Image of suspect's home and seized equipment
Image of suspect's home and seized equipment [Source: Ukrainian Cyber Police]

Ukrainian authorities have arrested a 51-year-old man from Nikopol, Dnipropetrovsk region, on accusations of distributing a version of the NotPetya ransomware.

Police arrested the man on Saturday, August 5, and according to statements from Ukraine's Cyber Police and Ministry of Internal Affairs, the man is not accused of causing the NotPetya outbreak from late June, but for events after the initial attack.

Suspect is not the NotPetya author

Authorities say the man published a version of the Petya.A ransomware — one of the technical terms used by Ukrainian police to describe the NotPetya ransomware strain, together with Diskcoder.C.

The suspect uploaded a copy of the NotPetya executable on a file-sharing server and spread a link to that page via his social media accounts, along with written and video instructions on how to download and use it to infect a computer. Police say the man confessed to his actions.

According to a former M.E.Doc software developer who saw the instructions and spoke with Bleeping Computer, links to the man's videos were shared among Ukrainian companies as a way to getting a tax reporting delay from Ukrainian tax authorities.

Ukrainian newspaper Strana identified the man as Sergey Neverov. He is described as an IT nerd and his NotPetya installation tutorials are still available on YouTube [1, 2]. From posts and comments seen by this reporter, the man never advertised his videos as a way to obtain a tax reporting delay or other way to avoid paying taxes.

Nonetheless, he was accused of spreading links to the ransomware and charged with "unauthorized interference with the operation of computing systems." If found guilty, the man could face a prison sentence of up to three years. In previous official statements, Ukrainian authorities accused the Russian secret service of its involvement in the NotPetya outbreak.

Ukraine gave NotPetya victims a tax reporting delay

The NotPetya ransomware outbreak spread through a backdoored server belonging to Intellect Service, a company that makes M.E.Doc a file sharing application app used as a component in a very popular accounting software. M.E.Doc was also used as an automated tool to file documents with the Ukrainian state tax service.

An unknown attacker used the backdoored server to deliver a booby-trapped update for the M.E.Doc software that installed the NotPetya ransomware.

The ransomware spread mostly to Ukrainian companies that used the accounting software. Due to the large number of victims and the ransomware's incorrect handling of the encryption key, many companies were unable to recover their files.

As this became clear to the Ukrainian state tax service, they agreed to allow companies affected by the NotPetya ransomware extend the tax reporting deadline for various operations to December 31, 2017.

Ukrainian Cyber Police said that over 400 users downloaded the Not.Petya version advertised by the 51-year-old suspect.

Police said they also have a list of suspected companies that might be using the NotPetya incident to delay paying taxes or hide the status of their finances. Authorities warned they'd be cracking down on the suspected businesses in the coming months.

 A video of the arrest is available below.