IBM X-Force IRIS has outlined the evidence behind this analysis in a security intelligence blog here: https://securityintelligence.com/a-wiper-in-ransomware-clothing-global-attacks-intended-for-destruction-versus-financial-gain/
- Evidence shows this attack was designed to permanently disable as many machines as possible rather than for financial gain:
- The information provided in the “ransomware” is not accurate or relevant to unlocking any affected machine - it is incapable of relaying the information the attacker would need to provide the correct decryption key
- The design of the attack suggests that it was carried out by a technically skilled group of cybercriminals, yet the “ransomware” components showed little to no expertise or intent to produce financial gains. Despite the global spread of the malware, IBM Security researchers also believe that this attack was specifically targeted at Ukraine
- The compromised websites and software used to initiate the infection were clearly aimed at Ukrainian users – including tax software used specifically for organizations doing business in Ukraine, as well as planting malicious code within Ukrainian specific website.
- In fact, “patient zero” (the initially infected machine) in all of the impacted organizations IBM has analyzed has been based in the Ukraine
New Blog Postfrom Mike Oppenheim, Global Research Lead, IBM X-Force IRIS (June 29 at 5pm ET, New York time) https://securityintelligence.com/a-wiper-in-ransomware-clothing-global-attacks-intended-for-destruction-versus-financial-gain/
Original Blog from June 27 and June 28 recapping Petya variant attacks from Diana Kelley, Global Executive Security Advisor, IBM Security