A second ransomware called ‘FakeCry’ was distributed to computers alongside the infamous NotPetya through a compromised software update from Ukrainian software vendor M.E.Doc.
That means users of the MEDoc accounting software package were actually exposed to two pieces of ransomware on June 27, the date of the NotPetya outbreak.
Kaspersky Lab researchers, who discovered the second ransomware in the MEDoc update, have named it FakeCry because it copies the WannaCry ransom page and message, including displaying the title “Wanna Decryptor 2.0”. It is, however, different from WannaCry.
Another quirk is that a string in the code contains a "made in china" copyright notice. Kaspersky researchers labelled this a "false flag", designed to throw researchers off in efforts to attribute the ransomware to a specific hacking group.
It’s not known whether FakeCry and NotPetya are from the same attacker though it is noteworthy they were both distributed at exactly the same time through the MEDoc updates.
Nearly all the 90 organizations that were affected by FakeCry were Ukrainian, according to Kaspersky.
FakeCry runs as “ed.exe” in the “MeDoc” program folder and is launched on victim machines by a component of the MEDoc software called ezvit.exe.
“This suggests the delivery mechanism abused the same MeDoc updates vector as ExPetr [NotPetya],” wrote Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov.
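The execution chain described above (ezvit.exe launching ed.exe) is a concrete thing a defender can hunt for in endpoint telemetry. The following is an added detection example, not code from Kaspersky or the article; it runs over constructed Sysmon-style process-creation events, and the folder paths and the allowlist of expected child processes are assumptions.

```python
import ntpath
from typing import Optional

# Constructed sample process-creation events in a Sysmon Event ID 1 style.
# Folder paths are placeholders: the article names only ezvit.exe, ed.exe and a "MeDoc" folder.
SAMPLE_EVENTS = [
    {"host": "acct-01", "ParentImage": r"C:\MeDoc\ezvit.exe", "Image": r"C:\MeDoc\ed.exe"},
    {"host": "acct-01", "ParentImage": r"C:\MeDoc\ezvit.exe", "Image": r"C:\Windows\System32\conhost.exe"},
    {"host": "acct-02", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\MeDoc\ezvit.exe"},
    {"host": "acct-03", "ParentImage": r"C:\MeDoc\ezvit.exe", "Image": r"C:\MeDoc\ed.exe"},
    {"host": "acct-04", "ParentImage": r"C:\MeDoc\ezvit.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]

# Assumed allowlist of children the MEDoc component is expected to launch; tune per environment.
EXPECTED_CHILDREN = {"conhost.exe"}


def _name(path: str) -> str:
    # ntpath handles Windows-style paths on any platform.
    return ntpath.basename(path).lower()


def classify(event: dict) -> Optional[str]:
    """Return a severity for a process-creation event, or None if it is not interesting."""
    if _name(event["ParentImage"]) != "ezvit.exe":
        return None
    child = _name(event["Image"])
    if child == "ed.exe":
        # The exact chain Kaspersky reported for FakeCry: ezvit.exe launching ed.exe.
        return "high"
    if child not in EXPECTED_CHILDREN:
        # Any other unexpected child of the updater component deserves a look.
        return "medium"
    return None


def find_alerts(events) -> list:
    """Walk the events and return (host, child image, severity) for each hit, in order."""
    alerts = []
    for event in events:
        severity = classify(event)
        if severity:
            alerts.append((event["host"], event["Image"], severity))
    return alerts
```

The medium-severity branch generalises the page's specific chain: after a trojanised update, any child of ezvit.exe outside the expected set is worth triage, not just ed.exe.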
Victims of FakeCry are asked to pay 0.1 Bitcoin, or around USD $260, for the decryption key. Similar to NotPetya, the FakeCry attackers use a fixed wallet to receive payments from all victims. At the time of writing the wallet had received seven payments totaling 0.51 BTC.
Ukrainian police today seized M.E.Doc's servers as part of the investigation into last week’s attack and the effort to find out who was behind it.
M.E.Doc’s owners have repeatedly denied being the source of the NotPetya outbreak, which mostly affected organizations in Ukraine. More than 70 percent of NotPetya encounters were in Ukraine, according to Microsoft. MEDoc is the most widely used accounting software in Ukraine.
Researchers at ESET, who have been closely tracking other malware attacks against Ukraine's financial sector and energy firms, noted that a different ransomware from NotPetya, called XData, was distributed through an update from M.E.Doc on May 18.
XData ransomware is from a hacker group ESET calls Telebot, which is also behind the destructive KillDisk malware that wipes victims' files. KillDisk has targeted Ukrainian organizations since 2016.
ESET researcher Anton Cherepanov detailed some similarities between KillDisk and NotPetya: the apparent use of ransomware as a cloak for destructive malware, combined with a ‘supply chain attack’. Researchers found that NotPetya victims would not be able to decrypt their data even if they paid.
Cherepanov notes that KillDisk infections in 2016 displayed an image but lacked the hallmarks of ransomware, such as contact details and a ransom note.
A subsequent wave of KillDisk attacks contained a message claiming files had been encrypted and contact details. However, the attackers asked for a whopping 222 Bitcoin, worth about $250,000 at the time, suggesting it was not a money making exercise.
In 2017 the same group also compromised a Ukrainian software firm other than M.E.Doc to distribute malware to its customers via VPN. The attack is similar in that it relies on compromising a software provider. Microsoft has also recently observed “well-planned” supply chain cyber attacks, which are dangerous because the updates come from a trusted supplier.