The roar of the NotPetya disk wiper still echoes around the world as compromised businesses work to restore their services fully. Just a few days ago, we discussed that the reprehensible WannaCry ransomware might have dipped its toes back into the dark waters, and today we have to evaluate the possibility of another nightmare repeating itself.
To this day, the initiators of the worldwide NotPetya attack have not been caught, nor is the whole story known. Nevertheless, over these few months it was determined that the variant was not a crypto-virus but a disk wiper. Additionally, the mother of all problems, the source of the infection, was determined to be the M.E.DOC accounting firm from Ukraine. As a consequence, its servers were confiscated as evidence.
Furthermore, many services had a hard time trying to reinvent themselves after the attack. FedEx was one of the most concerned organizations, believing it had lost huge amounts of its data permanently. Much to our surprise, the NotPetya virus was also exploited to commit tax fraud, since some Ukrainian companies were allowed to submit their paperwork late because of the disruption caused by the cyber invasion.
Is it possible for NotPetya to return?
While people pray to the almighty virtual gods for mercy, history slowly starts repeating itself. Once again, a Ukrainian accounting company has been hacked. This time, Crystal Finance Millennium fell victim to the vicious hands of hackers. Soon after the cyber attack, the legitimate firm’s servers began hosting several variants of malware. The only positive news is that the crooks did not manage to tamper with the company’s software as they did with M.E.DOC; this time, the uploaded malware was merely hosted on the service’s domain.
As the hackers were not satisfied with this turnout, they decided to send malicious emails to a large number of people. Naturally, the emails contained harmful attachments which, if run, would install a virus. According to the analysis, the Crystal Finance Millennium firm was exploited for the purpose of distributing several malicious tools: Smoke Loader, Chthonic, the very disturbing PSCrypt virus, the Zbot banking trojan, and Purge ransomware.
The situation is settled: crisis averted
While this whole scenario sounded like a strong déjà vu of NotPetya, the disk wiper was not involved in the attack against the Crystal Finance Millennium firm. Instead, other ransomware variants stepped up. Thankfully, the situation appears to have been caught just in time, and a massive ransomware outbreak was avoided. This time, that is. But what stands in the way of hackers repeating the same strategy a week or a month from now? We advise users to be extremely careful, even when visiting the domains of legitimate services.