Figure: Petya's ransom note displayed on a compromised system

Date | 27–28 June 2017 |
---|---|
Location | |
Type | cyberattack |
Cause | malware, ransomware, cyberterrorism |
Outcome | affected several Ukrainian ministries, banks, metro systems and state-owned enterprises |
Suspect(s) | |

A series of powerful cyberattacks using the Petya malware began on 27 June 2017 and swamped the websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, the United Kingdom, the United States and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. On 28 June 2017, the Ukrainian government stated that the attack was halted. On 30 June 2017, the Associated Press reported that experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.
Security experts believe the attack originated from an update of a Ukrainian tax accounting package called MeDoc (M.E.Doc), developed by Intellect Service. MeDoc is widely used among tax accountants in Ukraine, and the software was the main option for accounting for other Ukrainian businesses, according to Mikko Hyppönen, a security expert at F-Secure. MeDoc had about 400,000 customers across Ukraine, representing about 90% of the country's domestic firms, and prior to the attack was installed on an estimated 1 million computers in Ukraine.
MeDoc provides periodic updates to its program through an update server. On the day of the attack, 27 June 2017, an update for MeDoc was pushed out by the update server, after which the ransomware attack began to appear. British malware expert Marcus Hutchins claimed "It looks like the software's automatic update system was compromised and used to download and run malware rather than updates for the software." The company that produces MeDoc claimed they had no intentional involvement in the ransomware attack, as their computer offices were also affected, and that they were cooperating with law enforcement to track down the origin. A similar attack via MeDoc software was carried out on 18 May 2017 with the XData ransomware. Hundreds of accounting departments were affected in Ukraine.