Mystery of motive for ransomware attack: Money, mayhem or message?

Most recent attack less severe than similar hacking in May

SAN FRANCISCO — As governments and organizations around the world grappled on Wednesday with the effect of a cyberattack that froze computers and demanded a ransom for their release, victims received a clear warning from security experts not to pay a dime in the hopes of getting back their data.

The hackers’ email address was shut down and they had lost the ability to communicate with their victims, and by extension, to restore access to computers. If the hackers had wanted to collect ransom money, said cybersecurity experts, their attack was an utter failure. That is, if that was actually their goal.

Increasingly sophisticated ransomware assaults now have cybersecurity experts questioning what the attackers are truly after. Is it money? Mayhem? Delivering a political message?

In the attack that hit computers from Ukraine to the United States on Tuesday, financial gain may be the least likely motive.

“Either it was a sophisticated actor who knew what they were doing — except screwed up horribly on the part where they actually get paid,” said Nicholas Weaver, a researcher at the International Computer Science Institute and a lecturer at the University of California, Berkeley, “or it wasn’t about the ransom in the first place.”

Ransomware, one of the oldest and most prolific forms of cyberattack, relies on encrypting a victims’ files, essentially locking them out of their own computer systems, until they pay a ransom. Last year, cybersecurity researchers estimate that criminals made over $1 billion through ransomware attacks, with victims ranging from the chief executives of Fortune 500 companies to mom-and-pop businesses and private individuals.

The attack on Tuesday, like a similar assault in May called WannaCry, spread wider and faster than previous forms of known ransomware. But combined, they barely banked $100,000.

WannaCry spread by combining traditional ransomware with a worm, or a mechanism by which the attack could quickly grow. It was the first of its kind, said cybersecurity researchers, in that its goal appeared to be spreading as quickly as possible, rather than to successfully collect ransoms from victims.

The attack on Tuesday is being called by different names, including Petya, NotPetya and GoldenEye. Like WannaCry, it also appeared built for speed, as it spread across systems, exploiting a single unprotected machine to then infect machines across a network.

WannaCry’s spread was halted by an independent cybersecurity researcher, who discovered that by registering a single domain for about $10 he could stop the attack in its tracks. Though Tuesday’s assault does not appear to have finished, it is no longer likely to generate significant payments, because a German email provider shut down the email address associated with the ransom.

“They are no longer collecting a ransom,” said Justin Harvey, managing director of global incident response at Accenture Security. “They are just being destructive.”

When criminals stage a ransomware attack to make money, they set up multiple avenues to collect funds from their victims, Harvey said. By contrast, the recent, widespread attacks used “immature” methods, like a single email address and a single bitcoin wallet for electronic payments.

But considerable attention was paid to the technical details of launching the attacks and ensuring they would spread as fast as possible.

Security researchers said the attack on Tuesday originated in Ukraine, seemingly timed to hit a day before a holiday marking the 1996 adoption of Ukraine’s first constitution. More than 12,500 machines in the country were targeted, according to Microsoft, though the online attack spread to 64 other countries.

While law enforcement officials struggled to determine who was behind the attack, Microsoft said the assailants initially focused on software run by M.E.Doc, a Ukrainian company specializing in tax accountancy. M.E.Doc acknowledged that its servers had been affected and said in a statement that it was cooperating with Ukrainian cyberpolice.

The attack targeted businesses in Ukraine, Russia and Poland, according to a post from Kaspersky Lab, a Moscow-based security firm. According to the report, those three countries as well as Italy and Germany were most affected. A number of companies in other European countries and the United States were also hit.

Still, companies and government offices worldwide appeared less affected than they were by the WannaCry attack, notably in places like China, which was hit hard in May. Reports from Asia suggested that many of the companies hit were the local arms of European and U.S. companies that were struck on Tuesday.

In Mumbai, India, a port terminal operated by A.P. Moller-Maersk, a Danish shipping giant, was shut down Tuesday afternoon after it disclosed that it had been affected by the malware. In a statement, Indian port authorities said they were working to relieve congestion, including finding places to park stranded cargo.

On the Australian island of Tasmania, computers in a Cadbury chocolate factory owned by Mondelez International, a U.S. food company, displayed the ransomware message, the local news media reported.

“We continue to work quickly to address the current global IT outage across Mondelez International and to contain any further exposure to our network,” a spokeswoman for the company said, adding that it was not clear when the company’s systems would be back up.

The virus also spread to the Australian branches of DLA Piper, a law firm with offices around the world. The firm warned clients that it was dealing with a “serious global cyberincident” and said that it had taken down its communications as a precaution.

In China, there were only scattered reports of the malware. Qihoo 360, a Chinese computer security company, said the attack hit far fewer companies and government offices than WannaCry.

Yet who was behind WannaCry and Tuesday’s attack, and why they did it, remained unclear.

Brian Lord, former deputy director for intelligence and cyber operations at Britain’s Government Communications Headquarters, the country’s equivalent to the National Security Agency, said that rather than aiming for financial rewards, the hackers were trying to create the largest amount of disruption — particularly in Ukraine.

But he is not convinced it was a Russian attack. “The Russians are very smart,” said Lord, who is now managing director for cyber and technology at PGI Cyber, an online security company. “There’s something about the blatantness of hitting Ukraine that doesn’t sit well with me about this being a Russian attack.”

Both the IP address and the phone number connected to the internet domain registration used in this week’s attack were from Iran, said Ido Wulkan, head of intelligence at the cybersecurity firm Insight, based in Tel Aviv, Israel. The same information was connected to a different attack two months ago.

“It is possible that this is Iran, or it is possible that this is someone trying to mask themselves as Iran,” he said.

But since the tools used in the recent attacks are widely available, a range of hackers — criminals and state-sponsored — would have been capable of carrying them out.

“These types of attacks are just going to keep happening, and we’ve known this since we first saw how big WannaCry was going to be last month,” Harvey, of Accenture Security, said. “The real question is whether these are all just practice runs for the big one.”

Categories: -News-

Leave a Reply