Jun 28, 2017 - Technology

Global hack appears aimed at damage, not money

Ng Han Guan / AP

The "ransomware" attack that struck Ukraine and has since spread to about 65 countries might not be a regular ransomware attack after all. Instead, its code indicates it is more like a "wiper," according to Matt Suiche, founder of cybersecurity startup Comae Technologies.

What it means: "The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money," Suiche writes. Instead of just encrypting files when it infects a device, this hack encrypts your entire hard drive and the Master Boot Record so that it is totally inoperative, according to Radware. This also causes the whole computer to restart.

  • Microsoft points out that this hack, sometimes called GoldenEye, is a new variant of Petya, which CNET reports has been sold on forums in the dark web since last April.

Why it matters: For one, as CNET's Alfred Ng writes: "Compared with GoldenEye, WannaCry (a ransomware attack in May) looks like it was written by amateurs." Second, Suiche believes the hackers went to the trouble of making it look like ransomware attack to "control the media narrative" to scapegoat an unknown hacking group instead of what it actually might be — a state hacker. (State hackers usually don't use ransomware.)

One big caveat: As Bret Padres, a former intel official and CEO of The Crypsis Group tells Axios, "a just as plausible explanation is that this is a coding error" that makes it look like a wiper and not a simple ransomware hack.

What else we've learned in the last day:

  • The hack hit 65 countries, including Ukraine, Russia, Denmark, Spain, India, Germany, U.K., U.S. and France, according to a Microsoft analysis. It is still impacting ATMs in Ukraine and Pennsylvania's Heritage Valley Health System, per NPR.
  • There is no "kill switch" for this hack (there was one for WannaCry).
  • GoldenEye was spread, in part, through Ukrainian tax accounting software, Symantec reports, adding that it's "interesting" that the attack began on a Ukrainian national holiday, Constitution Day.
  • The hackers aren't attempting to attack random IP addresses (as WannaCry did) and instead targeting mostly financial institutions in Ukraine, per Symantec.
  • Motives: Since the hackers set up a poor payment system, the goal appears to be to cause damage rather than to collect ransom (the point of contact was through an email suspended by the host, and there is only one Bitcoin wallet listed to receive money, making the operation appear uncoordinated and weak).

What to watch now: The Bitcoin wallet that the hackers were going to use to receive payments, which law enforcement will be watching, too, to see if the attackers will somehow reveal themselves. Plus, expect hacking to come up during NATO meetings tomorrow in Brussels. Last year NATO decided a cyber hack could trigger its mutual defense protocol, Article Five.

Go deeper