MeDoc
MeDoc updates distributed NotPetya ransomware.
The update mechanism for MeDoc, a widely used Ukrainian accounting package, was compromised and used to distribute NotPetya. What looked like ransomware operated as a destructive wiper, escaping its initial target set and crippling shipping, pharmaceuticals, logistics, and public services worldwide. A local tax-software update became one of the costliest cyber disruptions on record.
- Date
- 2017-04-01 to 2017-06-27
- Category
- Commercial
- Target Surface
- Build/CI
- Insertion Phase
- distribution
- Impact
- Ransomware (wiper)
- Cause
- build server compromise
What Was Affected
Package
MeDoc
Component
Application
Artifact type
binary archive
Domain type
project download host
Domain
medoc.ua
Compromised Versions
- Specific MeDoc update versions distributed on or around June 27, 2017
Incident Context
- Motive
- Data destruction
- Attribution
- Nation-state
- Transitive
- No
- User Impact
- 400000
- Observed Duration
- 87 days
Evidence
Compromised Artifacts
- MeDoc software updates distributed via medoc.ua's update server (e.g., upd.me-doc.com.ua) around June 27, 2017.
Current Artifacts and Analysis
- welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine
- microsoft.com/en-us/security/blog/2017/06/27/new-ransomware-old-techniques-petya-outbreak-originates-in-ukraine-spreads-globally
- virustotal.com/gui/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
- virustotal.com/gui/file/13d5006285b3f9151e7e7f98e75a99534a831510f6e6d4f1a24713004f014906
Indicators and Changes
Hashes
- sha256:027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
- sha256:13d5006285b3f9151e7e7f98e75a99534a831510f6e6d4f1a24713004f014906
- md5:71b6a493388e7d0b40c83ce903bc6b04
External References
Source Data
Source record: proprietary/medoc/meta.yaml