Money or disruption: What motivated Petya attack?

The Petya ransomware attack that was inspired by WannaCry attack, kicked off on June 27. Symantec has investigated the motivation behind the Petya attack, to understand whether money or disruption is the more likely motivation of the people behind the Petya cyber attack. According to Symantec telemetry, the majority of victims of Petya are Ukrainian organizations. This makes the date the attack began (June 27) interesting as June 28 is Ukraine’s Constitution Day, a national holiday. From Symantec’s investigations, there are two likely theories to explain the actions of the Petya attackers – money-making, and disruption (likely criminally or politically motivated).

Sometimes the obvious answer is the right one…

The first theory offered by Symantec is based on Occam’s Razor. Or to put it more plainly, if it looks like a duck, walks like a duck, and quacks like a duck, it’s a duck. The person or persons behind the attack were technically capable and were attempting to compromise a choice group of financial targets that may be more likely to pay a ransom, as they would need to regain access to important financial records.

The attacker may not be a particularly smart criminal, however, as using a single bitcoin wallet, and a single e-mail account for contact, was not the best way to get payment. The e-mail account was rapidly suspended by its provider, thus disabling the ability of the attacker to interact with victims. The Bitcoin wallet is still active, however, any money transferred from this wallet is likely to be closely monitored by law enforcement. The attacker may have a difficult time making use of the ransom payments.

…sometimes it isn’t

The second theory by the company is that there may be a more nefarious motive behind the attack, that is, disruption. Such attacks have occurred in Ukraine previously, most notably the KillDisk attacks. Similar to Killdisk, perhaps this attack was never intended to make money, rather to simply disrupt a large number of Ukrainian organizations. Launching an attack that would wipe victim hard drives would achieve the same effect, however, that would be an overtly aggressive action. Effectively wiping hard drives through the pretense of ransomware confuses the issue, leaving victims and investigators to ask: “Are the attackers politically motivated, or criminally motivated?”

Conclusion

Based on the current data, the motive behind the Petya attacks may be the second option. Non-Ukrainian organizations were affected, however, this may have been unintentional. There was no attempt to spread across the internet by attacking random IP addresses.

This attack was an ineffective way to make money, but a very effective way to disrupt victims and sow confusion.