in Ukraine and Russia as far as I can tell.”
“The trouble with all these things is you get quite a lot of misinformation floating around and people confuse the symptoms when they look at one outbreak and they think it’s responsible and it’s not. So it’s difficult to track how it got out there. I suspect it was delivered through more than one means and that’s key here,” Taylor said.
Will NotPetya Attack Provide New Template for Hackers?
This recent attack might serve as a new template for criminals looking to hack into computers as it involves using software updates instead of the more traditional infected email attachments.
Alan Woodward, a computing expert at the University of Surrey, found this attack rather interesting.
“The ironic thing about this situation (if it proves to be the case) is that we always advise users to keep their software up to date, ideally using automated updates. However, it assumes hackers can't take over the update process and misuse it. This process is normally a very tightly controlled process, so this is unusual. I can imagine many vendors are now triple-checking to make sure they don't end up being an attack vector,” he explained.
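The “tightly controlled process” Woodward refers to rests on the update client verifying what it downloads rather than trusting the server. The following is an added illustration, not code from the article or from the MEDoc software: an update client that accepts a package only if a signed manifest checks out, the version is newer than what is installed (anti-rollback), and every delivered file matches the digest the signed manifest lists. All file names, versions and the key are constructed sample values, and an HMAC over the manifest stands in for the vendor's asymmetric code signature, whose private key should live offline with the signer and never on the update server.

```python
import hashlib
import hmac
import json

# Constructed sample key. In a real deployment the vendor's code-signing key
# is asymmetric and only the public half ships inside the client; HMAC with a
# signer-held secret stands in for that signature here.
SIGNING_KEY = b"vendor-offline-signing-key (constructed sample)"
INSTALLED_VERSION = (10, 1, 175)  # constructed sample version


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict) -> str:
    # Performed by the vendor's signing step, not by the update server.
    return hmac.new(SIGNING_KEY, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, files: dict):
    """Return (accepted, reason); the first failed check rejects the update."""
    # 1. Signature over the manifest: a compromised server that merely swaps
    #    payloads cannot produce this without the signing key.
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return False, "manifest signature invalid"
    # 2. Anti-rollback: a signed but older package must not be re-installed.
    if tuple(manifest["version"]) <= INSTALLED_VERSION:
        return False, "version not newer than installed"
    # 3. Exactly the files the manifest lists, each matching its digest.
    expected = manifest["files"]
    if set(files) != set(expected):
        return False, "file set differs from manifest"
    for name, data in files.items():
        if not hmac.compare_digest(sha256_hex(data), expected[name]):
            return False, f"digest mismatch for {name}"
    return True, "ok"


# Constructed legitimate release as the vendor would publish it.
GOOD_FILES = {"app.exe": b"legitimate build bytes", "helper.dll": b"legitimate dll bytes"}
GOOD_MANIFEST = {
    "version": [10, 1, 176],
    "files": {name: sha256_hex(data) for name, data in GOOD_FILES.items()},
}
GOOD_SIG = sign_manifest(GOOD_MANIFEST)


def demo_swapped_payload():
    # Server-side tampering: the binary is replaced, manifest left untouched.
    files = dict(GOOD_FILES)
    files["app.exe"] = b"replaced build bytes"
    return verify_update(GOOD_MANIFEST, GOOD_SIG, files)


def demo_rewritten_manifest():
    # Tampering that also rewrites the digests; the old signature no longer fits.
    files = dict(GOOD_FILES)
    files["app.exe"] = b"replaced build bytes"
    manifest = {"version": [10, 1, 176],
                "files": {name: sha256_hex(data) for name, data in files.items()}}
    return verify_update(manifest, GOOD_SIG, files)


def demo_rollback():
    # A genuinely signed but older release must still be refused.
    manifest = dict(GOOD_MANIFEST)
    manifest["version"] = [10, 1, 175]
    return verify_update(manifest, sign_manifest(manifest), GOOD_FILES)


if __name__ == "__main__":
    print(verify_update(GOOD_MANIFEST, GOOD_SIG, GOOD_FILES))
    print(demo_swapped_payload())
    print(demo_rewritten_manifest())
    print(demo_rollback())
```

The order of checks matters: the signature is verified before anything in the manifest is trusted, so the version and digest fields are only consulted once they are known to come from the signer. Constant-time comparisons are used throughout so the verifier does not leak how much of a digest or signature matched.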
As reported by NPR, this ransomware “demands a $300 Bitcoin payment to retrieve encrypted files and hard drives” and has received (as of Thursday morning) close to $10,500.
More specifically, NPR explains in detail how this new attack takes place:
“Petya has the ability to worm through computer networks, gathering passwords and credentials and spreading itself. After a self-imposed delay of at least 10 minutes, the malware uses a reboot to encrypt files. At that point, users see a fake black-and-white "CHKDSK" message on their screen that claims an error has occurred and that the system is checking the integrity of the disk. This is the last chance, security experts say, for users to power down their computers and protect their files before they're encrypted and held for ransom.”
Was It Ransomware or a Politically Motivated Attack?
Given the low amounts of ransom requested from infected computers, however, analysts suspect this attack was politically motivated.
For instance, the anonymous information security researcher the grugq believes the attack was not intended to collect ransom, given its poorly designed “payment pipeline.”
“This was a straightforward cyber attack with a target space of basically every company that does business in Ukraine,” he writes.
Additionally, Anton Ivanov and Orkhan Mamedov, blogging for AO Kaspersky Lab, explain that, taking into account the malware campaign’s design, “this is the worst-case news for the victims – even if they pay the ransom they will not get their data back,” and it “reinforces the theory that the main goal of the [Petya] attack was not financially motivated, but destructive.”
Fortune summarized these thoughts nicely: “A growing consensus among security researchers, armed with technical evidence, suggests the main purpose of the attack was to install new malware on computers at government and commercial organizations in Ukraine. Rather than extortion, the goal may be to plant the seeds of future sabotage, experts said.”
Victims of this latest malware attack include Ukrainian banks, American law firm DLA Piper, Russian oil company Rosneft, BNP Paribas Real Estate, shipping company A.P. Moller-Maersk, port operators in Rotterdam, Mumbai and Los Angeles, and UK-based advertising firm WPP, among a host of others.
However, as reported by The Washington Post, “researchers at Kaspersky Lab’s Global Research and Analysis Team, in Russia, estimated that 60 percent of infected computers were in Ukraine and 30 percent in Russia.”