Petya 'ransomware' ruse for something more sinister: researchers

As a money-making exercise – the sole motivation behind most ransomware – Petya was a flop.

The bitcoin address that appeared on the locked screens of computers across Ukraine, Russia and Western Europe, and at a number of businesses in Australia, this week had, as of this morning, received only 3.99 Bitcoins, around A$13,500.

Not long after organisations began reporting the ransomware, the email address to which victims were told to send their Bitcoin wallet ID and ‘personal installation key’ was shut down by its provider, Posteo. This removed any possibility of a decryption key being received, and with it any incentive to pay the ransom.

Having unleashed a weapon powerful enough to shut down global businesses and governments, those behind the ransomware raised enough money for a second-hand saloon car.

The meagre amount – combined with evidence that decryption of victims’ disks was never possible to begin with – is now leading infosec experts to conclude that perhaps money was not the motive. The 'ransomware', they believe, was a cover for something far more sinister.

Ground zero

On Tuesday morning Vice Prime Minister of Ukraine Pavlo Rozenko tweeted that the country’s Secretariat of the Cabinet of Ministers’ computer systems were down.

Reports emerged that Ukrainian banks, Kiev's Borispol airport and the country’s energy firms Kyivenergo and Ukrenergo had also fallen victim to the ransomware, known variously as Petya, ExPetr, Petrwrap, GoldenEye and NotPetya.

Petya’s ability to self-propagate saw it spread to the US, most of Europe, China and Australia. But it is almost impossible to control the spread of malware once unleashed – Ukraine was undoubtedly ground zero.

The initial infection vector for Petya, according to Symantec, is MEDoc, a tax and accounting software package widely used in Ukraine.

Kaspersky analysis indicates 60% of the total infections occurred in the country, with a little over 30% affecting nearby Russia. Symantec research indicates nearly 140 Ukrainian organisations were affected, more than in any other country.

These indicators, Symantec said, show “organizations in that country were the primary target”.

But a target for raising money? There are doubts.