M.E.Doc Servers Found Responsible for Spreading NotPetya Ransomware

NotPetya, Petna, PetrWrap, EternalPetya, Diskcoder.C, ExPetr, PetyaBlue, PetyaWrap, SortaPetya, Nyetya. These are few of the many names that the infamous ransomware is known by. The threat hit at full force on June 27, and it was estimated that it helped cyber criminals earn over 10,000 USD. This infection came soon after the infamous WannaCry Ransomware, and it exploited the exact same vulnerability (EternalBlue) to infect Microsoft operating systems. At the same time, another infection known by the name “FakeCry” was spreading as well. This infection was one of the bogus lookalikes of the devious WannaCry Ransomware. Both NotPetya and FakeCry were found spreading via M.E.Doc servers. M.E.Doc software was designed for electronic document management and accounting, and it was created by a Ukraine-based company, Intelligence Service Ltd. So, is this company to blame or is it just another victim of the ruthless cyber criminals?

Were M.E.Doc Servers Hacked?

The representatives of Intelligence Service Ltd. – the developer of M.E.Doc software – claim that the company’s servers were hacked to spread NotPetya. According to the findings of Anton Cherepanov at welivesecurity, a backdoor was injected into a legitimate module of the software. After examining the updates of M.E.Doc, it was found that three different updates accommodated the module with this backdoor. It was reported that the attacker had to be familiar with the M.E.Doc application source code.

According to the official statement issued by the Department of Cyber Police (Ukraine), the remote access most likely was enabled back on May 15, and the company was well aware of that because of the multiple warnings it received from third-party virtual security companies. Surprisingly, nothing was done at the time, and that is why speculations on whether or not Intelligence Service Ltd. was responsible occurred. The investigation is continuing after the company’s servers were seized and confiscated for further analysis. Overall, the verdict has not been reached yet, and we are yet to learn about the involvement of Intelligence Service Ltd.

Are M.E.Doc Users at Risk?

While M.E.Doc is not popular worldwide, it is estimated that some 80% of all businesses in Ukraine are using it on a daily basis. Unfortunately, this might mean that 400,000 clients are at risk. It is particularly important to note that the infection can record EDRPOU codes (Код ЄДРПОУ), which are given to every business in Ukraine for identification purposes. If the attacker is capable of identifying the party that is using the compromised version of M.E.Doc, they potentially might be able to perform personalized attacks. Besides that, the attacker can gain full control of the infected system using the backdoor. In the best case scenario, they are expected to at least record data about the operating system and its user. As it is now known, NotPetya Ransomware was spread using this backdoor as well.

If you enter the name of NotPetya into the search box at the top, you will find numerous articles and reports that our research team has already created to provide you with more information regarding this infection. If you need more details about it, this is where you need to go. What we can tell you right away is that this ransomware encrypts files, but has no way of providing the victim with a decryption tool. Some go as far as calling NotPetya a data wiper because once the files are encrypted, there is no way of decrypting them. It is technically impossible. If you want to learn more, read NotPetya Wiper Disguises as Ransomware,.

So, M.E.Doc Servers Were Compromised. What Now?

The first thing that everyone should do is install the MS17-010 patch. This is the fix for the vulnerability that the malicious ransomware is currently exploiting. The infamous WannaCry ransomware was stopped after a kill-switch was enabled, and NotPetya was halted after the Ukrainian authorities have taken action against Intelligence Service Ltd. That being said, copycats of this dangerous malware are thriving, and it is only a matter of time before the next monstrous ransomware emerges and targets vulnerable systems. To guard personal data against ransomware, one must always install updates, as well as employ authentic security software. The best advice, of course, is to back up data, as, nowadays, that is the only way to ensure its safety. When it comes to M.E.Doc users, they are advised to stop using this software immediately. Changing passwords is suggested as well.


Cherepanov, A. Analysis of TeleBots’ cunning backdoor

Департамент кіберполіції України (Department of Cyber Police of Ukraine) Прикриттям наймасштабнішої кібератаки в історії України став вірус Petya (Diskcoder.C)

Ivanov, A., Mamedov, O. In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine

Lee, D. Ukraine cyber-attack: Software firm MeDoc's servers seized

Polityuk, P., Stubbs, J. Family firm in Ukraine says it was not responsible for cyber attack