# Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone **[bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/](https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/)** Catalin Cimpanu By [Catalin Cimpanu](https://www.bleepingcomputer.com/author/catalin-cimpanu/) June 29, 2017 07:05 PM 2 A fourth ransomware campaign focused on Ukraine has surfaced today, following the same patterns seen in past ransomware campaigns that have been aimed at the country, such as [XData,](https://www.bleepingcomputer.com/news/security/xdata-ransomware-on-a-rampage-in-ukraine/) [PScrypt, and the infamous](https://www.bleepingcomputer.com/news/security/before-notpetya-there-was-another-ransomware-that-targeted-ukraine-last-week/) [NotPetya.](https://www.bleepingcomputer.com/news/security/wannacry-d-j-vu-petya-ransomware-outbreak-wreaking-havoc-across-the-globe/) The ransomware was discovered today by a security researcher who goes online only by the name of [MalwareHunter.](https://twitter.com/malwrhunterteam/) The researcher says the ransomware got his attention because mostly Ukrainian victims were submitting samples for analysis on VirusTotal. ----- In the past month and a half, Ukraine has been bombarded with ransomware campaigns. The first was XData (mid-May), the second was PSCrypt (last week), and then NotPetya (started on Tuesday). According to the researcher, this fourth ransomware campaign started on Monday, one day before NotPetya, and piqued his interest because of several reasons. ## M.E.Doc servers appear to have distributed another ransomware The one clue that stood out was the location of the ransomware's component, which was: "C://ProgramData//MedocIS//MedocIS//ed.exe" ----- This file path is specific to M.E.Doc IS-pro, a software application used for accounting in Ukraine. Both [XData and the](https://ain.ua/2017/05/24/vse-pro-xdata-poka) [NotPetya ransomware outbreaks used the update servers of](https://www.bleepingcomputer.com/news/security/petya-ransomware-outbreak-originated-in-ukraine-via-tainted-accounting-software/) M.E.Doc to deliver their ransomware payloads. Microsoft, Kaspresky, Cisco, and other cyber-security companies have specifically pinpointed M.E.Doc software update servers as the source of the NotPetya outbreak. We are confident that trojanized MeDoc updates were used as an infection vector [against several of our users. https://t.co/5lbvNhn6KX](https://t.co/5lbvNhn6KX) [— Costin Raiu (@craiu) June 29, 2017](https://twitter.com/craiu/status/880343543373586432) It is unclear if this recently discovered ransomware reached users via a trojanized update from the same server or a trojanized M.E.Doc app installed from scratch. Since the start of the NotPetya ransomware outbreak that affected countries all over the world, M.E.Doc has consistently denied that it ever hosted trojanized versions of its apps. [On Facebook, M.E.Doc says it enlisted the help of Cisco experts to clear its name and](https://www.facebook.com/medoc.ua/posts/1905198096434435) investigate what really happened on its servers. In an email to Bleeping Computer, the company also said it invited officers from the Department of Cyber Police to also investigate what happened. While Cisco and Ukrainian authorities are looking into identifying the real culprit behind the M.E.Doc server hijacking, it's now becoming clear that there might be another ransomware that used the same server to infect victims, albeit with less successful results than NotPetya. ## "Designed" to look like WannaCry, but nothing more This "fourth" ransomware is designed to look like WannaCry, the ransomware that affected tens of thousands of computers in mid-May. ----- MalwareHunter says this ransomware was designed to look like WannaCry, but it s not an actual clone. For starters, the ransomware is coded in .NET, while the original WannaCry was coded in C. The WannaCry lookalike doesn't use any NSA exploits to spread laterally, and its internal structure is also different. The only thing it shares with the original WannaCry it's its GUI that shows the countdown timer and the ransom demand. In most cases, .NET-based ransomware is usually a sign that the author has no coding experience. This is not the case with this WannaCry lookalike. "The WannaCry lookalike is probably one of the best .NET ransomware strains we've seen," MalwareHunter says, "surely no skids made this." The ransomware infects systems via an initial dropper that unpacks and saves two files locally, the GUI for the WannaCry-like window, and the encrypter component. The ransomware uses a Tor-based command and control server, won't start without special command-line arguments, and will kill processes before encrypting files used in live apps. This last feature, MalwareHunter says is unique for all ransomware families he analyzed. ----- ## Someone is slinging ransomware at Ukraine What's more peculiar is that this fourth ransomware also fits a pattern observed with the previous strains. This ransomware tries to pass as another family — WannaCry. The same thing was noticed with XData — based on stolen AES-NI codebase; PSCrypt — based on GlobeImposter; and NotPetya — disguised as Petya. Ransomware operators trying to pass as famous threats ain't anything new, but AES-NI and GlobeImposter are very small enterprises. There's hardly a reason for anyone to imitate these two unless wanting to go under the radar as a very very ordinary operation. Slowly, it's becoming somewhat clear that someone is slinging ransomware specifically at Ukraine and is trying to pass as a mundane cyber crime operation, hiding other motives. Putting all clues together, we see four ransomware campaigns that have targeted Ukraine, have tried to pass as other ransomware threats, have quality code, and three of which appear to have used the same server to spread. There is no clear-cut evidence that the same person or group is behind all campaigns, but there are too many coincidences to ignore. ### SHA256 hashes: **Dropper: 51e84accb6d311172acb45b3e7f857a18902265ce1600cfb504c5623c4b612ff** **GUI: 7b6a2cbb8909616fe035740395d07ea7d5c2c0b9ff2111ae813f11141ad77ead** **Encrypter: db8e7098c2bacad6ce696f3791d8a5b75d7b3cdb0a88da6e82acb28ee699175e** ### Ransom note: Ransom note text: ----- ``` Q: What s wrong with my files? A: Oooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send 0.1 bitcoin to this bitcoin address: 13KBb1G7pkqcJcxpRHg387roBj2NX7Ufyf Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking < Contact Us > on the decryptor window. ``` **[Update [July 4, 2017]: Kasperksy Lab has also confirmed this Bleeping Computer report.](https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/)** ### Related Articles: [Hackers use Conti's leaked ransomware to attack Russian companies](https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/) [BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state](https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-asks-5-million-to-unlock-austrian-state/) [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [New ‘Cheers’ Linux ransomware targets VMware ESXi servers](https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-targets-vmware-esxi-servers/) [NotPetya](https://www.bleepingcomputer.com/tag/notpetya/) [Petya](https://www.bleepingcomputer.com/tag/petya/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Ukraine](https://www.bleepingcomputer.com/tag/ukraine/) [WannaCry](https://www.bleepingcomputer.com/tag/wannacry/) [Xdata](https://www.bleepingcomputer.com/tag/xdata/) [Catalin Cimpanu](https://www.bleepingcomputer.com/author/catalin-cimpanu/) Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page. ----- [Previous Article](https://www.bleepingcomputer.com/news/security/cerber-renames-itself-as-crbr-encryptor-to-be-a-pita/) [Next Article](https://www.bleepingcomputer.com/news/security/more-security-firms-confirm-notpetya-shoddy-code-is-making-recovery-impossible/) ### Comments [Demonslay335 - 4 years ago](https://www.bleepingcomputer.com/forums/u/726225/demonslay335/) We analyzed this one to be secure as well, worth pointing out. No way to decrypt it for free without their private RSA key unfortunately. [Amigo-A - 4 years ago](https://www.bleepingcomputer.com/forums/u/998576/amigo-a/) This can be called an attack with a big stretch. Ukrainians infect computers of Ukrainians. This is a competitive struggle or outright sabotage. MEDoc to someone did not pay salaries, greedy, for this all customers will receive virus. This will lead to the collapse of MEDoc. Already the company is on the verge of ruin. Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----