Fraud Management & Cybercrime , Incident & Breach Response , Managed Detection & Response (MDR)

Police Seize Backdoored Firm's Servers to Stop Attacks

NotPetya Attackers Drain Bitcoin Wallet Filled With Unanswered Ransom Payments
Police Seize Backdoored Firm's Servers to Stop Attacks
Seized M.E. Doc servers. (Source: Ukrainian police)

Police in Ukraine have seized servers operated by the Kiev-based Intellect Service to disrupt what they said was an imminent malware attack. Intellect Service develops M.E. Doc accounting and bookkeeping software used by 80 percent of businesses in Ukraine.

See Also: Enhancing Cyber Defense with AI-Powered SOCs

Researchers at Slovakian security firm ESET, tracing the May 27 outbreak of NotPetya - aka ExPetr and Diskcoder.C, among other names - found that "a very stealthy and cunning backdoor" had been added to the source code of at least three versions of M.E. Doc that were then automatically distributed via Intellect Service's update server to its 400,000 customers. Malware researcher Anton Cherepanov at ESET said attackers were able to access the backdoor and push malware to PCs, including NotPetya (see NotPetya Patient Zero: Ukrainian Accounting Software Vendor).

Intellect Service has denied any wrongdoing. In a message to customers posted on its Facebook page, it promised to restore updating services within 24 hours, following the seizure of its servers.

Ukraine Interior Minister Arsen Avakov said in a Facebook post that national cybercrime police seized the servers Tuesday after "new activity" was detected beginning at 1:40 p.m. Kiev time (10:40 GMT), which police blocked. "The attack was stopped," said Avakov, who like other Ukrainian officials has blamed the attack on Russia. Officials in Russia, however, have denied those allegations.

Police spokeswoman Yulia Kvitko tells Associated Press that the server seizure was made as the M.E. Doc update servers were sending updated software to users and suggested that the quick action had disrupted attackers' attempts to distribute yet more backdoored software.

Video posted by Ukraine police, showing the M.E. Doc server seizure.

Citing related research by ESET and Microsoft, Ukraine's national cyber police force, in a Wednesday statement, urged everyone "to stop using the M.E. Doc software and turn off the computer on which it is installed." In addition, it recommended changing all related passwords and digital signatures, "due to the fact that this data could be compromised," and promised to soon release instructions for identifying if the software had been used to install a backdoor on a PC.

Security firms say about 70 percent of all NotPetya infections hit Ukrainian businesses, government agencies and individuals. While related damage is still being tallied, Ukraine Infrastructure Minister Volodymyr Omelyan tells AP that his department alone faces "millions" in related costs, adding that hundreds of his agency's workstations were disabled and two of its six servers compromised.

Firms in other countries were also affected, including law firm DLA Piper, Danish shipping giant Maersk, Russia oil producer Rosneft and British advertising firm WPP (see Police in Ukraine Blame Russia for NotPetya).

Criminal Charges Could Be Filed

Police say employees at Intellect Service could face criminal charges if they knew their software had been backdoored, but failed to respond properly.

The M.E. Doc software logo.

Intellect Service was first warned by anti-virus firms that a backdoor had been added to its software - and used to distribute XData ransomware - on May 18, police say. Ukraine Interior Minister Arsen Avakov said Wednesday that those attacks appear to have begun May 15.

But the software company, in a May 22 statement cited by police, claimed the attack reports were "erroneous" and that the outbreak was a "coincidence."

The statement was subsequently deleted from the software company's website.

Attacks that trace to the company's software appear to predate the XData and NotPetya campaigns. "This company has long history of security breaches," ESET's Cherepanov says via Twitter, pointing to a 2015 statement the company issued about a previous piece of malware that appeared to target or leverage the M.E. Doc software.

Fake WannaCry Distributed via M.E. Doc

To that tally, add yet another attack. Security researchers at Moscow-based cybersecurity firm Kaspersky Lab reported Tuesday that ransomware designed to look like WannaCry, which it calls FakeCry, was also distributed via backdoors in M.E. Doc software. The ransomware hit a number of firms in Ukraine, including at least one power supplier, officials say (see Ukraine Power Supplier Hit by WannaCry Lookalike).

"Unfortunately, ExPetr/Petya was not the only ransomware that was distributed via MeDoc updates on June 27," Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov write in a blog post. "In parallel, another ransomware, FakeCry, was also distributed to MeDoc users at exactly the same time as ExPetr/Petya. Our telemetry shows about 90 attacked organizations received the FakeCry ransomware, almost all in Ukraine."

In the attacks, a software program sent by attackers to the backdoor in M.E. Doc installations "acts as a dropper for a ransomware module," which is FakeCry, the researchers say.

A look at the FakeCry code: "In what we believe to be a false flag, it pretends to be 'made in China,'" according to Kaspersky Lab.

Based on the blockchain address associated with related ransom payments, it appears that the first FakeCry attacks date from around June 26, one day before the NotPetya outbreak was launched.

According to a teardown of the code published last week by the security research group known as MalwareHunter Team, while the ransomware's countdown timer looks the same as WannaCry, all of the code is different.

The bitcoin wallet tied to FakeCry has so far received seven payments, totaling 0.51 bitcoins, worth $1,300, of which 0.41 bitcoins have been withdrawn, worth $1,050.

NotPetya Attackers Cash Out

Whoever launched the "NotPetya" ransomware attack has also drained the bitcoin wallet containing approximately $10,000 worth of bitcoins paid by 55 victims of the ransomware in return for the promise of receiving a decryption key (see Please Don't Pay Ransoms, FBI Urges).

Unfortunately, security experts say, NotPetya's developers failed to create a unique ID for each infected system, meaning that they could not generate decryption keys tied to every individual victim, even if those victims do pay. Security experts continue to debate whether the malware was coded that way by mistake. Alternatively, it could have been done on purpose, for example, to make a disk-wiping campaign appear to be ransomware (see Latest Ransomware Wave Never Intended to Make Money).

Private Key Promise

There is, however, one big caveat: Whoever launched the attacks could, in theory, release the master encryption key they used, thus allowing security researchers to build a decryption key for potential use by many victims.

And on Tuesday, hackers claiming that they launched NotPetya surfaced, saying via posts to DeepPaste and Pastebin that they would share a private master key that would allow anyone to decrypt file encrypted by NotPetya - provided it wasn't a boot disk. They set the price for the private key at 100 bitcoins, currently worth $258,000. Unusually, however, they posted no bitcoin address via which the payment could be remitted.

The post to DeepPaste.

Finnish security firm F-Secure said Tuesday that "file decryption should be possible," if this private key were obtained, and if it was real. But there are some caveats, for example, relating to how the malware may have encrypted some files twice or destroyed a disk's master file table, or MFT. If that were to happen, disks would be left unrecoverable, even if the private key was obtained, the security firm says.

But was the private key being offered for sale legitimate? Asked that question, the hackers behind the post told Motherboard that they would decrypt a NotPetya-encrypted file to prove their bona fides. But when provided with such a file by the publication, working with security experts, the purported NotPetya hackers failed to deliver.

Scam Alert

In other words, the private-key offer appears to be either a ruse, or a case of attackers playing with their victims.

"This is a fear, uncertainty and doubt case," security expert Matt Suiche, managing director of Dubai-based incident response firm Comae Technologies, tells Motherboard. Rather than an attempt by outside scammers to cash in on NotPetya, however, he suspects that the attackers themselves may be "trolling journalists" by continuing to pretend that NotPetya was ransomware launched by a cybercrime group, rather than simply being a disk-wiping campaign, perhaps launched by a nation-state.

"This is a clear attempt from the attackers to try to further confuse the audience, by changing the wiper narrative into a ransomware one again," Suiche says.

In a subsequent interview with Information Security Media Group, Suiche says many systems crypto-locked with NotPetya are not recoverable. And he said the posters' failure to provide a bitcoin address for receiving the 100 bitcoins is further evidence of the private key promise being bogus. "Computers which had administrator rights had their MBR [master boot record] replaced or erased and their MFT encrypted so they would not even be able to retrieve encrypted files," he says. "So it doesn't matter, that's why it's most likely a disguise."

Update (July 6): Multiple security experts have confirmed that the attackers do have access to the private key used with NotPetya. Likewise, Motherboard reports that attackers successfully decrypted one file that they had provided to test the hackers' claims. In theory, says security researcher Marcus Hutchins, aka MalwareTech, for anyone with the private key, "you can decrypt all files, as long as the MFT isn't corrupted and they're in same order they were encrypted."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.