A widespread ransomware attack dubbed Petya/Petrwrap, bearing a close resemblance to the WannaCry attacks earlier this month, hit machines in Spain, France, Ukraine, Russia and a few other countries on Tuesday, but the highest impact was felt in Ukraine, where a number of government and private sector organisations were affected.
Later the same day, the hackers' email account, which was the key to obtaining a decryption key for affected devices, was disabled by the email provider Posteo, resulting in an uproar since affected users will no longer be able to receive the decryption key even if they pay the ransom of $300 in Bitcoin.
The magnitude of the attack on Ukraine was far higher than in other countries, which has led many security researchers and experts to believe that the attack may have been a state-funded attack targeting Ukraine.
Since the Bitcoin account accepting payments had accrued only a little over $10,000 in ransom payments before the email account was shut down, researchers believe that the real motive behind the attack was not money but damaging Ukraine.
“The fact of pretending to be a ransomware while being, in fact, a nation-state attack — especially since WannaCry proved that widely spread ransomware aren’t financially profitable — is in our opinion a very subtle way from the attacker to control the narrative of the attack,” Comae’s Matt Suiche concluded.
Petya: Wiper, Not Ransomware; Or Not
The Petya ransomware collected a paltry sum while affecting Ukraine's central bank, metro transport, airport and the Chernobyl power plant, leading researchers to believe that the attack was state-funded and specifically targeted at Ukraine's infrastructure.
Security researchers have found that data encrypted by Petya could not have been decrypted, even by the attackers.
“After an analysis of the encryption routine of the malware used in the Petya attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made. This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware,” Kaspersky Security researchers stated.
Not only that, the initial infections were delivered along with an update to MeDoc, a Ukrainian accounting program. While it is unclear why additional countries were hit, if this suspicion is true, it may well have been to disguise Petya as a worldwide ransomware attack rather than a state-sponsored attack on Ukraine.
One of the prime suspects behind the attack is the Russian government, which has in the past been held responsible for cyber attacks on Ukraine's public infrastructure, beginning soon after the annexation of Crimea in 2014.
While there is a lot of evidence pointing towards Petya being a wiper rather than ransomware, all of it is circumstantial at best.
It is quite possible that these public systems of the Ukrainian government, like other government and private organisations in countries around the world, simply presented a soft target to the hackers, and that is why they were attacked.
As for the faulty decryption and payment system of the Petya attack, it could simply have been a case of negligent coding and follow-up by the hackers.
Even if the attackers were unable to make money, the malware also steals credentials and other data from infected systems, which could prove useful for further attacks.
While nothing can be said for sure as to whether the Petya ransomware attack was a case of failed hacking or of hybrid warfare, one thing is certain: better and more reliable security frameworks need to be in place to avert the dangers of such cyber attacks in the future.