Security researchers may have identified how yesterday’s massive ransomware outbreak began, blaming a software update server that was hijacked and used to push the malware without users having to take any action.
According to security researchers at Microsoft, the source of the infections is believed to be M.E.Doc, a Ukrainian software company that produces a popular tax accounting package. It appears intruders managed to compromise the company’s automated update server, allowing them to push the malware as a self-installing update and effectively use the legitimate software as a backdoor.
Once installed on a system, the malware dropped its ransomware payload and used a worm component to seek out vulnerable machines with the EternalBlue and EternalRomance exploits, both of which target Windows flaws that Microsoft patched in March as part of a critical update.
The worm spread the ransomware across 64 countries, including Russia, Denmark, the UK, Germany, France, Belgium, the US and Brazil. Particularly hard-hit was Ukraine, where over 12,500 computers were infected, including at the country’s national bank, an airport and the national power company. One of the most prominent victims was US/UK law firm DLA Piper, where an infection in their Spanish office quickly spread to locations around the world and crippled operations.
Recovery is made particularly difficult by Posteo’s decision to shut down the email account used by the ransomware operators, meaning that even those who pay the ransom will likely be unable to recover their data without significant loss. So far, the Bitcoin wallet associated with the attacks has collected just under 4 bitcoins, about $10,000.