After further analysis, researchers concluded that the cyberattack that spread across Europe on June 27 was not a ransomware attack.
The “Not Petya” attack didn’t encrypt files on the infected computers. Instead, it wiped the entire drive, making it impossible to retrieve files unless they had been backed up on another device. Researchers said the attack was meant to look like the work of a malicious group of hackers but was probably the work of a nation-state.
“The goal of a wiper is to destroy and damage. The goal of ransomware is to make money. Different intent. Different motive. Different narrative,” said Matt Suiche, hacker and founder of Comaeio, in a blog post. “We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract attention to some mysterious hacker group rather than a nation-state attacker.”
Most of the infected systems were concentrated in Ukraine, where Russia, which has annexed Crimea and backed separatists in eastern Ukraine, has previously carried out cyberattacks. In December, Russian government hackers shut down the power grid in Kiev, and a year earlier they knocked out power in western Ukraine.
On June 27 it was discovered that companies that paid the ransom to retrieve their data from the Petya attack have no way of receiving the encryption key. Although Symantec has identified the Ukrainian accounting software MeDoc as “patient zero” for the attack, the cybersecurity company hasn’t discovered who is behind it. The email account the attack relied on has been shut down, so companies that paid the $300 ransom can’t receive the encryption key needed to recover their data.
The malicious code was also stealing credentials from users, possibly to infect higher-value systems that are protected by stricter security standards, Jon DiMaggio, senior threat intelligence analyst for Symantec Security Response, told MeriTalk on June 28.
“It’s not normal for ransomware to steal credentials,” DiMaggio said.
DiMaggio said that Symantec’s findings on Tuesday were “odd” and that he had many theories as to what was behind the attack. Researchers have not yet identified who is responsible for the cyberattack.