Petya outbreak: What’s the motive behind this major cyber attack?

Gavin O'Gorman
Published in Threat Intel
Jun 28, 2017

Money or disruption? Which is the more likely motivation of the people behind the Petya cyber attack?

UPDATE: Further analysis has shown that keys generated and displayed in the ransom note are randomly generated and cannot be used to decrypt Petya-encrypted disks. This means that Petya is more accurately a wiper and not ransomware. This adds further credence to the theory outlined below that Petya’s primary motivation is disruption.

The Petya cyber attack that kicked off yesterday (June 27) was clearly inspired by the WannaCry attack, which received so much attention last month. The motives behind WannaCry are still unclear; however, it was not an effective approach to making money for its authors.

There are similar oddities around the Petya attack, which so far has not been very profitable. Two theories might account for the actions of the Petya attackers, but first let’s look at some of the facts as we know them.

The Petya malware was spread, at least in part, through updates to Ukrainian tax accounting software. According to Symantec telemetry, the majority of victims of Petya are Ukrainian organizations. This makes the date the attack began (June 27) interesting, as June 28 is Ukraine’s Constitution Day, a national holiday.

Once on a computer, Petya attempts to encrypt a set of files that have specific extensions. The attacker then demands payment of $300 worth of Bitcoin, which they request be transferred to a single wallet. In the ransom note, the victim is told to send notification of payment to a single email address.

The ransom note that appears on victims’ machines

Once on a computer, the malware attempts to spread to all machines on the network, using a combination of stolen credentials and the EternalBlue exploit. It also attempts to connect to any computers that the infected computer has recently interacted with. However, unlike WannaCry, it does not attempt to connect to random IP addresses across the internet.

From our investigations, I believe there are two likely theories to explain the actions of the Petya attackers.

Sometimes the obvious answer is the right one…

The first theory is based on Occam’s Razor. Or to put it more plainly, if it looks like a duck, walks like a duck, and quacks like a duck, it’s a duck. The person or persons behind the attack were technically capable and were attempting to compromise a choice group of financial targets that may be more likely to pay a ransom, as they would need to regain access to important financial records.

The attacker may not be a particularly smart criminal, however, as using a single Bitcoin wallet and a single email account for contact was not the best way to get payment. The email account was rapidly suspended by its provider, thus disabling the ability of the attacker to interact with victims. The Bitcoin wallet is still active; however, any money transferred from this wallet is likely to be closely monitored by law enforcement. The attacker may have a difficult time making use of the ransom payments.

…sometimes it isn’t

The second theory is that there may be a more nefarious motive behind the attack, that is, disruption. Such attacks have occurred in Ukraine previously, most notably the KillDisk attacks. Similar to KillDisk, perhaps this attack was never intended to make money, but rather to simply disrupt a large number of Ukrainian organizations. Launching an attack that would wipe victim hard drives would achieve the same effect; however, that would be an overtly aggressive action. Effectively wiping hard drives through the pretense of ransomware confuses the issue, leaving victims and investigators to ask: “Are the attackers criminally motivated, or politically motivated?”

Based on the current data, I’m inclined to believe the motive behind the Petya attacks may be the second option. Non-Ukrainian organizations were affected; however, this may have been unintentional. There was no attempt to spread across the internet by attacking random IP addresses.

This attack was an ineffective way to make money, but a very effective way to disrupt victims and sow confusion.

What do you think are the motivations behind this latest high-profile attack? Tweet your theories to the Symantec Security Response team by using the @threatintel handle.
