On Tuesday (27 June), what first appeared to be a massive ransomware attack hit victims in 25 countries across the world. The infosec community began racing to uncover more details about the attacks to help potential victims protect themselves from further assaults.
Security experts are still investigating the attacks. Some have indicated that Petya may not be simple ransomware at all, but a more nefarious cyberweapon designed to cause widespread destruction. Experts now believe that Petya may have been designed to pose as ransomware when in reality it functions as wiper malware: the data is destroyed, or the key needed to recover it is never retained, so no payment can restore it. This would mean that, unlike other ransomware developers, the attackers' motive was not simply to make money.
What is the motive of the attackers?
"This attack was an ineffective way to make money, but a very effective way to disrupt victims, and sow confusion," said Symantec researcher Gavin O'Gorman.
If disruption, rather than making money, is the motive, it would point to state-sponsored attackers rather than a criminal group.
"Launching an attack that would wipe victim hard drives would achieve the same effect, however, that would be an overtly aggressive action. Effectively wiping hard drives through the pretense of ransomware confuses the issue, leaving victims and investigators to ask: 'Are the attackers politically motivated, or criminally motivated?'"
How much money have the attackers made and why you shouldn't pay the ransom
A Twitter account with the handle @petya_payments has been tracking bitcoin payments since the attacks began on Tuesday. Similar to the WannaCry bitcoin tracking account @actual_ransom, the Petya equivalent has been tweeting out the number of payments made to the single bitcoin address tied to the Petya attacks.
So far, the bitcoin wallet has received 45 payments totalling a little over $10,000 (£7,700). In comparison to WannaCry, Petya reportedly made $20,000 less in the first 24 hours of the attack.
Security experts at Digital Shadows are warning those affected by Petya not to pay the $300 ransom. Digital Shadows told IBTimes UK that the email address victims were told to contact to obtain decryption keys has been suspended by its provider, so there is no longer any channel through which a key could be returned even if one existed.
"It means that if anyone paying the ransom to unencrypt their files tries to do so, the criminals who distributed the attack are unable to access the bitcoin account the ransom goes to; so they will not be able to release the keys for the encrypted files – even if they ever intended to do so," Digital Shadows told us.
"The attacker may not be a particularly smart criminal, however, as using a single bitcoin wallet, and a single e-mail account for contact, was not the best way to get payment. The e-mail account was rapidly suspended by its provider, thus disabling the ability of the attacker to interact with victims.
"The Bitcoin wallet is still active, however, any money transferred from this wallet is likely to be closely monitored by law enforcement. The attacker may have a difficult time making use of the ransom payments," O'Gorman added.