Ukraine's security service (SBU) has blamed Russia for perpetrating the recent global attacks leveraging the NotPetya wiper malware, which affected the critical infrastructure of Ukraine and also hit numerous businesses worldwide. The malware was first thought to be the Petya ransomware; further analysis by security researchers, however, revealed that the malicious software was masquerading as Petya but was in actuality far more sinister.
The NotPetya attacks, as they are now widely characterised, saw hackers launch wiper malware, designed to destroy systems, that posed as regular ransomware to hoodwink victims.
Ukraine's SBU said in a statement that it had "terminated" NotPetya's distribution, which it added was "built up by Russia special services". SBU said the "seized server equipment, engaged in the system of cyberattacks from the RF special services side".
BBC reported that Russia has dismissed the allegations of its involvement in the attacks as "unfounded".
The attacks appear to have been specifically targeted at Ukraine, but because the malware was built on the leaked NSA exploit EternalBlue, it also shared features with WannaCry, such as the ability to self-propagate. Researchers suspect that it is this feature that may have helped NotPetya spread across the globe quickly.
Ukraine's security service also said that the ransom demand was a cover-up. SBU suspects that the attacks were aimed at disrupting the operations of Ukraine's private and government organisations and causing political destabilisation.
Meanwhile, in India, Navi Mumbai police's own website reportedly got hacked, even as authorities investigated the NotPetya attacks.
Ukraine's state power firm was hit by a ransomware attack similar to WannaCry just days after it faced attacks from NotPetya.
"It is almost certain that we will see more attacks, especially as this is using the EternalBlue exploit again," Yonathan Klijnsma, Threat Researcher at RiskIQ, told IBTimes UK. "When you are told to patch months before and there has been a large set of precursor warnings like WannaCry, organisations need to heed these warning signals and start with patching their systems.
"Keep in mind, however, that this ransomware also makes use of credential re-use," Klijnsma added. "This means that if the domain administrator starts the ransomware, his or her entire domain may be affected. The ransomware will have full rights everywhere depending on how the domain restrictions are set up."
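Klijnsma's two points above, that an unpatched host can be reached through the EternalBlue SMB path and that credential re-use lets the malware run "everywhere" once a domain administrator's credentials are in play, can be made concrete with a small blast-radius model. The following is an added example written for this article, not code from RiskIQ or from the malware: it models a constructed estate of hypothetical hosts and accounts, then asks how far a worm would spread from one starting host under different patching and privilege-tiering assumptions. The propagation rules, hostnames, account names and session layout are all assumptions made for illustration.

```python
"""Blast-radius model for a credential-reusing worm (constructed example, hypothetical estate)."""
from collections import deque

# Constructed inventory: accounts holding local admin rights on each host.
# "domain-admin" is a Domain Admin, so it is a local admin on every domain-joined host.
ADMIN_RIGHTS = {
    "ws-01": {"alice", "helpdesk", "domain-admin"},
    "ws-02": {"bob", "helpdesk", "domain-admin"},
    "ws-03": {"carol", "helpdesk", "domain-admin"},
    "srv-file": {"svc-backup", "domain-admin"},
    "srv-db": {"domain-admin"},
    "dc-01": {"domain-admin"},
}

# Constructed: accounts with live sessions on each host. Once a host is compromised,
# the credentials of every session on it are treated as harvested (credential re-use).
SESSIONS_FLAT = {
    "ws-01": {"alice"},
    "ws-02": {"bob", "domain-admin"},   # a domain admin logged on to a workstation
    "ws-03": {"carol"},
    "srv-file": {"svc-backup"},
    "srv-db": set(),
    "dc-01": {"domain-admin"},
}

# Same estate with tiering enforced: the domain admin only ever logs on to the DC.
SESSIONS_TIERED = {**SESSIONS_FLAT, "ws-02": {"bob"}}


def blast_radius(start_host, start_accounts, sessions, unpatched=frozenset()):
    """Return (compromised_hosts, harvested_accounts) for a worm that starts on
    start_host running as start_accounts.

    Modelled propagation rules (assumptions, not a description of the real sample):
      * credential re-use: a host is reachable if any held account is an admin on it;
      * unpatched SMB: a host in `unpatched` is reachable from any compromised host
        with no credentials at all (the EternalBlue path; patching removes it).
    Landing on a host harvests the credentials of every session on that host.
    """
    held = set(start_accounts)
    compromised = {start_host}
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        held |= sessions.get(host, set())        # harvest what is in memory here
        for target, admins in ADMIN_RIGHTS.items():
            if target in compromised:
                continue
            if (held & admins) or target in unpatched:
                compromised.add(target)
                queue.append(target)
    return compromised, held


def compare_scenarios():
    """Run the same worm from ws-01 under different assumptions; return sorted host lists."""
    scenarios = [
        ("alice / flat / patched", {"alice"}, SESSIONS_FLAT, set()),
        ("alice / flat / ws-02 unpatched", {"alice"}, SESSIONS_FLAT, {"ws-02"}),
        ("helpdesk / flat / patched", {"helpdesk"}, SESSIONS_FLAT, set()),
        ("helpdesk / tiered / patched", {"helpdesk"}, SESSIONS_TIERED, set()),
        ("domain-admin / tiered / patched", {"domain-admin"}, SESSIONS_TIERED, set()),
    ]
    results = {}
    for name, accounts, sessions, unpatched in scenarios:
        hosts, _ = blast_radius("ws-01", accounts, sessions, unpatched)
        results[name] = sorted(hosts)
    return results


if __name__ == "__main__":
    for name, hosts in compare_scenarios().items():
        print(f"{name:35} -> {len(hosts)} host(s): {', '.join(hosts)}")
```

Two things fall out of the comparison. A single unpatched workstation holding a domain admin session turns a one-host incident into a full-domain one even when the initial victim is an unprivileged user, which is the patching point; and with the same estate fully patched, whether the outcome is three hosts or every host depends only on whether a domain admin credential is ever exposed on a workstation, which is the tiering point. Tools that audit real Active Directory environments for this kind of exposure apply the same reachability idea to live session and group data.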