As a money-making exercise – the sole motivation behind most ransomware – Petya was a flop.
The Bitcoin address that appeared on the locked screens of computers across Ukraine, Russia and Western Europe, and at a number of businesses in Australia this week, had as of this morning received only 3.99 Bitcoins, around $13,500.
Not long after organisations began reporting the ransomware, the email address to which those affected were prompted to send their Bitcoin wallet ID and ‘personal installation key’ had been shut down by its provider, Posteo. This removed any possibility that a decryption key would be received, and with it any incentive to pay the ransom.
Having unleashed a weapon powerful enough to shut down global businesses and governments, those behind the ransomware raised enough money for a second-hand saloon car.
The meagre amount – combined with evidence that decryption of victims’ disks was never possible to begin with – is now leading infosec experts to conclude that perhaps money was not the motive. The 'ransomware', they believe, was a cover for something far more sinister.
On Tuesday morning Vice Prime Minister of Ukraine Pavlo Rozenko tweeted that the country’s Secretariat of the Cabinet of Ministers’ computer systems were down.
Ta-dam! It looks like the Secretariat of the Cabinet of Ministers has been "taken down" too. The network is down. pic.twitter.com/B74jMsT0qs — Rozenko Pavlo (@RozenkoPavlo) June 27, 2017
Reports emerged that Ukrainian banks, Kiev's Borispol airport and the country’s energy firms Kyivenergo and Ukrenergo, had also fallen victim to the ransomware, known as Petya, ExPetr, Petrwrap, GoldenEye and NotPetya.
Petya’s ability to self-propagate saw it spread to the US, most of Europe, China and Australia. But since it is almost impossible to control the spread of malware once unleashed, its global reach says little about who was meant to be hit: Ukraine was undoubtedly ground zero.
The initial infection vector for Petya, according to Symantec, is MEDoc, a tax and accounting software package widely used in Ukraine.
Kaspersky analysis indicates 60 per cent of the total infections occurred in the country, with a little over 30 per cent affecting nearby Russia. Symantec research indicates nearly 140 Ukrainian organisations were affected, more than in any other country.
These indicators, Symantec said, show “organisations in that country were the primary target”.
But a target for raising money? There are doubts.
Wipe your eyes
A breakdown of Petya’s workings by Kaspersky and Comae shows that those behind it were never able to decrypt the encrypted information. Nor did they want to.
Kaspersky’s Anton Ivanov last night put it this way: “…the main goal of the ExPetr attack was not financially motivated, but destructive”.