Cyber attack seems intent on havoc, not extortion: Researchers
By Agencies, 30 Jun 2017 10:31 PM IST
A cyber attack that caused indiscriminate economic damage around the world was apparently designed to create maximum havoc in Russia's neighbour and adversary Ukraine, security researchers said.
While the rogue software used in the attack was configured as extortionate "ransomware," that may have just been a ruse. "It is clear that this was targeted indiscriminately at Ukrainian businesses, and the Ukrainian government," Jake Williams, president of the security firm Rendition Infosec and a former member of the U.S. National Security Agency's elite cyber warfare group, told The Associated Press in an online chat. "The 'ransomware' component is just a smokescreen (and a bad one)."
Although the attack was global in its reach, Ukraine bore the brunt. Computers were disabled at banks, government agencies, energy companies, supermarkets, railways and telecommunications providers. Many of these organizations said they had recovered by Thursday, although some experts suspected that work was incomplete.
And that's just in Ukraine. Microsoft said the malware hit at least 64 nations, including Russia, Germany and the United States. "I expect that we will see additional fallout from this in the coming days," said Williams.
In Ukraine, suspicion immediately fell on hackers affiliated with Vladimir Putin's regime, although there is no direct, public evidence tying Russia to the attack. Relations between the two nations have been tense since Moscow annexed the Crimean peninsula from Ukraine in 2014. Pro-Russian fighters are still battling the government in eastern Ukraine.
Experts have also blamed pro-Russian hackers for major cyberattacks on the Ukrainian power grid in 2015 and 2016, assaults that have turned the eastern European nation into the world's leading cyberwarfare testing ground. A disruptive attack on the nation's voting system ahead of 2014 national elections is also attributed to Russia.
The malicious program, which researchers are calling NotPetya, initially appeared to be ransomware. Such malware locks up victims' files by encrypting them, then holds them hostage while demanding payment — usually in bitcoin, the hard-to-trace digital currency. But researchers said the culprits would have been hard-pressed to make money off the scheme. They appear to have relied on a single email address that was blocked almost immediately and a single bitcoin account that collected the relatively puny sum of $10,000. Firms, including Russia's anti-virus vendor Kaspersky Lab, said clues in the code indicate that the program's authors would have been incapable of decrypting the data, further evidence that the ransom demands were a smoke screen.
The timing was intriguing, too. The attack came the same day as the assassination of a senior Ukrainian military intelligence officer and a day before a national holiday celebrating the new Ukrainian constitution signed after the breakup of the Soviet Union.
Williams and other researchers said all evidence indicates that NotPetya was introduced via Ukrainian financial software provider MeDoc. NotPetya was cleverly engineered to spread laterally within Windows networks and across the globe via private network connections. Globally, dozens of major corporations and government agencies have been disrupted, including FedEx subsidiary TNT.