[BreachExchange] This Ukrainian Company Is Likely Behind the Ransomware Wave

Destry Winant destry at riskbasedsecurity.com
Thu Jun 29 02:28:28 EDT 2017


http://fortune.com/2017/06/27/petya-ransomware-ukraine-medoc/

MeDoc, a little-known Ukrainian firm, is likely the primary source for
the global ransomware attack that tore through corporate networks on
Tuesday, according to cybersecurity researchers.

MeDoc is a financial tech company that makes accounting software to
help people and businesses process taxes. Security researchers said
that hackers seemed to have breached the company's computer systems
and compromised a software update that was pushed to its customers on
June 22.

"Attention! Our server made a virus attack," the company wrote Tuesday
in an update on its website (translated from Russian to English via
Google Translate). "We apologize for the inconvenience!"

(The company did not immediately respond to Fortune's request for comment.)

The ransomware wave paralyzed computer systems at Danish shipping
giant Maersk, British ad agency WPP, Russian oil giant Rosneft, U.S.
pharma giant Merck (MRK, -0.58%), and others.

After landing on victims' machines, the malicious software then spread
stealthily across networks through a vulnerability in Microsoft
Windows, which Microsoft (MSFT, +0.85%) released patches for in March.
Companies that did not apply the patch—sealing a hole exploited by a
leaked hacking tool associated with the U.S. National Security
Agency—were vulnerable.

Additionally, the malware spread by harvesting usernames and passwords
from infected computers. Should one of these computers happen to have
had administrative privileges, that login information could be used
to take over other machines on the network managed under the same
credentials.

The timing and initial target of the attack, MeDoc, are sure to provoke
speculation that an adversary of Ukraine might be to blame. The
ransomware hid undetected for five days before being triggered a day
before a public Ukrainian holiday that celebrates the nation's
ratification of a new constitution in 1996.

"Last night in Ukraine, the night before Constitution Day, someone
pushed the detonate button," said Craig Williams, head of Cisco's
(CSCO, +1.07%) Talos threat intelligence unit. "That makes this more
of a political statement than just a piece of ransomware."

"It's very clear that whoever was behind this would somehow benefit
from causing significant amount of negative business impact on
Constitution Day," Williams added.

Obvious candidates come to mind—including Moscow or pro-Russian
hackers, for example—though it is still too early to begin pointing
fingers in terms of attribution. More details are sure to come to
light in coming days as security researchers continue digging into the
attack code and search for its perpetrators.

Williams added that his team has found no other initial vector than
MeDoc as yet. Researchers at Kaspersky Labs, a Russian antivirus firm,
also noted the link to MeDoc in their write-up of the incident, as did
several other researchers.
