
Cyber Incident Victim: Crystal Finance Millennium

Date: Aug 2017

Location: Ukraine

Summary

A Ukrainian accounting software provider, Crystal Finance Millennium, experienced a server breach where attackers compromised its web server to host malware. Hackers distributed phishing emails containing JavaScript attachments that, when executed, downloaded malicious payloads from the compromised server, ultimately deploying Purgen ransomware—a variant of the Globe family. This incident mirrored prior malware distribution campaigns linked to banking trojans and ransomware, though Ukrainian authorities did not classify it as a major cyberattack. The provider's hosting company intervened by taking the website offline to mitigate infections, preventing a widespread outbreak despite ongoing isolated ransomware incidents in the region.

CIA Posture: Available to members

Motives: 3 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

On or around August 18, 2017, Ukrainian accounting software provider Crystal Finance Millennium (CFM) suffered a server breach that enabled malware distribution. Hackers compromised CFM’s web server infrastructure—without targeting its software update mechanisms—and used it to host malicious payloads. Attackers disseminated phishing emails containing JavaScript file attachments disguised as legitimate documents. When recipients unzipped these attachments, the JavaScript executed and downloaded a file named load.exe directly from CFM’s compromised server. This executable subsequently retrieved and deployed Purgen ransomware, a variant within the Globe ransomware family, encrypting victims’ files for extortion. The incident mirrored the June 2017 NotPetya ransomware outbreak in Ukraine, which also leveraged compromised software providers, though CFM’s update systems were not exploited in this case. Security researchers from Kaspersky Lab identified connections between this campaign and broader malware distribution efforts, noting that identical load.exe files had been planted on servers belonging to other Ukrainian companies.


Ukrainian authorities monitored the situation but did not classify it as a large-scale cyberattack despite heightened concerns due to its proximity to Ukraine’s Independence Day. CFM’s hosting provider intervened by taking the company’s website offline to disrupt further malware distribution, effectively containing the incident. Security analysts linked the campaign to prior attacks distributing Zbot banking trojans and PSCrypt ransomware, the latter having exclusively targeted Ukrainian entities through Remote Desktop Protocol (RDP) compromises before this incident. While no widespread ransomware outbreak resulted from the CFM breach, isolated infections involving PSCrypt and other malware families continued to affect Ukrainian organizations. The incident underscored recurring vulnerabilities in third-party software supply chains and the reuse of compromised infrastructure for multi-stage attacks.

Sources: 1 source (available to members)