{ "id": "1502414f-91aa-4594-bd53-7bd558511533", "created_at": "2026-04-06T00:19:32.580603Z", "updated_at": "2026-04-10T03:20:07.270808Z", "deleted_at": null, "sha1_hash": "e3e20bb540610307bb0f5f41a65a57f532aa07b1", "title": "Ukrainian Man Arrested, Charged in NotPetya Distribution", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 34187, "plain_text": "Ukrainian Man Arrested, Charged in NotPetya Distribution\r\nBy Tom Spring\r\nPublished: 2017-08-11 · Archived: 2026-04-05 17:00:04 UTC\r\nUkranian police arrested a suspect alleged to have distributed the NotPetya/ExPetr malware that ultimately\r\ninfected 400 computers.\r\nThe Cyber Police of Ukraine arrested a suspect they allege distributed the destructive NotPetya/ExPetr malware\r\nresulting in the infection of 400 computers.\r\nNotPetya/ExPetr was the malware behind a massive global cyberattack that took place earlier this year. It infected\r\ncomputers worldwide with wiper malware disguised as a ransomware attack; the bulk of infections were in the\r\nUkraine.\r\nThe unidentified Ukrainian man, 51, was arrested earlier this week at his home in Nikopol.\r\nPolice allege the man uploaded a video to a file exchange service that contained instructions on how to run the\r\nmalware, and shared links to the video on a personal blog and social media. Links from the video pointed to\r\ndownloads of the Petya.A malware, said police. In all, authorities said, 400 victims followed the link and\r\ndownloaded the malware to their computers and became infected. Victims were unaware of what exactly they\r\nwere downloading at the time, according to a translation of the Cyber Police of Ukraine’s report of the arrest.\r\nThis summer’s outbreak was a wiper attack that sabotaged PCs globally, overwriting their Master Boot Record\r\nforever. It’s important to note the suspect was not accused of creating Petya.A.\r\nNotPetya/ExPetr spread using the leaked NSA EternalBlue and EternalRomance exploits, infecting machines that\r\nstill had not applied the MS17-010 Microsoft update that patches a handful of SMBv1 vulnerabilities targeted by\r\nthe exploit.\r\nThe malware initially impacted critical industries and services in Ukraine, Russia and then throughout Europe,\r\nincluding the radiation monitoring station for the crippled Chernobyl nuclear power plant and pharmaceutical\r\ngiant Merck and Co.’s MSD operation in the United Kingdom.\r\nIn June, the Ukraine’s Cyber Police said the initial infection vector was via an update mechanism for Ukrainian\r\nfinancial software provider MEDoc. Cisco, Kaspersky Lab and Microsoft also implicated the company, saying\r\nthat its software update system had been compromised and was serving up the ransomware in phony updates.\r\nInterestingly, during the police seizure of the suspect’s computers, it found a list of companies that it claimed used\r\nthe Petya malware to purposely sabotage their own computers to hide incriminating information. “They\r\nspecifically infected their own computers to cover up (unspecified) illegal activities and evade the payment of\r\nfines to the government,” according to a translation of the report.\r\nhttps://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/\r\nPage 1 of 2\n\nAuthorities said the suspect is being charged under criminal proceedings tied to “unauthorized interference with\r\nthe work of computers,” according to a translation of the post.\r\nSource: https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/\r\nhttps://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/" ], "report_names": [ "127391" ], "threat_actors": [], "ts_created_at": 1775434772, "ts_updated_at": 1775791207, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e3e20bb540610307bb0f5f41a65a57f532aa07b1.pdf", "text": "https://archive.orkl.eu/e3e20bb540610307bb0f5f41a65a57f532aa07b1.txt", "img": "https://archive.orkl.eu/e3e20bb540610307bb0f5f41a65a57f532aa07b1.jpg" } }