ExPetr cyber attack was about disruption, not money, National Cyber Security Centre says

The NCSC says the aim of the global attack wasn’t motivated by financial gain.
The NCSC says the aim of the global attack wasn’t motivated by financial gain.

The cyber attack that struck businesses around the world earlier this week was designed to disrupt rather than earn money, the National Cyber Security Centre (NCSC) has said.

The attack, which affected major organisations including advertising firm WPP and European bank BNP Paribas, was originally thought to be a type of ransomware, which blocks access to files and demands a ransom be paid to unlock them.

laptop keyboard
(Dominic Lipinski/PA Wire/PA Images)
(Dominic Lipinski/PA)

The virus, which has been referred to by several names including ExPetr, also affected parts of the Ukrainian government’s computer systems.

However, the NCSC said in statement it now believes the motive of the attack may have been solely to cause disruption.

“Earlier this week, we were made aware of a global cyber incident that was reported to be ransomware,” the organisation said.

“While managing the impact to the UK, the NCSC’s experts have found evidence that questions initial judgments that the intention was to collect a ransom.

NCSC logo
(Dominic Lipinski/PA Wire/PA Images)
(Dominic Lipinski/PA)

“We are investigating with the NCA and industry whether the intent was to disrupt rather than for any financial gain.

“We recognise the impact this attack has had on affected businesses. If you think you have been a victim, you should report to Action Fraud by calling 0300 123 2040.”

The theory has been supported by security experts, including Anton Ivanov and Orkhan Mamedov from cyber security firm Kaspersky Lab, who claim that the malicious software has been designed to destroy files, rather than earn money.

“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made,” the pair wrote on SecureList.

(Yui Mok/PA Wire/PA Images)
(Yui Mok/PA)

“This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”

The security experts said this was the “worst-case news for victims” because even paying the ransom would not return data to their control.

“This reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive,” they said.