Ukraine Police Seize Servers, Blame Software Firm for 'Petya'

Ukrainian police have seized equipment from the company behind the country’s most popular accountancy software and said it will face criminal charges after confirming a ME Doc update was the source of last week’s ‘Petya’ ransomware epidemic.

Intellect Service, a small family-run business, has denied its software was used to spread the malware.

However, a new report from Ukrainian police cybercrime specialists suggests hackers carried out a classic supply chain attack on the company, infecting a recent update which was sent out to users of the software. Microsoft and others agree.

According to the BBC, around 80% of Ukrainian businesses use ME Doc.

Claiming “new activity was recorded today”, Ukrainian law enforcers said they’d conducted searches at Intellect Service and have seized equipment both for further analysis and in a bid to shut down any renewed attempts to prevent further “uncontrolled proliferation” of the malware.

Head of the country’s national cybercrime unit, Serhiy Demydiuk, told AP that the owners had been warned about security risks before.

“They knew about it,” he told the newswire. “They were told many times by various anti-virus firms. ... For this neglect, the people in this case will face criminal responsibility.”  

It is believed that whoever masterminded the attack – which Ukrainian officials have blamed on Russia – intended it to look like ransomware to cover up what was in fact a destructive attack designed to cause chaos in the country.

Once initial Ukraine-based firms were infected via the malicious ME Doc update, it’s thought to have spread globally thanks to multi-nationals with VPN links into satellite offices or business partners in the country.

Eset believes the attackers “underestimated the spreading capabilities” of the malware, which is designed to alter a victim machine’s Master Boot Record (MBR) so that it can’t be recovered.

Those firms, including UK ad giant WPP, Danish shipper Maersk and global law firm DLA Piper, are only now beginning to recover from the incident. 

What’s Hot on Infosecurity Magazine?