M.E. Doc, patient zero of NotPetya?
Ukrainian authorities think it was. On Tuesday they raided Intellect Service, whose M.E. Doc tax accounting software is believed to be the initial source of Petya/Nyetya/NotPetya (which we'll henceforth call simply "NotPetya") and seized servers the authorities believe were primed to release a second wave of the non-ransomware (Talos). Intellect Service says it's not responsible for the malware, and that its networks had been compromised by hackers (Reuters). For all the patch-now advice the incident has prompted, the attackers' choice of a compromised software update as their infection mechanism seems, in retrospect, unpleasantly clever (WIRED), and ironic, given reports of laggard updating on Intellect Service's own servers (Bleeping Computer). Ukraine continues to blame the Russian government (Statement of Interior Minister Arsen Avakov), an attribution which, of course, Russia continues to deny (Fifth Domain | Cyber).
The relatively small amount of ransom paid in the course of this global attack (a bit more than $10,000 since the beginning of the attack, according to reports) was moved on Tuesday from the Bitcoin wallet nominally established to collect payment. People who claimed responsibility for the malware surfaced in dark web chatrooms to offer decryption for 100 Bitcoin (slightly more than $260,000), but their offer was met with general skepticism (Bleeping Computer).
Motherboard got in touch with the offerers to arrange a demonstration of their ability to decrypt affected files, but the demonstration was too limited to carry conviction. The analysts the publication consulted concluded that the people who demonstrated decryption had some connection to the malware, and that the demonstration showed there might be some possibility, in principle, of decryption. As Motherboard put it, "The capability to decrypt a single file shows the hackers are connected to the NotPetya attack, but that does not necessarily mean they will be able to decrypt files en masse." Security experts as a whole continue to regard NotPetya as functionally intended for disruption, not extortion, and to judge that victims remain very unlikely to recover their files by paying the ransom (Computing).
It appears there was some attempt at misdirection in the NotPetya campaign. FakeWannaCry, a secondary attack also staged through M.E. Doc servers, represented itself as "made in China." Kaspersky assesses this as a false flag (SecureList).