If you analyze the NotPetya attack, it differs from other ransomware attempts in two respects. First, it was specifically targetting Ukraine. Second, the attackers didn't actually take any money but rendered all systems defunct. If you are a criminal, you aim to make money, right? Why give up on that possibility? It makes no sense.
So, even if in the infosec world you can never say never, but just as Stuxnet is generally attributed to Israel/USA, in the same way NotPetya is attributed to Russia, even though none of these countries will ever admit they actually did it.
Oh I did not know that. The attack was behaving differently on Ukrainian targets? That's a pretty damning thing indeed and makes the question of the act of war very relevant.
Note that it could make sense to a pro-Russia Ukranian group to extort money abroad and to hurt economically on the target. That seems to be the Russian MO to not be directly implicated in the Ukrainian operations: help with tools, weapons and money the groups that are already in place.
They give up direct control over the actions in exchange of deniability.
As far as I know, it didn't behave differently on Ukraine targets. The attack was on Ukrainian tax software M.E.Doc that businesses in the Ukraine are legally mandated to use.
So it was targeted at the Ukraine, but plenty of multinational companies also operate there, so they were collateral damage
So, even if in the infosec world you can never say never, but just as Stuxnet is generally attributed to Israel/USA, in the same way NotPetya is attributed to Russia, even though none of these countries will ever admit they actually did it.