Putin and his pals in action?
The first clue is in the types of files this piece of ransomware encrypts. Typically this kind of malware encrypts everything to make the victim more likely to cough up the digital cash, but in total this ransomware encrypts 65 types of files, from .7z archives and .c source files to .aspx code to .pdf and .php files to PowerPoint and Python to VMware images and Excel spreadsheets.
That might sound like a lot, but the original Petya ransomware that popped up last year encrypted hundreds of file types, and the new code makes some interesting choices in what it encrypts.
"It's very odd," Justin Cappos, assistant professor of security, operating systems and networks at the New York University Tandon School of Engineering told The Register.
"The image types like .png don't seem to be among those encrypted and usually those would be the kinds of things people want to encrypt because the victims will care about their baby pictures, if you were targeting consumers. I find this suspicious; it's targeting code and even Python scripts and Visual Basic to lock down developers' work."
There's also the method of extracting money from the attack. Ransomware has been exploding of late because it makes it easy for criminals to collect funds without having to recruit a lot of money mules around the world to harvest payments.
Bitcoin has helped with this and, as you'd expect, this infection also asks for the digital currency but with a crucial difference. This time, users wanting to get their files back had to email details to a specific address.
This is neither normal or sensible, since the malware writers must have known that the email address would be shut down quickly, which cut off access to funds. This is not how criminals looking to make a quick buck operate.
Another hint comes in the timing of the attack. Tomorrow, June 28, is a national holiday in Ukraine, its annual Constitution Day. Criminal hackers typically attack on holidays and weekends to avoid detection, but doing so the day before looks like an attempt to cause maximum disruption for the largest number of people in the country.
Who is Ukraine's main enemy at the moment? Russia, since it's currently fighting a proxy in the country by supporting the Donetsk People's Republic that has set itself up in the east of the country. Russia has also been accused of hacking Ukrainian systems in the past.
That said, Russian firms have been hit by the ransomware too. State oil giant Rosneft has reported infections, although it says oil productions and processing wasn't harmed in the outbreak, and local steel maker Evraz has also been infected.
As is so often the case in online attacks, we may never know the truth behind the source of the infection, but Interpol and police forces in at least three countries are investigating the source and motivations behind the attacks. Microsoft will be doing its own detective work and says Defender has been updated to block the ransomware.
"Our initial analysis found that the ransomware may use multiple techniques to spread, including one which was addressed by a security update previously provided for all platforms from Windows XP to Windows 10," a spokesperson told The Reg.
"As ransomware also typically spreads via email, customers should exercise caution when opening unknown files. We are continuing to investigate and will take appropriate action to protect customers."
In the meantime, the best advice for dealing with ransomware hasn't changed since yesterday. Ensure that you take regular and complete backups, patch software as soon as possible, and disable any unwanted features or open ports that can be closed off. ®