{
	"id": "adc53933-b072-4cca-afae-96b87d7d4e49",
	"created_at": "2026-04-06T00:09:09.732351Z",
	"updated_at": "2026-04-10T13:12:37.284882Z",
	"deleted_at": null,
	"sha1_hash": "7c8a73861b129dd1798c638b020cae2f0a6cd783",
	"title": "Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1709728,
	"plain_text": "Ransomware Attacks Continue in Ukraine with Mysterious WannaCry\r\nClone\r\nBy Catalin Cimpanu\r\nPublished: 2017-06-29 · Archived: 2026-04-05 15:18:14 UTC\r\nA fourth ransomware campaign focused on Ukraine has surfaced today, following the same patterns seen in past ransomware\r\ncampaigns that have been aimed at the country, such as XData, PScrypt, and the infamous NotPetya.\r\nThe ransomware was discovered today by a security researcher who goes online only by the name of MalwareHunter.\r\nThe researcher says the ransomware got his attention because mostly Ukrainian victims were submitting samples for\r\nanalysis on VirusTotal.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nIn the past month and a half, Ukraine has been bombarded with ransomware campaigns. The first was XData (mid-May), the\r\nsecond was PSCrypt (last week), and then NotPetya (started on Tuesday).\r\nAccording to the researcher, this fourth ransomware campaign started on Monday, one day before NotPetya, and piqued his\r\ninterest because of several reasons.\r\nM.E.Doc servers appear to have distributed another ransomware\r\nThe one clue that stood out was the location of the ransomware's component, which was:\r\n\"C://ProgramData//MedocIS//MedocIS//ed.exe\"\r\nThis file path is specific to M.E.Doc IS-pro, a software application used for accounting in Ukraine. Both XData and the\r\nNotPetya ransomware outbreaks used the update servers of M.E.Doc to deliver their ransomware payloads. 
Microsoft,\r\nKaspersky, Cisco, and other cyber-security companies have specifically pinpointed M.E.Doc software update servers as the\r\nsource of the NotPetya outbreak.\r\nIt is unclear if this recently discovered ransomware reached users via a trojanized update from the same server or a\r\ntrojanized M.E.Doc app installed from scratch.\r\nSince the start of the NotPetya ransomware outbreak that affected countries all over the world, M.E.Doc has consistently\r\ndenied that it ever hosted trojanized versions of its apps.\r\nOn Facebook, M.E.Doc says it enlisted the help of Cisco experts to clear its name and investigate what really happened on\r\nits servers. In an email to Bleeping Computer, the company also said it invited officers from the Department of Cyber Police\r\nto investigate what happened.\r\nWhile Cisco and Ukrainian authorities are looking into identifying the real culprit behind the M.E.Doc server hijacking, it's\r\nnow becoming clear that there might be another ransomware that used the same server to infect victims, albeit with less\r\nsuccessful results than NotPetya.\r\n\"Designed\" to look like WannaCry, but nothing more\r\nThis \"fourth\" ransomware is designed to look like WannaCry, the ransomware that affected tens of thousands of computers\r\nin mid-May.\r\nMalwareHunter says this ransomware was \"designed\" to look like WannaCry, but it's not an actual clone. For starters, the\r\nransomware is coded in .NET, while the original WannaCry was coded in C.\r\nThe WannaCry lookalike doesn't use any NSA exploits to spread laterally, and its internal structure is also different. The only\r\nthing it shares with the original WannaCry is its GUI that shows the countdown timer and the ransom demand.\r\nIn most cases, .NET-based ransomware is a sign that the author has no coding experience. 
This is not the case with\r\nthis WannaCry lookalike.\r\n\"The WannaCry lookalike is probably one of the best .NET ransomware strains we've seen,\" MalwareHunter says, \"surely\r\nno skids made this.\"\r\nThe ransomware infects systems via an initial dropper that unpacks and saves two files locally, the GUI for the WannaCry-like window, and the encrypter component.\r\nThe ransomware uses a Tor-based command and control server, won't start without special command-line arguments, and\r\nwill kill processes before encrypting files used in live apps. This last feature, MalwareHunter says, is unique among all\r\nransomware families he analyzed.\r\nSomeone is slinging ransomware at Ukraine\r\nWhat's more peculiar is that this fourth ransomware also fits a pattern observed with the previous strains. This ransomware\r\ntries to pass as another family — WannaCry.\r\nThe same thing was noticed with XData — based on stolen AES-NI codebase; PSCrypt — based on GlobeImposter; and\r\nNotPetya — disguised as Petya.\r\nRansomware operators trying to pass as famous threats ain't anything new, but AES-NI and GlobeImposter are very small\r\nenterprises. 
There's hardly a reason for anyone to imitate these two unless wanting to go under the radar as a very very\r\nordinary operation.\r\nSlowly, it's becoming somewhat clear that someone is slinging ransomware specifically at Ukraine and is trying to pass as a\r\nmundane cyber crime operation, hiding other motives.\r\nPutting all clues together, we see four ransomware campaigns that have targeted Ukraine, have tried to pass as other\r\nransomware threats, have quality code, and three of which appear to have used the same server to spread.\r\nThere is no clear-cut evidence that the same person or group is behind all campaigns, but there are too many coincidences to\r\nignore.\r\nSHA256 hashes:\r\nDropper: 51e84accb6d311172acb45b3e7f857a18902265ce1600cfb504c5623c4b612ff\r\nGUI: 7b6a2cbb8909616fe035740395d07ea7d5c2c0b9ff2111ae813f11141ad77ead\r\nEncrypter: db8e7098c2bacad6ce696f3791d8a5b75d7b3cdb0a88da6e82acb28ee699175e\r\nRansom note:\r\nRansom note text:\r\nQ: What's wrong with my files?\r\nA: Oooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypt\r\nQ: What do I do?\r\nA: First, you need to pay service fees for the decryption. Please send 0.1 bitcoin to this bitcoin address: 13KBb1G7pkqcJc\r\nNext, please find an application file named \"@WanaDecryptor@.exe\". It is the decrypt software. Run and follow the instruct\r\nQ: How can I trust?\r\nA: Don't worry about decryption. 
We will decrypt your files surely because nobody will trust us if we cheat users.\r\n* If you need our assistance, send a message by clicking \u003c Contact Us \u003e on the decryptor window.\r\nUpdate [July 4, 2017]: Kaspersky Lab has also confirmed this Bleeping Computer report.\r\nSource: https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/"
	],
	"report_names": [
		"ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone"
	],
	"threat_actors": [],
	"ts_created_at": 1775434149,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c8a73861b129dd1798c638b020cae2f0a6cd783.pdf",
		"text": "https://archive.orkl.eu/7c8a73861b129dd1798c638b020cae2f0a6cd783.txt",
		"img": "https://archive.orkl.eu/7c8a73861b129dd1798c638b020cae2f0a6cd783.jpg"
	}
}