Ukrainian police officers have seized the servers of M.E.Doc, the accounting software whose update channel is the prime suspect in the question of how the NotPetya malware spread. Serhiy Demeduyk, head of Ukraine’s Cyber Police, confirmed the seizure and stressed that it was a necessary step. While many have pointed fingers at Russia, Demeduyk notes that the initial NotPetya activity was traced to malicious updates for M.E.Doc, so that is the trail that has to be followed first.
Analysts have determined that counterfeit updates for the accounting software prompted its clients to download roughly 35 megabytes of unidentified material. For those unfamiliar with M.E.Doc, it is a program used to exchange financial documents between connected parties.
The seizure and search were described as rather dramatic in a post published by the company that controls the M.E.Doc software. According to its statement, unidentified people were rummaging through its offices. The raid naturally prevents the popular accounting-software vendor from carrying on its usual business and forces it to suspend operations.
Security researchers stress that the seized servers must be analyzed to determine whether they hold traces of an intrusion. From the information available so far, it has been established that the attackers planted a backdoor in M.E.Doc’s modules in order to push a malicious update to the software. Another disturbing finding is that the attack was in no way random: the attackers are presumed to have prepared carefully, and one piece of that preparation is that they must have obtained the vendor’s source code.
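The lesson of a backdoored vendor update is that a client which trusts whatever the update server hands it, including the checksum published next to the file, has no defense once that server is compromised. The added example below is not M.E.Doc’s update mechanism and not code from the page; it is an illustration of the one client-side check that survives a server compromise, namely verifying a detached signature under a vendor public key pinned in the installed product, with the signing key kept offline. The module bytes, the implant string, the `Update` structure and all function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for one vendor update: the module bytes
// plus the metadata an update server hands out next to them.
type Update struct {
	Module    []byte // the replaceable module, e.g. a DLL the updater drops in
	SHA256    string // checksum published on the update server
	Signature []byte // detached Ed25519 signature over Module
}

var ErrUntrustedUpdate = errors.New("update rejected: signature does not verify under the pinned vendor key")

// checksum is what the server publishes; anyone who controls the server can
// recompute it for whatever payload they choose to serve.
func checksum(module []byte) string {
	sum := sha256.Sum256(module)
	return hex.EncodeToString(sum[:])
}

// BuildRelease is the vendor's offline release step: the signing key lives
// on a machine that is not the update server.
func BuildRelease(signingKey ed25519.PrivateKey, module []byte) Update {
	return Update{
		Module:    module,
		SHA256:    checksum(module),
		Signature: ed25519.Sign(signingKey, module),
	}
}

// Trojanize models an intruder on the update server: the module is swapped
// for a backdoored one and the checksum is regenerated to match, but the
// intruder has no access to the signing key, so the old signature is reused.
func Trojanize(genuine Update, implant []byte) Update {
	tampered := append(append([]byte{}, genuine.Module...), implant...)
	return Update{
		Module:    tampered,
		SHA256:    checksum(tampered),
		Signature: genuine.Signature,
	}
}

// AcceptByChecksum is the weak client check: it trusts a checksum that
// arrived from the same server as the module.
func AcceptByChecksum(u Update) bool {
	return checksum(u.Module) == u.SHA256
}

// AcceptBySignature is the check that survives a server compromise: the
// vendor public key is pinned in the installed product, so a module the
// offline key never signed is refused no matter what the server says.
func AcceptBySignature(pinned ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pinned, u.Module, u.Signature) {
		return ErrUntrustedUpdate
	}
	return nil
}

// Outcome records how each client check treated a genuine and a trojanized
// update, so the comparison can be checked rather than only printed.
type Outcome struct {
	GenuineByChecksum, TrojanByChecksum   bool
	GenuineBySignature, TrojanBySignature error
}

// RunScenario builds a genuine release, trojanizes a copy of it, and runs both
// through both checks. Module bytes and implant are constructed samples.
func RunScenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := BuildRelease(priv, []byte("accounting-module v1.0 (constructed sample bytes)"))
	trojan := Trojanize(genuine, []byte("\x00implant: fetch-and-run stage-2 (constructed)"))
	return Outcome{
		GenuineByChecksum:  AcceptByChecksum(genuine),
		TrojanByChecksum:   AcceptByChecksum(trojan),
		GenuineBySignature: AcceptBySignature(pub, genuine),
		TrojanBySignature:  AcceptBySignature(pub, trojan),
	}
}

func main() {
	o := RunScenario()
	fmt.Printf("checksum check  : genuine=%v trojan=%v\n", o.GenuineByChecksum, o.TrojanByChecksum)
	fmt.Printf("signature check : genuine=%v trojan=%v\n", o.GenuineBySignature, o.TrojanBySignature)
}
```

The checksum client accepts both packages, because the intruder who swapped the module also rewrote the checksum; the signature client accepts only the genuine release. The protection holds only as long as the signing key really is kept off the update server and the source-code repository: an attacker who has obtained the vendor’s build environment and signing key can sign whatever they like, which is why where that key lives matters as much as whether signatures are checked.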
The incident clearly still requires a great deal of investigation, and without the servers in hand it would be difficult to properly examine the potential culprits. Meanwhile, the people behind NotPetya have done something other than releasing ransomware. A Twitter bot tracking NotPetya-related activity detected movement, and it turned out that the operators had sent payments to the Pastebin and DeepPaste services, naturally in bitcoin.
Soon after, the attackers were observed sending approximately 10,000 US dollars’ worth of bitcoin to another wallet, and they also posted several messages. Security researchers were able to make contact with the NotPetya authors. While there is no doubt the group is trying to finally profit from the crypto-virus, they are after more than that.
They appear to be offering for sale the private key for the user-mode encryption module. The NotPetya group ignored most of the questions put to it; our assumption is that they answered security researchers at all only to spread word of the product they had put up for sale.