A deeper look at the virus that struck computers in Ukraine and elsewhere this week has shown that what initially looked like ransomware was in fact a type of malware called a “wiper.” Rather than extorting money, it’s goal was to erase victims’ hard drives, disrupt their business and misdirect suspicions about the attacker’s identity, according to The Washington Post and other media reports.
Victims of the cyberattack saw a screen asking them to pay $300 in bitcoin for a key to unlock their computer – the same ploy used by the WannaCry ransomware that hit computers in more than 150 countries in May.
But security experts say this attack was different.
“It definitely wasn’t ransomware and wasn’t financially motivated,” Jake Williams, founder of cybersecurity firm Rendition Infosec, tells the Post. “The goal was to cause disruption in computer networks.”
Likewise, Matt Suiche, founder of cybersecurity firm Comae Technologies, writes on his website, “The goal of a wiper is to destroy and damage … Different intent. Different motive. Different narrative.”
Suiche says the perpetrator wanted to disguise the intent of the attack. “We believe the ransomware was in fact a lure to control the media narrative,” Suiche writes, “… to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.”
Still, Reuters says Ukrainian politicians blamed Russia for the attack, even as a Kremlin spokesman dismissed “unfounded blanket accusations.”
The news agency says security researchers believe one goal of the attack was to put malware onto computers in government and commercial offices in Ukraine, perhaps in preparation for future sabotage.
In the short term, The New York Times says, the attack may have been aimed at shutting down Ukraine’s computer systems. The malware appeared on the eve of a holiday celebrating the country’s independence and initially targeted an unlikely group: tax accountants. The Times says many of them use Ukrainian-made software that runs on computers using Microsoft Windows and was recently updated. Microsoft said in a statement it has evidence that some of the ransomware infections started in the updating process.
Experts believe the attackers would have known they could get in through the update, the newspaper adds.
The attack paralyzed thousands of computers, shut down ports, factories and offices and spread to about 60 countries, Reuters says.
A second cyber attack hit Ukrainian’s state power distributor, Ukrenergo, on Thursday, but didn’t affect the nation’s power network, according to the news service.
Danish shipping giant A.P. Maersk-Moller was hit hard by the spread of the malware this week, but said Friday its operations are almost back to normal, The Associated Press reports.
As for those still wondering if they should pay the ransom to restore their computers, Suiche notes, “The payment email address isn’t accessible anymore if victims would happen to send payments.”