The Latest Ransomware Took Advantage of a Devilishly Clever Trick

Ransomware is usually spread via emails or websites. But at least some victims of this latest wave were infected by a software update, according to researchers and law enforcement.

Jun 28 2017, 3:47pm


Tuesday's global ransomware outbreak may be notable for its size, but there is a second aspect that sets it apart from other attacks: the way in which at least some victims appear to have been infected.

Typically, ransomware may be distributed through spam emails, or dodgy adverts on websites. In this case, some victims were impacted because of a booby-trapped software update from a Ukrainian financial software company, according to researchers and law enforcement. This episode doesn't only showcase a novel attack approach, it also highlights the power that software updates can have over the security of a system more generally.

In a blog post published on Tuesday, Microsoft said it had evidence that "a few active infections of the ransomware initially started from the legitimate MEDoc updater process." MEDoc is a company that provides accounting software, such as tools that simplify filing your taxes.

The Ukrainian police and researchers at cybersecurity firms Kaspersky and AlienVault said much the same: hackers likely broke into MEDoc's own systems, bundled ransomware up with a software update, and pushed it out to unsuspecting MEDoc customers.

For its part, MEDoc denied on Facebook it was the source of the infections, saying that "such conclusions are clearly wrong, because the developer MEDoc, as a responsible software vendor, monitors the security and cleanliness of its own code," according to a Google translation of the post. MEDoc did not immediately respond to a request for comment.

But, whereas a normal update file would be around 300 bytes, this one was 330KB, according to the Ukrainian police. Microsoft said it observed the MEDoc software updater execute a malicious attack on Tuesday, at around 10:30 GMT. From here, the update created a new file, Rundll32.exe, and started the rest of the ransomware process. It spread throughout networks using other techniques, such as stealing credentials and making use of NSA exploits called EternalBlue and EternalRomance, and locked down machines, according to Microsoft's blog.


In other words, MEDoc users had unknowingly downloaded malware without clicking on a link or visiting a malicious website, because of a system designed to distribute legitimate software. When an application, piece of software, or operating system updates itself, users are typically at the mercy of whoever controls that update, and whatever they decide to use it for.

It's like when the Twitter app pushes a new interface you don't like or when Windows forces an update. What appears to have happened in this instance is that hackers took control of an update mechanism themselves, and used it to spread malware. Of course, there are mitigations against this—maybe the process requires updates to be cryptographically signed, increasing the chance only legitimate software can be installed—and whether it's successful depends on the specifics of the attack, but in general this is an interesting way to break into systems.
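The signed-update mitigation mentioned above, as an added Go example that is not from the article or any vendor: the updater pins the vendor's Ed25519 public key and accepts a payload only if a signed manifest matches its exact size and SHA-256 digest. The `Manifest` type, its encoding and `VerifyUpdate` are hypothetical names, and the keys and payloads are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed description of one update payload.
type Manifest struct {
	Version string
	Size    uint64   // exact payload length in bytes
	SHA256  [32]byte // digest of the payload
}

// Bytes returns the canonical encoding the vendor signs: size || digest || version.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 8, 40+len(m.Version))
	binary.BigEndian.PutUint64(b, m.Size)
	b = append(b, m.SHA256[:]...)
	return append(b, m.Version...)
}

// VerifyUpdate accepts a payload only if the manifest signature verifies under
// the pinned vendor key AND the payload matches the signed size and digest.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinned, m.Bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if uint64(len(payload)) != m.Size {
		return fmt.Errorf("size mismatch: signed %d, got %d", m.Size, len(payload))
	}
	sum := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(sum[:], m.SHA256[:]) != 1 {
		return errors.New("digest mismatch")
	}
	return nil
}

func main() {
	// Constructed demo: vendor key pair, a small genuine update, a swapped payload.
	pub, priv, _ := ed25519.GenerateKey(nil)
	good := []byte("constructed genuine update")
	m := Manifest{Version: "1.0.1", Size: uint64(len(good)), SHA256: sha256.Sum256(good)}
	sig := ed25519.Sign(priv, m.Bytes())
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, good))
	fmt.Println("swapped:", VerifyUpdate(pub, m, sig, make([]byte, 330*1024)))
}
```

This check rejects a payload swapped on a compromised update server, but not one signed with a stolen or compromised signing key, which is why the outcome depends on the specifics of the attack.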

If people don't learn to patch their systems, or properly segment networks, or anything else from this latest wave of ransomware, maybe at least it will remind everyone just how simultaneously fragile and powerful the software supply chain can be.