Petya/GoldenEye Virus racketeer

Distribution in Russia

Britain, the USA and Australia officially accused Russia of NotPetya distribution

On February 15, 2018 the Ministry of Foreign Affairs of Great Britain made the official statement in which it accused Russia of the organization of cyber attack using the NotPetya virus encoder.

The government of the United Kingdom came to a conclusion that the Russian government institutions, namely — the Russian military, bear responsibility for destructive cyber attack of NotPetya in June, 2017.

Deputy head of the British Foreign Ministry concerning cyber security Tarik Ahmad

According to the British authorities, this attack showed further neglect in relation to sovereignty of Ukraine, and as a result of these reckless actions work of a set the organization for the whole Europe was broken that led to multimillion losses.

The Kremlin opposes Russia to the countries of the West, but it shall not be so. We urge Russia to be the responsible participant of the international community which it considers itself, but not to try to undermine secretly its foundations, said in the statement on behalf of the deputy head of the British Foreign Ministry concerning cyber security Tariq Ahmad.[1]

The Ministry noted that the output about participation in cyber attack of the Russian government and the Kremlin was made on the basis of the conclusion of the National center of cyber security of Great Britain (UK National Cyber Security Centre) which "is almost completely confident that behind the attack of NotPetya there are Russian military". Also in the statement it is said that Great Britain and its allies will not undergo harmful cyberactivity.

According to the Minister of cases of law enforcement agencies and cyber security of Australia Angus Taylor, on the basis of these Australian intelligence agencies and also consultations with the USA and Great Britain, the Australian government concluded that responsibility for an incident is born by the malefactors supported by the Government of the Russian Federation. "The Australian government condemns behavior of Russia which creates serious risks for world economy, government transactions and services, business activity and also security and wellbeing of individuals", - follows from the statement.

The Kremlin which was earlier already repeatedly denying any participation of Russian authorities in the hacker attacks called the statement of the British Foreign Ministry a part of "a Russophobic campaign"

We absolutely reject similar charges, we consider them unproved, groundless. It nothing else as continuation besides Russophobic campaign which is not based on any proofs, - the Russian President's Press Secretary Dmitry Peskov told journalists.[2]

The monument "Lies the computer virus of Petya defeated by people 6/27/2017 here"

Monument to a computer virus of Petya set in December, 2017 near the Technopark building Skolkovo. A two-meter monument, with a text: "Here the computer virus of Petya defeated by people 6/27/2017 lies". executed in the form of the bitten hard drive, it was created with assistance of Invitro company, among other companies of the massive cyber attack which was injured from effects. The robot by the name of Niu who works in Fiztekhparka and the Moscow Institute of Technology (MIT) specially arrived to a ceremony to deliver a solemn speech.

Attack to the government of Sevastopol

Specialists of Head department of informatization and communication of Sevastopol successfully reflected an attack of the network Petya virus encoder on servers of the regional government. On July 17, 2017 at a hardware meeting of the government of Sevastopol the head of department of informatization Denis Timofeev reported about it.

He said that the malware Petya did not influence the data which are stored on computers in public institutions of Sevastopol in any way.

The attack of a virus was ineffectual in many respects because we use solutions based on Linux, - Timofeev explained. - The problem was quickly contained, all defects it was succeeded to eliminate, and data did not suffer.

The official added that some users on screens had a terrible warning, but in general it was succeeded to get off "light"^[3].

The Petya virus attacked the government of Sevastopol

Focus on use of the free software is put in the concept of the informatization of Sevastopol approved in 2015. In it it is specified that during the purchasing and development of basic software and also software of information systems for automation it is reasonable to analyze a possibility of use of the free products allowing to cut down budgeted expenses and to reduce dependence on suppliers and developers.

Earlier, at the end of June, within a large-scale attack to medical company "Invitro" also the branch its branch located in Sevastopol suffered. Because of damage of a virus of a computer network the branch temporarily suspended issue of analysis results before elimination of the reasons.

Invitro announced suspension of acceptance of analyses because of cyber attack

The medical company "Invitro" suspended collecting of biomaterial and issue of analysis results of patients because of the hacker attack on June 27. This RBC was declared by the director of corporate communications of the company Anton Bulanov.

As stated in the message of the company, in the nearest future Invitro will pass into the normal mode of work. Results of the researches conducted after this time will be brought to patients after elimination of technical failure. At the moment the laboratory information system is recovered, there is a process of its setup. ​ "We regret for the developed force majeur situation and we thank our clients for understanding" — concluded in Invitro.

According to these data, the attack of a computer virus clinics in Russia, Belarus and Kazakhstan underwent.

Attack to Gazprom and other oil and gas companies

On June 29, 2017 it became known of global cyber attack to computer systems of Gazprom. Thus, one more Russian company suffered from the Petya virus racketeer.

According to Reuters news agency with reference to a source in the Russian government and the person who was involved in investigation of an incident, Gazprom suffered from distribution of the malware Petya which attacked computers in total more than in 60 countries of the world.

According to media, the Petya virus infected computer systems of Gazprom

Interlocutors of the edition did not provide details about that how many and what systems were infected in Gazprom and also about the extent of damage caused by hackers. The company refused comments at the request of Reuters.

Meanwhile, the high-ranking source of RBC in Gazprom reported the edition that computers at the central office of the company worked trouble-free when the large-scale hacker attack began (on June 27, 2017), and continue two days later. Two more sources of RBC in Gazprom were also assured that in the company "everything is quiet" and there are no viruses.

In an oil and gas sector Bashneft and Rosneft suffered from the Petya virus. The last said on June 28 that the company operates normally in, and "separate problems" are quickly solved.

Rosneft stated that its servers underwent "the powerful hacker attack". About it the company wrote^[4] On June 27, 2017 on the Twitter. Upon cyber attack the company addressed to law enforcement agencies.

Computers of Rosneft were affected by the virus similar on the action to WannaCry, told^[5] of RBC the interlocutor in law enforcement agencies. He added that networks of under control Rosneft of Bashneft underwent the same attack.

Sources of Vedomosti add that all computers in Bashneft Oil Refinery, Bashneft Production and management of Bashneft "at one time rebooted then downloaded the unspecified software and displayed a WannaCry virus welcome screen". The edition notes that on the screen users had a message with the offer to transfer $300 in bitcoins to the specified address then the key for an unblocking of computers will be sent to users on e-mail. Also it is emphasized that the virus ciphered all data on the user computers.

The source of RBC in Rosneft confirmed information that on screens of computers of staff of the company the message with a virus appeared. In Bashneft such screen is highlighted only on a part of computers. Bashneft also asked all to switch off computers.

In the same day the attacks the Arbitration court of Bashkiria completed a meeting at which considered the claim of Rosneft and Bashneft under control of it to AFK "Sistema" and Sistema-Invest for collecting 170.6 billion rubles which as the oil company claims, Bashneft incurred in the form of losses as a result of reorganization in 2014.

According to RBC, the situation in Bashneft was not normalized by June 29, 2017.^[6]

Banks and industry

It became known of infection of computers in Evraz, the Russian department of Royal Canin company (the form makes for animals) and the Russian division of Mondelez company (the producer of Alpen Gold chocolate and Milka).

The Bank of Russia also announced cyber attacks to the Russian credit institutions which did not lead to violations in work of banks.

On June 27, 2017 Home Credit detected attempts of violation of the cyber defense "on a limited number of bank computers". However based on check it became known that the main banking and payment system of bank was not affected by the Petya virus racketeer.

Distribution in Ukraine

The virus attack in Ukraine. In one picture

The Petya virus infected computer systems of the large Ukrainian companies and organizations, including Oschadbank Ukrgazbank, Pivdenny bank, OTR bank Taskombank. Also main Ukrainian mobile operators Ukrainian railroads, state enterprise Antonov, Ukrpochta and Kiyevvodokanal Boryspil airport Kiev subway, computer systems of the cabinet and the website underwent the attack governments of Ukraine.

The Petya virus encoder infected computers of the Chernobyl nuclear power station. As a result of the hacker attack the website of ChASE was unavailable, electronic document management ceased to work, and radiation monitoring was transferred to the manual mode. At the same time the shift supervisor of the CNPP Vladimir Ilchuk reported that there is no radiation threat because of cyber attack.

The Ukrainian cyberpolice identified the distributor of NotPetya

Staff of department of counteraction of cyber crime in the Chernihiv region of the Kiev Management of cyberpolice of Department of cyberpolice of NP of Ukraine announced identification of the malefactor extending racketeering NotPetya software (it is also known as Petya.A). The 51-year-old resident Nikopol of the Dnipropetrovsk^[7] was him^[8][9].

According to the message of the Ministry of Internal Affairs of Ukraine, the man on file exchange platforms and on social networks posted video with the detailed description of process of start of racketeering software on computers. In comments on a roller the man posted the link to the page in social network on which he loaded the malware. During searches in the apartment of "hacker" law enforcement authorities withdrew the computer equipment used for NotPetya distribution. Also police officers detected files with the malware after which analysis its similarity to the racketeer of NotPetya was confirmed. As the staff of cyberpolice set, the racketeering program, the link to which published nikopolchanin, was loaded by users of social network of 400 times.

Among the loaded NotPetya law enforcement authorities revealed the companies intentionally infecting the systems with racketeering software for concealment of criminal activity and deviation from payment of penalties to the state. It should be noted that the police do not connect activity of the man with the hacker attacks on June 27 this year, i.e., about his any participation in authors of NotPetya the speech does not go. The acts imputed to it concern only the actions made in July of the current year - after a wave of large-scale cyber attacks.

Concerning the man criminal case according to Part 1 of Article 361 (unauthorized intervention in work of a computer) is brought by UK of Ukraine. Threatens Nikopolchanin up to 3 years of imprisonment.

Distribution in the world

Spread of the Petya virus racketeer is recorded in Spain, Germany, Lithuania, China and India. For example, because of the malware in India technologies of management of a cargo flow of container port of Jawaharlal Nehru which operator is A.P. Moller-Maersk ceased to distinguish accessory of loads.

Cyber attack was announced by the British advertizing WPP group, the Spanish representative office of one of the world's largest law companies DLA Piper and food giant Mondelez. Among the construction materials Cie which were injured also French producer. de Saint-Gobain and Merck & Co pharmaceutical company.

According to Eset, the Petya virus gained the greatest distribution in Ukraine. Ten the countries which were affected most sensitively by a virus included also Italy, Israel, Serbia, Hungary, Romania, Poland, Argentina, the Czech Republic and Germany. Russia appeared on the 14th place.

The Petya virus racketeer reduced Saint-Gobain revenue by 1%

Saint-Gobain expects falling of revenue for January — June, 2017 for 1% because of the attack of the computer Petya virus racketeer. It is said in the official statement of the French producer and distributor of building materials. The damage in absolute digits is not reported yet, the called assessment also not final.

The group recognized that it fell a victim of the attack on June 27. As a result of an incident no personal data are opened, and the company does not expect its any influence on a business activity in the future, noted in Saint-Gobain. After the attack of Petya all were closed 11 hardware stores of Ehituse ABC network belonging to concern in Estonia, wrote RIA Novosti. Most likely, the damage was not limited to it.

According to the results of the first quarter of this year revenue Saint-Gobain made 9.937 billion euros. In comparison with the same period of last year the indicator grew by 8.8%, the company reported earlier. Revenue size for the first half of the year of the 2017th will be sounded on July 27.

Mitigation of consequences

Mondelez

In January, 2019 the producer of Mondelzz food submitted a claim to the insurance company Zurich Insurance for failure to pay $100 million for the damage caused by the NotPetya virus. This case will become the first serious jurisdictional dispute about a covering of expenses on cyber attack. Read more here.

Merck

The American pharmaceutical giant Merck strongly injured with the June attack of the NotPetya virus encoder cannot still recover all systems and return to a normal operation mode. It is reported in the report of the company on form 8-K submitted in the U.S. Securities and Exchange Commission (SEC) at the end of July, 2017. Read more here.

Moller-Maersk and Rosneft

On July 3, 2017 it became known that the Danish navigable   giant Moller-Maersk and Rosneft recovered the IT systems infected with the Petya virus racketeer only nearly a week later after the attack which happened on June 27.

Today at last we can resume work of our key applications. We can tell with big confidence that we never faced anything similar therefore are very glad that reached before completely to return to online. We thank those many people who offered the help. The flexibility shown by them was Maersk shaking, said in the statement of July 3, 2017 (the quote by Reuters).

The Danish navigable giant Moller-Maersk recovered the infected Petya of the IT system only in a week

The Maersk shipping company to which share every seventh cargo container sent in the world falls also added that all 1500 applications injured with cyber attack will return to full-time job at most by July 9, 2017.

IT systems of the belonging Maersk of APM Terminals company which manages work of dozens of cargo ports and container terminals in more than 40 countries suffered mainly. A day over 100 thousand cargo containers, pass through APM Terminals ports which their work was completely paralyzed because of spread of a virus. The Maasvlakte II terminal in Rotterdam recovered deliveries on July 3.^[10]

On August 16, 2017 A.P. Moller-Maersk called the approximate amount of damage from cyberattack by means of the Petya virus, infection with which as noted in the European company, passed through the Ukrainian program. According to predesigns of Maersk, financial losses from action of the encoder of Petya in the second quarter of 2017 were from 200 to 300 million dollars.

Meanwhile, nearly a week on recovery of computer systems from the hacker attack was required also to Rosneft what on July 3 announced in the press service of the company reported Interfax:

The retail network of the company operates normally. Operation of the cash equipment on implementation of oil products at all gas stations of the company is completely recovered.

Emphasized with several days before Rosneft that does not undertake to assess the cyber attack consequences yet, but production did not suffer.

There are separate problems which quickly are solved. The company operates normally. The situation is under control. Assess the cyber attack consequences still prematurely — the company stated.[11]

Petya operation principle

The new generation of viruses is dangerous that the ordinary antivirus will not always be able to save from it the computer. The matter is that malefactors extend malwares bypassing an antivirus, using critical vulnerability in SMBv1 protocol of a security system MS17-010. Also the antivirus can ignore the malware if the user independently activates the file with the .exe expansion which under the guise of the working letter came on June 27 from the address: wowsmith123456@posteo.net

The analysis of a sample of the racketeer which is carried out by experts of Positive Technologies showed that the operation principle of Petya is based on enciphering of the master boot record (MBR) of the boot sector of a disk and replacement its own. This record — the first sector on the hard drive, in is mute the partition table and the program loader which is reading out information on from what hard drive partition there will be a loading of a system from this table is located. Initial MBR remains in 0×22-ом the sector of a disk and is ciphered using the byte transaction XOR with 0×07.

After start of the harmful file the task on restart of the computer postponed for 1-2 hours is created, at this time it is possible to manage to start the bootrec/fixMbr command for recovery of MBR and to recover operability of OS. Thus, it is possible to start a system even after its compromise, however it will not be possible to decrypt files. For each disk the AES key which exists in memory before completion of enciphering is generated. It is ciphered on public key of RSA and is removed. Recovery of contents after end requires knowledge of private key, thus, without knowledge of a key given it is impossible to recover. Presumably, the malware ciphers files at most on depth of 15 directories. So the files attached deeply are in security (at least for this modification of the encoder).

If disks were successfully ciphered after reset, the window with the message about the requirement to pay the redemption of $300 (for June 27, 2017 — about 0.123 bitcoins) for receiving a key of an unblocking of files is displayed. For money transfer bitcoin wallet 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX is specified. In several hours after the beginning of the attack on a purse transactions already arrive, multiple to the requested amount — some victims preferred to pay the redemption, without waiting until researchers study a malware and will try to find a recovery tool of files.

Petya uses 135, 139, 445 TCP ports for distribution (using services SMB and WMI). Distribution in network on other nodes happens by several methods: using Windows Management Instrumentation (WMI) and PsExec and also using the exploit using vulnerability of MS17-010 (EternalBlue). WMI is a technology for centralized operation and tracking work of different parts of computer infrastructure running the Windows platform. PsExec is widely used for administration of Windows and allows to execute processes in the remote systems. However for use of these utilities it is necessary to have the privileges of the local administrator on the computer of the victim, so, the encoder can continue the distribution only from those devices which user has the maximum privileges of OS. The EternalBlue exploit allows to receive the maximum privileges on a vulnerable system. Also the encoder uses the public Mimikatz utility for obtaining in open form credentials of all users of Windows OS, including local administrators and domain users. Such set of tools allows Petya to save working capacity even in those infrastructures where the lesson WannaCry was considered and the corresponding security updates for this reason the encoder is so effective are set.

Thus, Petya has the functionality allowing it to extend to other computers, and this process avalanche. It allows the encoder to compromise including the domain controller and to develop the attack before receiving control over all nodes of the domain that is equivalent to a complete compromise of infrastructure.

Who in a risk zone

By estimates of DriverPack, more than 35% of users in Russia are still defenseless against a virus. Users of operating systems are subject to the greatest threat Windows 10, not set the last update from Microsoft and leaving opened SMB ports is younger. According to analytical data of the company, more than 18% of users work at non-licensed Windows OS that automatically threatens them, at 23% the Windows Update service is disconnected, and for 6% of computers outdated operating systems for which updates are not released in principle are installed.

The widespread myth says that the purpose of a virus is only the corporate sector. And it is valid, the wave of the attacks affected on June 27 only large banks, the oil companies and the international corporations. However all this does not mean that normal users in security. Just the opposite, in corporations there are already adjusted security systems, fayervola and own IT specialists while most of ordinary users do not pay due attention to the network security and can become an easy mark for criminals.

It will not be possible to decipher

At victims of the new Petya virus chances to recover files were not initial. Experts from Kaspersky Lab say about it.

Really, victims of a virus cannot unblock the files after infection. The matter is that his creators did not provide such opportunity in general. So the ciphered disk a priori does not give in to decoding. In the identifier of the malware there is no information necessary for interpretation.

Initially experts ranked the virus which affected about two thousand computers in Russia, Ukraine, Poland, Italy, Great Britain, Germany, France, the USA and other countries as already famous family of racketeers of Petya. However it turned out that it is about new family of the malware. Kaspersky Lab christened the new encoder of ExPetr.

How to fight

Fight against cyberthreats requires consolidation of efforts of banks, IT-Business and the state

The Central Bank of the Russian Federation declared high degree of protection against cyberthreats of a banking system of the country in general. As noted in FinCERT (FINTSERT) of the Bank of Russia, as a result of the attacks of the WannaCry and Petya viruses encoders isolated cases of "a compromise of information resources of credit institutions" which effects were quickly eliminated were recorded.

According to the statistical data published by the Central Bank of the Russian Federation according to the results of the first half of the year 2017 from accounts of individuals about 4 times less funds, than for the same period of last year were stolen; at the same time plunders from accounts of legal entities decreased more than three times.

The Central Bank of the Russian Federation expects to minimize within three years losses from embezzlement by cyberswindlers. However, to perform promised, the regulator should make efforts as, according to the experts in the field of cyber security, the number of the attacks to banks will grow approximately for 30% annually in the nearest future, specified in Tserikh Capital Management.

"The digital nature of economy creates additional risks of business as possibilities of cybercriminals constantly extend, and methods of their work are from year to year improved. Thus, counteraction to cyberthreats becomes that direction of security which needs to be developed first of all" — Oleg Yakushev, the expert of Tserikh Capital Management considers.

In questions of information security banks should pay special attention to work with personnel as today the person remains the most vulnerable link in IT infrastructure, first of all — because of insufficiently high level of awareness on the existing threats. According to experts, not less than a quarter of employees of financial institutions are inclined to open potentially dangerous investments received by e-mail and also to perform operations which threaten information security of the company.

According to representatives of Tserikh Capital Management, successful solving of tasks of ensuring cyber security requires consolidation of efforts of the banking sector, IT developer and the state on behalf of the Central Bank of the Russian Federation as coordinator of all work.

It should be noted that the first steps are already taken in this direction: The Central Bank together with a number of profile departments works on creation of the online platform providing information and technical support for banking systems of cyber defense. The platform is going to start at the end of 2017 (read in article the National biometric platform in more detail).

Data recovery method from Positive Technologies

On July 7, 2017 the expert of Positive Technologies Dmitry Sklyarov provided a method of data recovery, ciphered by the NotPetya virus. According to the expert, the method is applicable if the NotPetya virus had administrative privileges and ciphered a disk entirely.^[12]

The possibility of data recovery is connected with the mistakes in implementation of encryption algorithm Salsa20 made by malefactors. The operability of a method is checked both on the test carrier, and on one of the ciphered hard drives of the large company which appeared among the victims of epidemic.

The companies and the independent developers specializing in data recovery can freely use and automate the provided scenario of interpretation.

"Data recovery from the hard drive by this technique requires application evristik and can take several hours — Dmitry Sklyarov, the head of department of the analysis of the Positive Technologies applications told. — Extent of recovery depends on many factors (from the size of a disk, extent of its filling and fragmentation) and can reach 100% for the disks of large volume containing many "public" files (the components of the operating system and software products identical by many machines)".

Recommendations of players of the market of security

On June 28, 2017 the American producer of antiviruses Symantec issued recommendations about fight against the Petya virus racketeer. According to the company, users need to imitate computer infection, having created the perfc file in "notepad" and having placed it in the Windows folder on disk C. When the virus gets to a system, it looks for this file and, having found it, stops work. The file name in a directory of C:\Windows\perfc should have no expansion.

The same recommendation is made by experts of Positive Texhnologies company. Besides, they note that the virus ciphers the master boot record (MBR) and gives a command to reboot in 1-2 hours and if to manage to start the bootrec/fixMbr command before reset (allows to recover MBR), then it is possible to recover operability of the operating system and to start it.

The message resulting from computer infection with the Petya virus

According to specialists of Kaspersky Lab not to fall a victim of the similar attack, experts recommend to update the Windows operating system and also to reduce to a minimum of privilege of users at workstations. If infection occurred, then you should not pay malefactors as there is no guarantee of recovery of operation of the computer after transfer of the redemption.

The Jet Infosystems company reported that it is possible to avoid infection with a virus in several ways:

1) Prohibit access on http to servers: french-cooking.com: 80 84.200.16.242:80 111.90.139.247:80 COFFEINOFFICE.XYZ:80

2) Prohibit mail investments and downloading of files with names: Petia.apx, myguy.exe, myguy.xls, Order-[any date] .doc

3) Set patches for Microsoft Office and Windows.

4) Configure IPS on blocking of exploits for MS17-010^[13]

Eternal Blues vulnerability scanner

The employee of Imperva company Elad Erez provided on June 28, 2017 the development designed to help users to define whether we will wound their computer before the EternalBlue SMB exploit.^[14]

The tool under the name Eternal Blues will allow to scan available computers and to check whether it is possible to operate vulnerability by means of specially created packets.

By clicking the SCAN button the utility begins to scan immediately network on existence of the endpoints vulnerable to the attacks using EternalBlue

According to the statement Hellas of Erez, in the theory Eternal Blues can be used not only for LAN, but for any network ranges. According to the expert, unlike programs of NMap (security scanner) and Metasploit (the tool for testing for penetration), the utility is addressed not to cybersecurity specialists, and, first of all, ordinary users and busy system administrators who need the simple solution working "in two clicks".

The vulnerability scanner of Eternal Blues is available to free downloading in the blog Hellas by Erez to omerez.com where he publishes the depersonalized statistics collected during scannings and additional details about operation of the tool.

Comparison with WannaCry

Experts of Eset say that for penetration of the coder into corporate network the exploit similar to EternalBlue which became the reason of mass nature of epidemic of WannaCry is used. At the same time the new virus is especially dangerous as it can infect computers on  which fresh OS  — for example are installed with Windows 10 whereas  WannaCry was implemented into  older versions.

Win32/Diskcoder trojan coder epidemic source. With Trojan (Petya. C)

According to anti-virus company ESET, malefactors compromised the accounting software of M.E.Doc widespread in the Ukrainian companies, including financial institutions. In particular, attacking got access to the server of updates M.E.Doc and with its help directed troyanizirovanny updates with automatic installation. Some corporate users set the infected updating of M.E.Doc, having laid the foundation for the attack which covered the countries of Europe, Asia and America.

According to the system of telemetry of ESET, the majority of operations of anti-virus products ESET NOD32 were the share of Ukraine, Italy and Israel.

The malware is new modification of the Petya family. The anti-virus products ESET detect it as Win32/Diskcoder. With Trojan. If this virus successfully infects the master boot record (MBR — Master Boot Record), it will cipher all hard drive. Otherwise, the program ciphers all files.

The coder extends by means of the EternalBlue SMB exploit which became the reason of mass nature of epidemic of WannaCry earlier. Further distribution in a local network is performed through PsExec. This combination causes rapid distribution of the malware.

For infection of corporate network one vulnerable computer on which security updates are not set suffices. With its help the malware will snare, will acquire the rights of the administrator and will extend to other devices.

Court against Intellect Service via whose servers the encoder extended

The Ukrainian firm Juscutum Attorneys Association addressed in the summer of 2017 victims of the encoder of NotPetya with an appeal to submit claims against other Ukrainian company — the Kiev Intellect-Service, the developer of popular accounting service M.E.Doc. Via servers of this company NotPetya, and extended later and two other malwares — XData and a certain clone of the encoder of WannaCry, reports the BleepingComputer edition^[15].

Results of investigation were already confirmed by the Ukrainian cyberpolice officers. Yuskutum is going to use conclusions of the investigation as the key proof in future process against Intellect-Service.

Process will have civil character. Independent investigation is made by law enforcement agencies of Ukraine. Their representatives already declared earlier a possibility of initiation of proceedings against the staff of Intellect-Service.

The company M.E.Doc said that the events — attempt of raider occupation of the company. The producer of the only popular Ukrainian accounting software considers that the search which went to the companies carried out by cyberpolice of Ukraine became a part on implementation of this plan.

Initial vector of infection with the coder Petya

The Eset company announced on July 4, 2017 that it managed to define an initial vector of infection with the coder Diskcoder.C (Petya). Experts of the company detected the difficult hidden backdoor implemented in one of the legitimate modules M.E.Doc. According to them, it is improbable that attacking executed this transaction without access to the source code of the program.

Having studied all updates of M.E.Doc released in 2017 researchers found out that at least three updates contained the module of a backdoor:

• 01.175-10.01.176 of April 14, 2017
• 01.180-10.01.181 of May 15, 2017
• 01.188-10.01.189 of June 22, 2017

Epidemic of Diskcoder.C (Petya) began in 5 days after an exit of harmful updating on June 22, specified in the company. Earlier, in May, 2017, Eset fixed activity of other coder — Win32/Filecoder.AESNI.C (XData). According to telemetry, it appeared on the computer after start of the software of M.E.Doc.

On May 17 there was an updating of M.E.Doc which is not containing the harmful module of a backdoor. Possibly, these can explain rather small number of infections of XData, believe in the companies. Attacking did not expect an update exit on May 17 and started the coder on May 18 when most of users already managed to set safe updating.

The backdoor allows to load and execute other malware in the infected system — initial infection with the coders Petya and XData was so performed. Besides, the program collects settings of proxy servers and e-mail, including logins and passwords from the M.E.Doc application and also company codes on EDRPOU (The unified state register of the enterprises and organizations of Ukraine) that allows to identify the victims.

"We should answer a number of questions — Anton Cherepanov, the senior virus analyst of Eset told. — How the backdoor is long used? What commands and malware, in addition to Petya and XData, were directed via this channel? What else infrastructures did compromise, but the cybergroup standing behind this attack did not use yet?".

On set of the signs including infrastructure, harmful instruments, schemes and the purposes of the attacks, experts of Eset established connection between epidemic of Diskcoder.C (Petya) and the Telebots cybergroup. It is reliable to define who stands behind activity of this grouping, did not work well yet.

Eset recommends to all users of M.E.Doc to change passwords of proxy servers and e-mail accounts.

See Also

Notes