Shropshire Star

ExPetr cyber attack was about disruption, not money, National Cyber Security Centre says

The NCSC says the global attack wasn’t motivated by financial gain.

The cyber attack that struck businesses around the world earlier this week was designed to disrupt rather than earn money, the National Cyber Security Centre (NCSC) has said.

The attack, which affected major organisations including advertising firm WPP and European bank BNP Paribas, was originally thought to be a type of ransomware, which blocks access to files and demands a ransom be paid to unlock them.

However, the NCSC said in a statement that it now believes the motive of the attack may have been solely to cause disruption.

“Earlier this week, we were made aware of a global cyber incident that was reported to be ransomware,” the organisation said.

“While managing the impact to the UK, the NCSC’s experts have found evidence that questions initial judgments that the intention was to collect a ransom.

“We recognise the impact this attack has had on affected businesses. If you think you have been a victim, you should report to Action Fraud by calling 0300 123 2040.”

The theory has been supported by security experts, including Anton Ivanov and Orkhan Mamedov from cyber security firm Kaspersky Lab, who claim that the malicious software has been designed to destroy files, rather than earn money.

“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made,” the pair wrote on SecureList.

The security experts said this was the “worst-case news for victims” because even paying the ransom would not return data to their control.

“This reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive,” they said.