The haze of yesterday’s massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hack’s reach touched some of the country’s most crucial infrastructure, including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.

The ostensible purpose of all that damage was to make money — and yet there’s very little money to be found. Most ransomware flies under the radar, quietly collecting payouts from companies eager to get their data back and decrypting systems as payments come in. But Petya seems to have been incapable of decrypting infected machines, and its payout method was bizarrely complex, hinging on a single email address that was shut down almost as soon as the malware made headlines. As of this morning, the Bitcoin wallet associated with the attack had received just $10,000, a relatively meager payout by ransomware standards.
It leads to an uncomfortable question: what if money wasn’t the point? What if the attackers just wanted to cause damage to Ukraine? It’s not the first time the country has come under cyberattack. (These attacks have typically been attributed to Russia.) But it would be the first time such an attack has come in the guise of ransomware, and has spilled over so heavily onto other countries and corporations.
Because the virus has proven unusually destructive in Ukraine, a number of researchers have come to suspect more sinister motives at work. Peeling apart the program’s decryption failure in a post today, Comae’s Matthieu Suiche concluded a nation state attack was the only plausible explanation:
“Pretending to be a ransomware while being in fact a nation state attack, is in our opinion a very subtle way from the attacker to control the narrative of the attack.”
Another prominent infosec figure put it more bluntly: “There’s no fucking way this was criminals.”

There’s already mounting evidence that Petya’s focus on Ukraine was deliberate. The Petya virus is very good at moving within networks, but initial attacks were limited to just a few specific infections, all of which seem to have been targeted at Ukraine. The highest-profile one was a Ukrainian accounting program called MeDoc, which sent out a suspicious software update Tuesday morning that many researchers blame for the initial Petya infections.
Attackers also planted malware on the homepage of a prominent Ukraine-based news outlet, according to one researcher at Kaspersky.

In each case, the infections seem to specifically target Ukraine’s most vital institutions, rather than making a broader attempt to find lucrative ransomware targets. These initial infections are particularly telling because they were directly chosen by whoever set the malware in motion. Computer viruses often spread farther than their creators intended, and once Petya was on the loose, the attackers would have had no control over how far it reached. But the attackers had complete control over where they planted Petya initially, and they chose to plant it at some of the most central institutions in Ukraine.

Slovakian security software firm ESET released statistics on Thursday showing that 75 percent of the infections detected among its global customer base were in Ukraine, and that all of the top 10 countries hit were located in central, eastern or southern Europe.
Arne Schoenbohm, president of BSI, Germany's federal cyber security agency, told Reuters in an interview on Thursday that most of the damage from the attack had hit Ukraine, and Russia to a lesser extent, with only a few dozen German firms affected.
"In all of the known cases, the companies were first infected through a Ukrainian subsidiary," the German official said.
"I think this was directed at us," says Roman Boyarchuk, the head of the Center for Cyber Protection within Ukraine's State Service for Special Communications and Information Protection.
"This is definitely not criminal. It is more likely state-sponsored."

As for whether that state sponsor was Russia, "It’s difficult to imagine anyone else would want to do this," Boyarchuk says.
Boyarchuk points to the timing of the attack, just before Ukraine's Constitution Day, which celebrates the country’s post-Soviet independence.

“You don’t hit the day before Constitution Day for no reason,” said Craig Williams, the senior technical researcher with the Talos division of Cisco, the American technology company, which helped pinpoint the origin of the Tuesday attack.
Technical experts familiar with the recent history of the cyber escalation between Russia and Ukraine say these latest attacks are part of the wider political and military conflict, although no "smoking gun" has been found to identify the culprits.

John Hultquist, a cyber intelligence analyst with FireEye, said the failed ransomware attack disguises an as yet unseen destructive motive.
"If it were an attack masquerading as crime, that would not be unprecedented at all," Hultquist said.