Ransomware

Daniel Dubsky | Davina Spohn

Petya could be aimed at destroying data

Communication between victims and cybercriminals takes place via an ordinary email service, and unlocking the data is extremely complicated - according to Bitdefender, these are signs that the people behind Petya are not interested in extortion money.

The screen after Petya has struck. © Fotolia, kaptn

The current ransomware wave with 'Petya' has hit numerous large companies, but the campaign is not a financial success for those behind it. On the one hand, because by Tuesday evening only a few victims were prepared to pay the requested sum of 300 US dollars in bitcoins. On the other hand, because the email address at the provider Posteo that the victims were supposed to use to contact the attackers for instructions on how to decrypt their data was quickly shut down by Posteo.

However, it is possible that the Petya makers don't care, because according to Bitdefender's assessment, there are indications that they were not interested in the ransom money at all, but rather in the destruction of data. Even choosing a mail service provider without special protection as a communication channel "would be a bad choice for an organization trying to maximize financial gain," explains security expert Bogdan Botezatu from the software company Bitdefender.

The screen after Petya has struck. © Sophos

In addition, there are complicated processes, such as victims first having to pay and then contact the blackmailers by email - only to receive an extremely long string of characters as a decryption key that has to be entered manually. According to Bitdefender, the entire process lacks automation and typing in the key is prone to errors. "Normally, ransomware campaigns that want to generate significant profits have a high degree of automation that makes the payment process simple and secure, almost at the level of professional online banking," says Botezatu.

Taken together, according to Bitdefender, these are several indications that support the theory that Petya is primarily about destroying data.

The network monitoring specialist Gigamon comes to a similar conclusion. It has found that Petya only becomes active 10 to 60 minutes after the system has been infected - probably to evade sandbox analysis, which typically observes a sample for a limited time. The malicious code also spreads faster in the network than WannaCry. "Whoever is behind this is incredibly advanced in designing the malware, infecting and spreading it, but is completely inadequate in the central part of a ransomware attack - the extraction of a ransom," says Kevin Magee of IT firm Gigamon. "This was a well-thought-out piece of malicious code aimed at large organizations and spreading rapidly, with a ransomware component bolted on half-baked at the last moment."

He therefore suspects that the attackers were not interested in money, but in testing their technology and causing chaos. As the attack began in Ukraine on June 27, 2017 - the day before the country's 'Constitution Day' - the origins are likely to lie in Russia. In his view, the fact that companies in other countries were also hit, including Russian ones, was simply collateral damage.
