Russian ATM VXers have firebombed the research lab of an anti-virus firm after its researchers refused to retract reverse engineering analysis of their malware.
The attack followed email threats by the group calling itself the 'Syndicate' to the Moscow company which sold the Shield antivirus product that prevented the gang's malware running in ATMs.
Dr Web says it refused to comply with demands to remove references to ATM malware analysis.
Its St Petersburg laboratory was twice firebombed with only minor damage inflicted.
"You have a week to delete all references about ATM skimmers … otherwise Syndicate will stop cash-out transactions and send criminals for your programmers’ heads," the first threat letter read.
A subsequent email on 13 March warned that the Syndicate would destroy all Dr Web offices "throughout the world"
"If you don’t delete all references about ATM skimmer viruses from your products and all products for ATM (sic), the international carder syndicate will destroy Doctor Web’s offices throughout the world," the subsequent letter says.
The criminals make a confused claim that they will also lobby for the "prohibition of usage of Russian anti-viruses" that such software is the handiwork of Moscow intelligence services.
The antivirus company says it will not capitulate to VXer threats.
"Doctor Web considers its duty to provide users with the ultimate protection against the encroachments of cybercriminals," the company says.
"Consequently, efforts aimed at identifying and studying ATM threats are in progress as is work to improve Dr. Web ATM Shield."
Dr Web boss Boris Sharov told KrebsonSecurity the Syndicate was likely a customer of the malware rather than the authors.
He says three physical intrusions were made into the office but did not elaborate.
Boris reckons a job was placed on criminal underground forums requesting the bombing of the offices. He says the attacks seemed unprofessional and resulted in more damage from the firetrucks than flame. ®