Attack’s aim to disrupt, not profit: NCSC

The cyber attack that struck businesses around the world earlier this week was designed to disrupt rather than earn money, Britain’s National Cyber Security Centre (NCSC) has said.


The attack, which affected major organisations including advertising firm WPP and European bank BNP Paribas, was originally thought to be a type of ransomware, which blocks access to files and demands a ransom be paid to unlock them.

The virus, which has been referred to by several names including ExPetr, also affected parts of the Ukrainian government’s computer systems.

However, the NCSC said in statement it now believes the motive of the attack may have been solely to cause disruption.

“Earlier this week, we were made aware of a global cyber incident that was reported to be ransomware,” the organisation said.

“While managing the impact to the UK, the NCSC’s experts have found evidence that questions initial judgements that the intention was to collect a ransom.

“We are investigating with the NCA and industry whether the intent was to disrupt rather than for any financial gain.”

The theory has been supported by security experts, including Anton Ivanov and Orkhan Mamedov from cyber security firm Kaspersky Lab, who claim that the malicious software has been designed to destroy files, rather than earn money.

“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made,” the pair wrote on SecureList.

“This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”

The security experts said this was the “worst-case news for victims” because even paying the ransom would not return data to their control.

“This reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive,” they said.