The Petya ransomware that plagued companies in Europe on Tuesday may have stemmed from corrupted updates of a piece of accountancy software. Reports said that the Ukrainian tax-filing software M.E.Doc might have been the source of infection, but the company has denied these allegations.
According to the BBC, a number of security experts claim to have logs revealing M.E.Doc as the source. British malware expert Marcus Hutchins, who had been credited with ending the recent WannaCry ransomware outbreak, said that the software’s automatic update system was compromised: instead of delivering updates for the software, it was downloading and running malware.
Malware infiltrates networks via email attachments, aiming to fool users into opening them by mistake. The Petya ransomware, once it has taken over a computer, will encrypt important documents and files and then demand a ransom in Bitcoin; in this case, $300. If the ransom is not paid, the user risks losing all their files.
The cyberattack led to disruptions among infected companies in 64 countries, including banks in Ukraine, Russian oil giant Rosneft, and the British advertising company, WPP.
Danish shipping giant Maersk was also one of the companies hit in yesterday’s cyberattack. According to the BBC, the company was unable to process new orders and was expecting delays on consignments.
Even a Cadbury factory in Tasmania was affected and was forced to stop production as computer systems went down, according to John Short, the Australian Manufacturing and Workers Union state secretary.
While M.E.Doc denied claims that the ransomware sprang from its update, Microsoft published a blog post analyzing how the infection took hold of Windows machines. It placed the blame on the accounting software.
“Active infections of the ransomware initially started from the legitimate M.E.Doc update process,” the blog entry reveals.
Meanwhile, according to The Guardian, the Petya ransomware looks like the work of just another cybercriminal taking advantage of cyberweapons leaked online. Security experts consider the attack’s payment mechanism too amateurish, since the ransom note includes the same Bitcoin payment address for every victim. The malware also asks the victim to communicate via a single email address, which has already been suspended by the email provider. This means there is no way to contact the attacker to request the decryption key.
According to security researcher Grugq, the recent cyberattack has only a superficial resemblance to Petya, which was a money-making criminal enterprise.
“This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware’,” Grugq wrote.
The origin of the attack remains unknown, although according to Wired, Ukrainian cybersecurity firms and government agencies pin the attacks on political operatives seeking to disrupt Ukrainian institutions, since the malware targeted infrastructure including an electricity supplier, the state telecom, the central bank, and an airport.