Microsoft says hacked software updater source of global Petya ransomware attack

Company says at least a portion of the infections stemmed from a software supply-chain attack with a legitimate MEDoc updater process.
By Jessica Davis
11:52 AM
Microsoft ransomware attack

Some of the initial Petya ransomware infections started with Ukraine-based tax accounting software MEDoc from the firm M.E.Doc, Microsoft confirmed on Tuesday.

While this connection was speculated by the media, security researchers and Ukraine’s Cyber Police, Microsoft now has solid evidence that some active infections began with a legitimate MEDoc updater process. Recently, hackers have been leveraging software supply chain attacks -- with great success.

[Also: Nuance knocked offline by ransomware attacking Europe]

Microsoft researchers discovered telemetry that showed the MEDoc software updater process executing a malicious command-line on Tuesday. The ransomware installation confirms EzVit.exe process from MEDoc executed the malicious script.

Ukraine Cyber Police also saw the connection in a public list of indicators of compromises.

[Also: Global ransomware attack hits Merck, health system after thrashing Europe (UPDATED)]

The virus leverages multiple lateral movements, which means it just needs one infected computer to infect the entire network. Microsoft said that once in, Petya can steal credentials and reuse existing active sessions. It leverages file sharing to transfer the virus across the network, while using legitimate functions to execute the payload or abuse SMB flaws in unpatched machines.

Tuesday’s attack is on pace to be as big as the WannaCry outbreak, said Kaspersky Labs officials. This ransomware strain is much worse than the original format of Petya. Thus, Kaspersky and others have dubbed this recent strain NotPetya.

The hackers leveraged the leaked NSA ETERNALBLUE exploit, at least within corporate networks, officials confirmed. But while WannaCry used an internet-facing worm component, Petya only scans internally.

Kaspersky, the FBI and other security experts stress that victims should never pay the ransom. In this case, Kaspersky said that the German email provider Posteo shut down the email address that victims were supposed to use to contact the hackers and eventually receive the decryption keys after paying the ransom.

Without the email address, victims won’t be able to retrieve the files. While the impact of WannaCry was halted by the discovery of the killswitch shortly after the attacks, researchers have not found a killswitch for NotPetya.

So far, hackers have infected companies in 64 countries, including the U.S., Ukraine, India and Denmark. Global biopharma giant Merck and major voice and language tool provider Nuance were hit in the U.S., as well as a health system in Pennsylvania. Ukraine has been hit the hardest

Twitter: @JessieFDavis
Email the writer:

Like Healthcare IT News on Facebook and LinkedIn