A Russian antivirus (AV) firm was firebombed back in 2014 as a result of a report it published on a particular malware sample.

On December 18, 2013, the AV company Doctor Web published a news item announcing that Trojan.Skimmer.18 had been added to the company’s virus database. Later that same day, the company received a threatening email presumably originating from the writers and/or criminal organization that had sponsored the malware’s development.

The email reads as follows:


On behalf of Syndicate we congratulate you with successful disassembly of NCR ATM software skimmer. The source code of writers is attached.

Good job but it’s prospectless. Profit from Dr.Web_ATM_shield is dirt-cheap because bankers never give money willingly. However the development of Dr.Web_ATM_shield threatens activity of Syndicate with multi-million dollar profit. Hundreds of criminal organizations throughout the world can lose their earnings.

You have a WEEK to delete all references about ATM.Skimmer from your web resource. Otherwise syndicate will stop cash-out transactions and send criminal for your programmers’ heads. The final of Doctor Web will be tragic.

According to an article published by Brian Krebs, Doctor Web refused to comply with the email’s demands. This resulted in two firebombings against the anti-virus laboratory of Igor Daniloff in St. Petersburg, a third party that was distributing Doctor Web’s ATM Shield product.

Shortly following the attacks, both of which occurred in March of 2014, Doctor Web received another email:

Dear Dr.Web, the International carder syndicate has warned you about avoidance of interference (unacceptable interference) in the ATM sphere. Taking into account the fact that you’ve ignored syndicate’s demands, we employed sanctions. To emphasis the syndicate’s purpose your office at Blagodatnaya st. was burnt twice.

If you don’t delete all references about atmskimmer viruses from your products and all products for ATM, the International carder syndicate will destroy Doctor Web’s offices throughout the world, In addition, syndicate will lobby the Prohibition of usage of Russian anti-viruses Law in countries that have representation offices of the syndicate under the pretext of protection against Russian intelligence service.

Boris Sharov, CEO of Doctor Web, told Brian Krebs that in addition to a third attack being perpetrated against the St. Petersburg office, Doctor Web detected two physical intrusions into its Moscow offices. These incidents have led Sharov to believe that those who sent the threats were an organized group of programmers who sold a crimeware product to multiple gangs. These individuals, Sharov thinks, likely hired a group of strangers to carry out the attacks.

Notwithstanding the incidents of March 2014, Doctor Web is firm in its stance to continue the fight against computer criminals:

“Doctor Web considers its duty to provide users with the ultimate protection against the encroachments of cybercriminals,” the company says. “Consequently, efforts aimed at identifying and studying ATM threats are in progress as is work to improve Dr. Web ATM Shield.”

News of these firebombing attacks follows on the heels of another story published by Brian Krebs revealing that Doctor Web experimented with ways to expose how anti-virus companies might be blindly accepting threat intelligence feeds from rival firms.