After Ukrainian police seized the servers, Cisco found a backdoor through which cyber criminals were able to propagate NotPetya.
Security Week explains:
Last week, multiple security companies determined that the tax software company’s update server was used as the initial attack vector. Although M.E.Doc denied possible compromise several times during the first days of the outbreak, it eventually agreed to allow a security firm to perform forensic analysis of the server.
Earlier this week, Ukraine police seized the M.E.Doc servers believed to have been used in the incident, to prevent any subsequent attacks from happening. The local authorities suggested the threat group might use the server for further attacks, and not without reason, it seems: a fake WannaCry ransomware family was distributed in the shadow of NotPetya using the same vector.