From Ukraine with ransomware: How the global mess all began

Researchers found it only took one victim in Ukraine to infect computers around the world with ransomware.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
Petya ransomware cyber attack
Alexander Ryumin\TASS via Getty Images

Even system updates aren't safe from ransomware.

The ransomware GoldenEye spread like wildfire across computers around the world, infecting systems at an alarming rate on Tuesday.

Now researchers believe they found where the first spark went off. The attacks started in Kiev, Ukraine, during the early hours of Tuesday. While the majority of victims were in Ukraine and neighboring Russia, it spread throughout the world, hitting global companies like Maersk, FedEx and Merck.

The GoldenEye ransomware, a strain of the popular Petya malware, encrypted computers across networks using an NSA exploit called EternalBlue, leaked in April, and held them hostage for $300 in bitcoins. The cyberattack disrupted hundreds of businesses on Tuesday.

Ransomware attacks have run rampant in recent weeks, as GoldenEye follows the wake of the massive WannaCry attack. Computers around the world are getting infected, holding up businesses, hospitals and schools. The widespread attacks shines a new light on an old hack that's since gotten much more powerful. Where the attack originates highlights how even the most diligent systems of computers can be undone if there's even one vulnerable link in the chain -- even if that link is from outside software or a partner that's connected to you.

That link, it turns out, is MEDoc, a Ukrainian tax accounting software, researchers found. MEDoc is considered the "default" tax filing application "for all companies operating in Ukraine," said Bogdan Botezatu, a threat analyst for Bitdefender.

Hackers attacked MEDoc's program, and hid the GoldenEye ransomware in a software update to its many customers. Both Bitdefender and Microsoft were able to find evidence linking GoldenEye's spread to MEDoc.     

The "software update" from an infected MEDoc program would execute "rundll32.exe," an application that helps Windows perform functions like activate GoldenEye, and start encrypting your computer's files and the hard drive.

"This is the indubitable confirmation that MeDOC update is an infection vector," Botezatu said. "This makes Ukraine 'patient zero' from where the infection spread across VPN networks to headquarters or satellite offices."

Maersk, FedEx and Merck all have offices in Ukraine, and were likely infected through there, he noted.

Microsoft tracked the infections to a software update from a program called "ezvit.exe" -- MEDoc's update process. Through this method of infection, even if your computer system's have been patched, even a seemingly safe update could slip through, packed with malware.

"Software supply chain attacks are a recent dangerous trend with attackers, and it requires advanced defense," Microsoft wrote in its blog.  

In a defense posted to its Facebook page, MEDocs denied that it was responsible for helping the ransomware spread. The company argued Microsoft was wrong because the source code for its software update does not contain the command "rulldll32.exe."

The company said it was working with Ukrainian police to find out who's behind the cyberattack. On Tuesday, the Cyberpolice Ukraine recommended against downloading any updates from MEDocs.

Once it's on one computer, GoldenEye can spread to every computer in the network, even if the EternalBlue exploit had been patched. While up to 38 million computers remain vulnerable without any patching, GoldenEye doesn't need to rely on that exploit only. It can still spread through account impersonation.

In addition to locking up your computer, the malware steals login credentials and copies itself across all computers in the network. Botezatu said he saw "800 fully patched computers" get infected with GoldenEye in less than a minute from the account impersonation technique.

Logging Out: Welcome to the crossroads of online life and the afterlife.

Virtual reality 101: CNET tells you everything you need to know about VR.