The ransomware attack that spread to computer systems in at least 64 countries Tuesday earned hackers less than $10,000 in ransom from victims seeking to regain access to their files, prompting some analysts to question whether such attacks are money-making schemes at all.
The cyberattack began in Ukraine using an updated version of a ransomware called “Petya,” which Microsoft said was traced to tax accounting software from a Ukrainian company. From there, it spread, targeting companies in the U.K., the U.S., Russia, and at least 60 other countries. Though it is unknown who is behind the attack, experts noted that it bore similarities to the “WannaCry” ransomware that spread to more than 150 countries in May; some have attributed that attack to North Korean hackers using leaked tools believed to belong to the National Security Agency. As in the WannaCry incident, attackers on Tuesday took control of computer systems and demanded victims pay $300 to a Bitcoin address to regain access to their files. Both attacks are believed to have exploited the NSA hacking tool Eternal Blue to further the ransomware’s spread, according to Accenture Security.
But there were key differences between the two attacks. The European Union Agency for Law Enforcement Cooperation (Europol) said in a statement Wednesday that this week’s incident was indicative of “a more sophisticated attack capability” than the WannaCry attack, noting the malware used rendered machines unusable by encrypting their hard drives (previous attacks only locked individual files).
Even so, this week’s attack has been less successful financially. As of Wednesday afternoon, the Bitcoin address recorded receiving 45 transactions totaling 3.9 Bitcoin, or $9,984—a sum markedly lower than the more than $130,000 in Bitcoin hackers have earned to date from the WannaCry attack. (The Washington Post reported in mid-June that the attackers hadn’t been able to cash in the Bitcoin though, “likely because an operational error has made the transactions easy to track, including by law enforcement.”) Though this could be attributed in part to German email service provider Posteo quickly shutting down the email account the hackers used to manage ransom demands, some analysts suggest the ransom could be a smokescreen.
“The challenge with any of these [attacks] is that you can never actually determine if the primary motivation was actually financial,” Jeff Pollard, a principal analyst at Forrester, a security and risk consultancy, told me. “It’s totally possible and potentially reasonable for someone to create an attack tool like this to cause havoc and then slap the ransomware front-end on top of that to make it appear as if it's financially motivated when in fact it might be furthering some other goal.”
Justin Harvey, the managing director of global incident response at Accenture Security, told me the failure of the email suggested the ransom was not a priority. “They left this simple email address,” Harvey said. “If you have all of this technical sophistication and you're a criminal organization, why would you leave a single point of failure like that?”
He added: “If you were looking for money, you would have taken a different route—that leads not that many threat groups that want to do organizations harm.”
Regardless of who was behind the attack, Harvey said organizations should take preventive measures to shield themselves from future attacks. “Some companies did not take WannaCry seriously, and those are the companies that I worry about,” Harvey said. “Ransomware and destructive malware is very subversive and without preventative controls or the right monitoring controls, something like this can completely take over and disable an organization.”