Initially, all security companies united on calling the attack ransomware, with some saying the Petya ransomware was being used, while others said it only had some characteristics of Petya, but was otherwise different.
Now it appears that there is a further twist to the tale.
Researcher Matt Suiche who runs a company known as Comae Technologies in the United Arab Emirates, attempted to cast the blame on the media.
He did not mention the fact that every security company of note, including his own, had called the causative agent ransomware.
In a post a day earlier, Suiche himself wrote: "Yes, this is bad — real bad — this is another ransomware leveraging SMB network kernel vulnerabilities to spread on the local network. The exploit used is based on EternalBlue, NSA’s exploit leaked by the Shadow Brokers in April, 2017. Similar to WannaCry. No kill-switch this time."
Trend Micro's vice-president of security research Rik Ferguson said the target of the attack appeared to be Ukraine.
"The attack itself certainly seems to have been originally planned as a targeted attack, originating with a compromise of Ukrainian accounting software MEDoc’s update infrastructure (seemingly admitted on their website but categorically denied by MEDoc on Facebook)," he wrote.
"This island-hopping attack starting with a smaller software vendor, whose product is mandated for companies paying taxes in Ukraine, may well have been targeted specifically at that country. However, as with every notionally targeted attack there has been collateral damage."
Ferguson pointed to the fact that the malware was set to wait five days before triggering on 27 June, a day before a Ukrainian public holiday celebrating the ratification of its new constitution in 1996, also provided circumstantial weight to the proposition that the attack was targeted primarily at Ukraine.
"Some of the names of prominent global victims, WPP, Maersk and Saint-Gobain for example all have offices and operations in Ukraine and are likely users of MEDoc, some have even posted job ads for accounting specialists with MEDoc skills," he wrote.
"Also Rosneft, Russia’s state-owned oil company, although not necessarily corporate users of MEDoc, still have a presence in Ukraine and thus may be exposed to MEDoc within their network."
Ferguson said it looked as though this attack was "following the law of unintended consequences, with the victim population very rapidly spreading outside of Ukraine and encompassing organisations and partners of organisations who have a presence in Ukraine".
Update, 30 June: Similar conclusions — that the malware was designed to destroy data, not extort money — have been reached by two other security outfits, Kaspersky Lab and ESET.