Researchers from Kaspersky Lab reported that NotPetya was not the only one distributed piece of malware using the compromised M.E.Doc update mechanism over the past week.
On June 27, the M.E.Doc users were affected by the so called FakeCry ransomware. The Kaspersky experts claim that it was run as ed.exe in the M.E.Doc directory by the parent process ezvit.exe, suggesting that the virus used the same delivery mechanism as the NotPetya wiper.
The FakeCry ransomware is written in .NET and includes a “WNCRY” string, which automatically refers the infection to the huge WannaCry campaign last month. At the same time, FakeCry pretends to be “made in China,” which according to the experts, is not true.
Some security experts have recently suggested that WannaCry was created by North Korean hackers, however, others did not support this theory.
On May 28, the Flashpoint linguistic analysis on WannaCry reported that the hackers were fluent Chinese speakers who spoke English as well.
The main difference between the WannaCry and FakeCry infections is the fact that WannaCry is distributed via the EternalBlue Windows exploit, while FakeCry uses a dropper saved on disk as wc.exe. The dropper is able to execute a few commands: drop the ransomware component; begin encryption; begin decryption; (public key for encryption and private key for decryption); and demo (encryption or decryption with hardcoded RSA keys).
On the other hand, the ransomware component can generate the RSA-2048 key pair, encrypt/decrypt files, encrypt/decrypt disk, and delete shadow copies on the infected system. Being executed, the virus deletes the shadow copies first, initializes the keys, creates the file list for encryption, proceeds to encrypt files, and shows the ransom window after that.
The FakeCry ransomware targets approximately 170 types of files to encrypt and can kill processes if they use targeted files, to unlock them. To acomplish the task, the virus uses the Handler Viewer Sysinternals tool. Besides, FakeCry contains a list of extensions which includes only image file types (jpg, jpeg, png, tif, gif, and bmp), and which hackers can decrypt for free.
The ransom note which FakeCry displays is rather similar to the one of WannaCry. It states that victims should pay 0.1 Bitcoin (around $260) and use the same wallet number for all infections (seven payments have been made so far to the wallet). FakeCry uses a Tor server for command and control.
“Unfortunately ExPetr/Petya was not the only ransomware that was distributed via MeDoc updates on June 27. In parallel, another ransomware, FakeCry, was also distributed to MeDoc users at exactly the same time as ExPetr/Petya. Our telemetry shows about 90 attacked organizations received the FakeCry ransomware, almost all in Ukraine,” the Kaspersky Lab say.
This week, the Ukraine’s authorities reported that they have raided and seized M.E.Doc servers fearing that the hackers behind NotPetya might still have access to these resources. Their official announcement advised users to turn off all computers on which the M.E.Doc software is running and to change the passwords and the electronic digital signatures.
Nevertheless, despite all the above-mentioned, the security experts have not established a definitive connection between the FakeCry and WannaCry ransomware yet.