I came across an interesting article today, with regards to the Petya / NotPetya cyber attack from last week. This is a very good write up and analysis of how the organisation M.E.Doc appears to have been compromised and used to spread the malware in a series of updates for the software it produces.
This demonstrates how devastating these types of compromises can be and as a defender can make it very difficult to identify and stop this type of attack from happening, if you happen to be the target of said attack.
I suggest you read this very good article!
https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/
Analysis of TeleBots’ cunning backdoor
On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C(aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery. In fact, the malware authors’ intention was to cause damage, so they did all that they could to make data decryption very unlikely.
Another good write up by bleeping computer that contains more information.
Conspiracy theories
Last week, a blog post from a Ukrainian web developer went viral, after it hinted that the real culprit behind the hacked server could have been M.E.Doc’s web host, Wnet, a company that has been accused of having ties to Russia’s intelligence service (FSB).
An investigation into the man’s accusations revealed that the SBU had raided the web host on June 1, for “illegal traffic routing to Crimea in favor of Russian special services.”