Watch: Armed Ukrainian cyber-cops raid MeDoc in NotPetya probe

Equipment seized to head off new attack, we're told

M.E.Docs servers - image from Ukraine Cyberpolice
Image: Cyberpolice Ukraine

Video There's a new wrinkle to the NotPetya story: authorities in Ukraine have seized equipment from MeDoc, the accounting software maker implicated in spreading the malware.

The country's anti-cybercrime unit has seized the developer's servers after saying it had detected new activity, and was acting to “immediately stop the uncontrolled proliferation” of malware.

Associated Press's Raphael Satter quotes a police spokesperson, Yulia Kvitko, as saying the company's systems had either sent or were preparing to send a new (presumably compromised) update.

The cyber-plod says the company's management and staff fully assisted in the investigation, adding that equipment will be “sent for detailed analysis”. A video of the armed raid was posted on YouTube by the cops:

Youtube Video

Officers now recommend people stop using the software until further notice, turn off any computers it's installed on, and change their passwords. Cisco's security peeps have also published an analysis of how MeDoc's systems were commandeered to infect victims with NotPetya. ESET has also described in detail how the malware spread via a malicious MeDoc update.

In another twist, Kaspersky Lab analyst Aleks Gostev says the Bitcoin collected in the original attack has been withdrawn and a statement (which Vulture South can't verify) posted to an Onion text site.

The AP story says the Ukrainian infrastructure ministry alone has incurred “millions” in the costs of the attack, which hit two servers and hundreds of workstations. ®


Biting the hand that feeds IT © 1998–2017