Analysts think Petya ‘ransomware’ was built for targeted destruction, not profit

The description of the Petya infections hitting computers worldwide as “ransomware” may be a misnomer, security analysts suggest. The malicious software’s code and other evidence indicate that the profit motive may have been a camouflage for an act of cyber-espionage targeting Ukraine.

Ransomware fundamentally works on the idea that if you pay the attacker, you get your data back. If the attacker doesn’t fulfill their side of the bargain, word gets out and no one else pays the ransom. Ultimately it’s in everyone’s interest to have the con work as advertised.

So what do you make of “ransomware” that makes it impossible to retrieve the data?

Well, that isn’t ransomware. And if it isn’t ransomware, the motive wasn’t to make money. If the motive wasn’t to make money, what was it? Well, considering Petya appears to have had its origin on Ukrainian networks, it wouldn’t be a stretch to speculate that the point was to damage those networks.

That’s the idea advanced by several experts as more facts about the software come to light. Comae’s Matt Suiche and others compared the code in this week’s Petya attack with a similar attack from last year. The 2017 Petya appears to have been modified specifically to make the encryption of user data irreversible by overwriting the master boot record. The attackers’ email address also appears to have been taken offline, preventing ransoms from being paid.

(Update: MalwareTech, the researcher who accidentally halted WannaCry, points out that the MBR may not in fact be overwritten. As I originally concluded, expect more updates as more analysis occurs.)

Brian Krebs cites Nicholas Weaver at Berkeley’s International Computer Science Institute, who calls Petya “a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware.” Wired cites Information Security Systems Partners in Kiev, who suggest that the attackers were already present in the Ukrainian systems for some months, and may even have been covering their tracks with the infection.

Since the progress of the malware can’t be predicted with any real accuracy (unless its course is hard-coded into the command and control server, which would be evident), it would be impractical to, say, release it in France with the object of infecting Germany. On the other hand, releasing it at the target location, then trusting the collateral damage and superficial similarities to WannaCry to act as a smokescreen is a pretty good plan.

All this analysis is necessarily based on incomplete information, however, so it’s difficult to draw any hard conclusions. But from what we’ve seen, the narrative of a WannaCry-type global ransom plan seems like an inaccurate one.