2017 Ukraine ransomware attacks

Security experts believe that the NotPetya attack originated from an update of M.E.Doc, a Ukrainian tax accounting package developed by Intellect Service. and Mikko Hyppönen, a security expert at F-Secure, described it as a primary accounting software for many Ukrainian firms. A similar incident occurred on 18 May 2017, when the XData ransomware spread through a compromised update of M.E.Doc. Hundreds of accounting departments were affected in Ukraine. The cyberattack involved malware that resembled Petya ransomware but was later found to function as a wiper rather than traditional ransomware. Like the WannaCry ransomware attack in May 2017, NotPetya used the EternalBlue exploit, which targeted a vulnerability in older versions of the Microsoft Windows operating system. When executed, NotPetya encrypted the master boot record (MBR), preventing the operating system from loading. It then displayed a message demanding USD 300 in Bitcoin, but researchers found that data recovery was not possible. The software also spread within networks by exploiting the Server Message Block (SMB) protocol in Windows. Additionally, NotPetya incorporated Mimikatz, a proof-of-concept tool created in 2011 to demonstrate how Windows stored passwords in memory. Attackers used it to extract credentials, escalate privileges, and move laterally across networked systems. Security expert Lesley Carhart stated, "Every method of exploitation that the attack used to spread was preventable by well-documented means." Security experts determined that the variant of Petya used in the 2017 Ukraine cyberattacks had been modified and was subsequently named NotPetya or Nyetna to distinguish it from the original ransomware. NotPetya encrypted entire files, not just the Master File Table (MFT), and in some cases, functioned as a wiper, permanently destroying or irreversibly altering data, with no known method of recovery. Some security experts saw that the software could intercept passwords and perform administrator-level actions that could further ruin computer files. They also noted that the software could identify specific computer systems and bypass infection of those systems, suggesting the attack was more surgical in its goal. According to Nicholas Weaver of the University of California the hackers had previously compromised M.E.Doc "made it into a remote-control Trojan, and then they were willing to burn this asset to launch this attack." == Attack ==

During the attack the radiation monitoring system at Ukraine's Chernobyl Nuclear Power Plant went offline. Several Ukrainian ministries, banks, metro systems and state-owned enterprises (Boryspil International Airport, Ukrtelecom, Ukrposhta, State Savings Bank of Ukraine, Ukrainian Railways) were affected. In the infected computers, important computer files were overwritten and thus permanently damaged, despite the malware's displayed message to the user indicating that all files could be recovered "safely and easily" by meeting the attackers' demands and making the requested payment in Bitcoin currency. The attack has been seen to be more likely aimed at crippling the Ukrainian state rather than for monetary reasons. Most government offices would be empty, allowing the cyberattack to spread without interference. Former government adviser in Georgia and Moldova Molly K. McKew believed this assassination was related to the cyberattack. On 28 June 2017 the Ukrainian government stated that the attack was halted, "The situation is under complete control of the cyber security specialists, they are now working to restore the lost data." Following the initial 27 June attack, security experts found that the code that had infected the M.E.Doc update had a backdoor that could potentially be used to launch another cyberattack. On seeing signs of another cyberattack, the Ukrainian police raided the offices of M.E.Doc on 4 July 2017 and seized their servers. M.E.Doc's CEO stated that they were not aware there had been a backdoor installed on their servers, again refuted their involvement in the attack, and were working to help authorities identify the source. Security company ESET found that the backdoor had been installed on M.E.Doc's updater service as early as 15 May 2017, while experts from Cisco Systems' Talos group found evidence of the backdoor as early as April 2017; either situation points to the cyberattack as a "thoroughly well-planned and well-executed operation". Ukrainian officials have stated that Intellect Service will "face criminal responsibility", as they were previously warned about lax security on their servers by anti-virus firms prior to these events but did not take steps to prevent it. Talos warned that due to the large size of the M.E.Doc update that contained the NotPetya malware (1.5 gigabytes), there may have been other backdoors that they have yet to find, and another attack could be possible. == Attribution ==

On 30 June, the Security Service of Ukraine (SBU) reported that it had seized equipment allegedly used to launch the cyberattack, stating that it belonged to Russian agents responsible for the attack. On 1 July 2017, the SBU stated that available data indicated the perpetrators of the December 2016 attacks on Ukraine's financial system, transport and energy infrastructure, which used TeleBots and BlackEnergy, were the same groups responsible for the 27 June 2017 attack. "This testifies to the involvement of the special services of Russian Federation in this attack," it concluded. A December 2016 cyberattack on a Ukrainian state energy system caused a power outage in northern Kyiv. In December 2016, ESET concluded that TeleBots had evolved from the BlackEnergy group and had used cyberattacks to sabotage Ukraine's financial sector during the second half of 2016. Around the time of the 4 July raid on M.E.Doc, the $10,000 in bitcoin already collected in the listed wallets for NotPetya had been withdrawn, and experts speculated it was used to buy space on the anonymous Tor network. One message posted there, allegedly from the NotPetya authors, demanded 100,000 bitcoin (about $2.6 million) to halt the attack and decrypt all affected files. According to reports cited in January 2018, the United States Central Intelligence Agency claimed that Russia was responsible for the cyberattack, alleging that Russia's Main Intelligence Directorate (GRU) had designed NotPetya. Similarly, in February 2018, the United Kingdom Ministry of Defence accused Russia of launching the cyberattack, stating that by targeting systems in Ukraine, the attack had spread and affected major systems in the United Kingdom and elsewhere. Russia denied involvement, noting that Russian systems were also impacted by the attack. Wired technology writer Andy Greenberg, in reviewing the history of the cyberattacks, stated that the attacks were attributed to a Russian military hacker group called "Sandworm". Greenberg claimed that Sandworm was responsible for the 2016 blackouts in Kyiv, among other incidents. The group had reportedly been targeting Ukraine's financial sector, and sometime in early 2017, allegedly gained access to M.E.Doc's update servers, which were then used to distribute the malware that facilitated the cyberattack in June 2017. == Affected companies ==

Companies affected include Antonov, Kyivstar, Vodafone Ukraine, lifecell, TV channels STB, ICTV and ATR, Kyiv Metro, UkrGasVydobuvannya (UGV), gas stations WOG, DTEK, EpiCentre K, Kyiv International Airport (Zhuliany), Prominvestbank, Ukrsotsbank, KredoBank, Oshchadbank and others, Oshchadbank was again fully functional on 3 July 2017. Ukraine's electricity company's computers also went offline due to the attack; but the company continued to fully operate without using computers. the APM Terminals subsidiary of international shipping company A.P. Moller-Maersk, the FedEx shipping subsidiary TNT Express (in August 2017 its deliveries were still disrupted due to the attack), Chinese shipping company COFCO Group, French construction materials company Saint Gobain, advertising agency WPP plc, Heritage Valley Health System of Pittsburgh, law firm DLA Piper, pharmaceutical company Merck & Co., consumer goods maker Reckitt Benckiser, and software provider Nuance Communications. A Ukrainian police officer believes that the ransomware attack was designed to go global so as to distract from the directed cyberattack on Ukraine. The cost of the cyberattack had yet to be determined, as, after a week of its initial attack, companies were still working to mitigate the damage. Reckitt Benckiser lowered its sales estimates by 2% (about $130 million) for the second quarter primarily due to the attack that affected its global supply chain. Tom Bossert, the Homeland Security adviser to the President of the United States, stated that the total damage was over . Among estimated damages to specific companies included over to Merck, to FedEx, to Saint-Gobain, and to Maersk. == Reaction ==

Secretary of the National Security and Defence Council of Ukraine Oleksandr Turchynov claimed there were signs of Russian involvement in the 27 June cyberattack, although he did not give any direct evidence. Russian officials have denied any involvement, calling Ukraine's claims "unfounded blanket accusations". The White House Press Secretary released a statement on 15 February 2018 attributing the attack to the Russian military, calling it "the most destructive and costly cyberattack in history." IT-businessman, chairman of the supervisory board of the Oktava Capital company Oleksandr Kardakov proposed to create civil cyber defense in Ukraine. == See also ==