“The haze of yesterday’s massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hack’s reach touched some of the country’s most crucial infrastructure including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.
The ostensible purpose of all that damage was to make money — and yet there’s very little money to be found. Most ransomware flies under the radar, quietly collecting payouts from companies eager to get their data back and decrypting systems as payments come in. But Petya seems to have been incapable of decrypting infected machines, and its payout method was bizarrely complex, hinging on a single email address that was shut down almost as soon as the malware made headlines. As of this morning, the Bitcoin wallet associated with the attack had received just $10,000, a relatively meager payout by ransomware standards.
It leads to an uncomfortable question: what if money wasn’t the point? What if the attackers just wanted to cause damage to Ukraine? It’s not the first time the country has come under cyberattack. (These attacks have typically been attributed to Russia.) But it would be the first time such an attack has come in the guise of ransomware, and has spilled over so heavily onto other countries and corporations.
Because the virus has proven unusually destructive in Ukraine, a number of researchers have come to suspect more sinister motives at work. Peeling apart the program’s decryption failure in a post today, Comae’s Matthieu Suiche concluded a nation state attack was the only plausible explanation. “Pretending to be a ransomware while being in fact a nation state attack,” Suiche wrote, “ is in our opinion a very subtle way from the attacker to control the narrative of the attack.””