ME Doc's servers seized in NotPetya investigation in Ukraine as attackers remove $10,000 in bitcoin from 'ransomware' wallet

Attack on ME Doc - used by four-fifths of companies in Ukraine - a nation-state attack intended to disrupt the country, claim authorities

Police in Ukraine have seized the servers of Intellect Service, the company responsible for ME Doc, the accounting software whose updating infrastructure was compromised to propagate the NotPetya malware last week.

The head of Ukraine's cyber police, Serhiy Demedyuk, confirmed the seizure yesterday. That followed claims by one of the company's official dealers on Facebook that "masked men" were searching ME Doc's offices, and that the company's servers and services were down. The company fully cooperated in the raid, according to the police report.

Demedyuk's team claims that ME Doc was compromised as a result of a ‘classic supply chain attack', which would have required access to ME Doc's source code. "Once they have access to the source code, they installed a backdoor in one of the program updates, which installs unauthorised remote access [Trojan] on the computers of ME Doc users," the police report suggested.

The software update, it added, "probably took place on 15 May 2017", while the attack was perpetrated in order to disrupt the Ukrainian economy under the cover of ransomware.

While that claim remains to be proven, it does highlight another weak point in modern economies, and that "essential infrastructure" that could be targeted in a nation-state cyber attack need not necessarily be the utilities, such as power stations and other elements of the electricity infrastructure, that most people automatically think of as essential infrastructure.

The police report also suggests that there may be a link between the WannaCry ransomware propagated in May and NotPetya.

The police also advised users of ME Doc to disconnect any PCs running the software, and to change passwords and digital signatures. It warned that organisations taken down by NotPetya could also be compromised in future as a result.

Intellect Service's ME Doc accounting software is used by 80 per cent of businesses in Ukraine. As a result of the disruption caused by the attack Ukrainian authorities have extended the deadline for filing end-of-year tax returns by one month to help businesses whose preparation might be affected by the sudden removal of the service.

The police raid comes after someone overnight removed around $10,000 in bitcoin from the wallet set-up in connection with the malware. The funds were transferred to a different bitcoin wallet, following a couple of test transfers with small denominations.

NotPetya, which was launched on 27 June via the compromised servers of ME Doc, utilises ransomware similar to Petya in order to supposedly encrypt files.

Analyses of the malware indicate that it made use of US National Security Agency (NSA) exploits that ought to have enabled it to self-propagate once released into the wild - and that those exploits were absorbed into the malware before the exploits were publicly released.

Victims are then requested to make a payment in bitcoin to a particular account in order to receive a decryption key. However, the NotPetya ransomware destroys files rather than encrypting them, and keys are therefore not distributed to people who pay the ransom.

Criminal charges may be levied against the company after claims that managers ignored security warnings from security specialists and staff.