We’re still discovering new facts about the NotPetya ransomware that is infecting computers around the world, but the latest claims by several security firms come as quite a surprise: it might not actually be ransomware, but a state-sponsored cyberattack.
Researchers, including those from Kaspersky Lab, believe that despite the malware demanding $300 in Bitcoins, it was primarily designed to damage infected systems by deleting their Master Boot Record, which makes it “Wiper malware” rather than traditional ransomware.
“This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware,’” wrote information security researcher the grugq.
With Microsoft having now verified that the malware originated in Ukrainian accounting software MeDoc, along with the fact that 60 percent of all infections are within the Eastern European country, questions are being raised as to whether this was a politically motivated cyberattack.
"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," writes Comae Technologies Founder Matt Suiche.
The strange use of a single Bitcoin wallet for payments, as well as the requirement that victims email the hackers, adds credence to the theory that NotPetya was designed for disruption rather than profit. It seems the 45 victims who have paid a total of $10,500 in ransom won’t be getting their files back, especially as email provider Posteo closed the attacker’s account.
"Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks," said Kaspersky.
With an apparent focus on Ukraine – the attack began on the eve of the country’s constitution day – some believe Russia was behind what looks like a state-sponsored attack. While it did hit some Russian businesses, these were reportedly well protected and managed to stop the infection with no major damage to their systems.
Roman Boyarchuk, the head of the Center for Cyber Protection within Ukraine's State Service for Special Communications and Information Protection, said "It's difficult to imagine anyone else would want to do this," when asked if he thought Russia was the state sponsor behind the attack.