Julia Irvine 28 Jun 2017 05:45pm

Tax accounting software spread Petya ransomware

It looks increasingly likely that the ransomware that has attacked computers in 65 countries and caught out some of the world’s most high-profile companies was helped to spread by, of all things, some tax accounting software.

However, it seems unlikely that the software was the only source of infection, ICAEW believes.

According to Microsoft, the initial infection “appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc”.

The software giant said in a statement that it has evidence that a few active infections of the ransomware initially started from the legitimate updater process.

“We observed telemetry showing the MEDoc software update process (EzVit.exe) executing a malicious command-line matching this exact attack pattern on Tuesday, 27 June around 10.30am GMT,” it added.
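The pattern Microsoft describes, a legitimate updater process executing something it has no business executing, is one a defender can hunt for in process-creation telemetry. The following is an added example, not code from the article, Microsoft or M.E.Doc: it runs a parent/child rule over Sysmon-style events. Only the updater image name (EzVit.exe) comes from the article; the install path, the list of children the updater is expected to start, the rundll32 command line and all sample events are constructed for illustration.

```python
"""Hunt for a trusted updater (EzVit.exe) spawning unexpected child processes.

Added example. Only the updater name comes from the article; paths, the
expected-child baseline and every sample event below are constructed.
"""
import ntpath
from typing import Dict, List, Tuple

UPDATER = "ezvit.exe"

# Assumption: children the updater legitimately starts. Baseline this from your
# own telemetry before enforcing it; a wrong list produces noise, not misses.
EXPECTED_CHILDREN = {"ezvit.exe", "medoc.exe"}

# Signed Windows binaries routinely used to run attacker-supplied code. One of
# these under an updater is worth an alert even if the baseline is incomplete.
LOLBINS = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
    "cmd.exe", "wscript.exe", "cscript.exe", "certutil.exe",
}

Event = Dict[str, str]
Alert = Tuple[str, str, str]  # (host, child command line, reason)


def _basename(path: str) -> str:
    """Case-insensitive file name of a Windows path ('C:\\x\\Y.EXE' -> 'y.exe')."""
    return ntpath.basename(path).lower()


def evaluate(event: Event) -> List[str]:
    """Return the reasons an event matches, or [] if it is out of scope or benign."""
    if _basename(event.get("parent_image", "")) != UPDATER:
        return []  # this rule only concerns the updater's children
    child = _basename(event.get("image", ""))
    reasons: List[str] = []
    if child in LOLBINS:
        reasons.append(f"updater spawned {child}, a binary used to run arbitrary code")
    elif child not in EXPECTED_CHILDREN:
        reasons.append(f"updater spawned {child}, which is not in the baseline")
    # A child launched from a user-writable directory is suspicious whatever its name.
    image_lower = event.get("image", "").lower()
    if any(seg in image_lower for seg in ("\\temp\\", "\\appdata\\", "\\users\\public\\")):
        reasons.append("child image lives in a user-writable directory")
    return reasons


def hunt(events: List[Event]) -> List[Alert]:
    """Run evaluate() over a batch of process-creation events and collect alerts."""
    alerts: List[Alert] = []
    for ev in events:
        for reason in evaluate(ev):
            alerts.append((ev["host"], ev.get("command_line", ""), reason))
    return alerts


# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {   # the updater restarting the application: expected, no alert
        "host": "acct-07",
        "parent_image": r"C:\Program Files\Medoc\EzVit.exe",
        "image": r"C:\Program Files\Medoc\ezvit.exe",
        "command_line": r'"C:\Program Files\Medoc\ezvit.exe" /restart',
    },
    {   # the updater running a constructed payload via rundll32: alert
        "host": "acct-07",
        "parent_image": r"C:\Program Files\Medoc\EzVit.exe",
        "image": r"C:\Windows\System32\rundll32.exe",
        "command_line": r"rundll32.exe C:\Windows\payload.dat,#1 30",
    },
    {   # rundll32 under explorer is normal desktop activity: out of scope here
        "host": "acct-07",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\rundll32.exe",
        "command_line": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
    {   # an unbaselined child dropped into a temp directory: alert, two reasons
        "host": "fin-12",
        "parent_image": r"C:\Program Files\Medoc\EZVIT.EXE",
        "image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
        "command_line": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
    },
]

if __name__ == "__main__":
    for host, cmd, reason in hunt(SAMPLE_EVENTS):
        print(f"{host}: {reason} :: {cmd}")
```

The rule is deliberately scoped to the updater as parent rather than to rundll32 in general, which is far too common to alert on by itself; the point is that an auto-update channel is a trusted execution path, so anything unusual it starts deserves a look even when the binary involved is legitimate and signed.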

Reports of the ransomware attack started in Ukraine, where more than 12,500 computers were hit. Before long the malware had spread to 64 other countries, including Belgium, Brazil, Germany, Russia and the US.

Russian oil company Rosneft, Ukrainian banks, Kiev Airport, shipping giant Maersk, pharmaceutical company Merck, global advertising agency WPP, US law firm DLA Piper and the radiation monitoring systems at the Chernobyl nuclear power plant are among its victims.

Microsoft said that the ransomware is a more sophisticated version of Petya, which first appeared in 2016. It has worm capabilities that allow it to move laterally across a network once a single machine is infected.

Mark Taylor, technical manager in ICAEW’s technical innovation team, said that he would be surprised if MEDoc was the only tool used to spread the virus. “I think its use would be pretty limited since it is obviously software that is only used in Ukraine and Russia as far as I can tell.

“The trouble with all these things is you get quite a lot of misinformation floating around and people confuse the symptoms when they look at one outbreak and they think it’s responsible and it’s not. So it’s difficult to track how it got out there. I suspect it was delivered through more than one means and that’s key here.”

He said that all those people who had kept their systems protection up to date in the past, particularly in response to the WannaCry cyber attack in May, should still be protected today. “Even if this software was delivered through a mechanism from MEDoc, if you had taken the precautions beforehand it would not have spread beyond that one computer that was infected.”

ICAEW is making available advice for people on how to protect their systems from ransomware.