As governments and organizations around the world grappled on Wednesday with the impact of a cyberattack that froze computers and demanded a ransom for their release, victims received a clear warning from security experts not to pay a dime in the hopes of getting back their data.
The hackers’ email address was shut down and they had lost the ability to communicate with their victims, and by extension, to restore access to computers. If the hackers had wanted to collect ransom money, said cybersecurity experts, their attack was an utter failure. That is, if that was actually their goal.
Increasingly sophisticated ransomware assaults now have cybersecurity experts questioning what the attackers are truly after. Is it money? Mayhem? Delivering a political message?
In the attack that hit computers from Ukraine to the United States on Tuesday, financial gain may be the least likely motive.
“Either it was a sophisticated actor who knew what they were doing — except screwed up horribly on the part where they actually get paid,” said Nicholas Weaver, a researcher at the International Computer Science Institute and a lecturer at the University of California, Berkeley, “or it wasn’t about the ransom in the first place.”
Ransomware, one of the oldest and most prolific forms of cyberattack, relies on encrypting a victim’s files, essentially locking them out of their own computer systems, until they pay a ransom. Cybersecurity researchers estimate that criminals made over $1 billion through ransomware last year, with victims ranging from the chief executives of Fortune 500 companies to mom-and-pop businesses and private individuals.
The attack on Tuesday, like a similar assault in May called WannaCry, spread wider and faster than previous forms of known ransomware. But combined, they barely banked $100,000.
WannaCry spread by combining traditional ransomware with a worm, or a mechanism by which the attack could quickly grow. It was the first of its kind, said cybersecurity researchers, in that its goal appeared to be spreading as quickly as possible, rather than successfully collecting ransoms from victims. The attack on Tuesday is being called by different names, including Petya, NotPetya and GoldenEye.
Whatever its name is, it was built for speed. It spread across systems, exploiting a single unprotected machine to then infect machines across a network.
WannaCry’s spread was halted by an independent cybersecurity researcher, who discovered that by registering a single domain for about $10 he could stop the attack in its tracks. Though Tuesday’s assault does not appear to have finished, it is no longer likely to generate significant payments, because a German email provider shut down the email address associated with the ransom.
“They are no longer collecting a ransom,” said Justin Harvey, managing director of global incident response at Accenture Security. “They are just being destructive.”
When criminals stage a ransomware attack to make money, they set up multiple avenues to collect funds from their victims, Mr. Harvey said. By contrast, the recent, widespread attacks used “immature” methods, like a single email address and a single Bitcoin wallet for electronic payments. But considerable attention was paid to the technical details of launching the attacks and ensuring they would spread as fast as possible.
Security researchers said the attack on Tuesday originated in Ukraine, seemingly timed to hit a day before a holiday marking the 1996 adoption of Ukraine’s first constitution. More than 12,500 machines in the country were targeted, according to Microsoft, though the online attack spread to 64 other countries.
While law enforcement officials struggled to determine who was behind the attack, Microsoft said the assailants initially focused on software run by M.E.Doc, a Ukrainian company specializing in tax accountancy. M.E.Doc acknowledged that its servers had been affected and said in a statement that it was cooperating with Ukrainian cyberpolice.