The ransomware attack that gripped institutions and companies around the world this week may not have been ransomware at all. Instead, the perpetrators of the attack may have had political motives. Craig Williams, Senior Technical Leader at Cisco’s cybersecurity division Talos, suggests the payment network was too small.
Williams describes the malware as “unusual” because there was only a single email linked to it and one wallet. Cisco’s expert concludes that the ‘ransomware’ “may not have been about making money.”
Cisco has been tracking the virus, which has undergone a name change. It was originally believed the attack used a strain of the Petya ransomware. However, many experts pointed out that the virus was too different to be given the same moniker.
With that in mind, the attack is now being called “NotPetya” or “Nyetya”. Regardless of name, the malware left a heavy toll on countries and organizations and could leave a bill higher than the recent WannaCry attack.
Microsoft said yesterday the Nyetya spread started with a legitimate MEDoc process. This is a tax accounting software developed by Ukraine-based company M.E.Doc.
The company said 12,500 machines in the country were exploited by the ransomware. Other countries did not escape Petya, with significant reports in the US, Brazil, Russia, Denmark, and Germany. In total, 64 countries were affected.
Talos points out that ransomware typically points victims to multiple emails and wallets to maximize the amount of money that can be gathered. Williams says it may be a mimic of ransomware, but not for the purpose of money. “Looks like someone has been trying to design something that looks like ransomware,” he added.
While early reports suggested Nyetya was asking $300 to unlock individual machines, there was no coverage of how much companies were expected to pay. Indeed, the wallet and email were blocked soon after the attack started. This meant while the virus was spreading there was no way for those affected to pay.
Williams says a policitcal angle is likely as the spread started ahead of the Ukraine’s Constitution Day. He stops short of saying it was a state sponsored attack. However, Williams believes the Ukraine was the target and other nations affected fell under “collateral damage”.