The Washington PostDemocracy Dies in Darkness

Ukraine’s ransomware attack was a ruse to hide culprit’s identity, researchers say

Employees read a ransomware demand for the payment of $300 worth of bitcoin on company computers infected by the Petya software virus inside a retail store in Kiev, Ukraine, on June 28. (Vincent Mundy/Bloomberg News)

The cyber attack that crippled computer systems in Ukraine and other countries this week employed a ruse — the appearance of being ransomware — that seems designed to deflect attention from the attacker’s true identity, security researchers said.

And many companies initially fell for it.

The first reports out of cybersecurity firms on Monday, when news of the attack hit, was that a new variant of WannaCry, a virus that encrypted data and demanded a ransom to restore it, was on the loose.

In fact, a number of researchers said this week, the malware — which researchers are calling NotPetya — does not encrypt data, but wipes its victims’ computers. If the data is not backed up, it’s lost, they said.

“It definitely wasn’t ransomware and wasn’t financially motivated,” said Jake Williams, founder of Rendition Infosec, a cybersecurity firm, which has analyzed the virus. “The goal was to cause disruption in computer networks.”

Moreover, the email address to make a payment to retrieve data is no longer accessible, said Matt Suiche, a hacker and founder of Comae Technologies, a cybersecurity firm.

He said in a blog post this week that the ransomware feint was probably a way to make people think "some mysterious hacker group" was behind the attack rather than a nation state.

“The fact of pretending to be a ransomware while being in fact a nation-state attack . . . is in our opinion a very subtle way for the attacker to control the narrative of the attack,” Suiche said.

Security researchers cautioned that it is too early to know for sure who is behind it. But some say that the targeting and distribution method of the malware point to Russia.

More than half the victimized computers were in Ukraine, including banks, energy firms and an airport.

Russia, which has annexed Crimea and has backed separatists in eastern Ukraine, has carried out an aggressive campaign of cyberattacks and harassment there.

In December, Russian government hackers disrupted the power grid in Kiev. A year earlier, they knocked out power in western Ukraine.

In this case, to get into victims’ computers, attackers infected a financial software program in Ukraine, called MEDoc, that delivers software updates to businesses through the Internet.

That’s called a “watering hole” attack, which targets users who navigate to the site for updates or to browse. It is also a tactic that Russian government hackers have used in the past to compromise industrial control system networks, Williams noted.

MEDoc is one of only two software options Ukrainian businesses have to pay their taxes, noted Lesley Carhart, an information security expert.

“This was a clever choice” for several reasons, she noted in a blog post, including that the “distribution base” within the country was “extremely comprehensive” as many companies used the software.

NotPetya did not spread across the open Internet, she said in an email. “Its tactic was to compromise a few computers inside a network” once the hacker got in, say, by delivering the malware through MEDoc. Then it could rapidly spread to other computers in the same network using a variety of other methods.

“While most ‘patient zero’ computers were in Ukraine . . . the corporate networks those computers [connect to] could potentially span the globe, and infection could also spread to any customers, partners, or vendors with whom they had unrestricted network connections and shared accounts,” she said.

That might explain how U.S. pharmaceutical giant Merck, the Danish shipping firm Maerskeven and the Russian oil company Rosneft became infected.

The Rosneft infection might be an unintended consequence — collateral damage, Williams said.

Valentyn Petrov, head of the information security service at Ukraine’s National Security and Defense Council, said that the attack’s timing, on the eve of Ukraine’s Constitution Day, indicated this was a political attack.

“We are in an interesting test phase in which Russia is using modern cyberweapons,” Petrov said, “and everyone is interested to see how it is working — and how threats can be countered.”

David Filipov in Moscow contributed to this report.