Iranian hackers (or people who act like Iranian hackers).
A new version of the Shamoon malware has targeted at least two energy companies in the Middle East. Italian oil and gas company Saipem said more than three hundred computers had been affected. Saipem has recovered because it had its systems backed up (Reuters); the company doesn't expect significant financial effect (Reuters). A second, unidentified, heavy engineering company in the UAE was hit by Shamoon on December 10th (Forbes).
Shamoon is the wiper malware used in the massive 2012 attack on Saudi Aramco. That attack has been attributed to Iran. Some warn against jumping to conclusions regarding attribution (BleepingComputer); others think it worth noting that Saipem is a Saudi Aramco contractor. The new variant presents itself as crypto-ransomware rather than the overt data-destroyer the first version was. That presentation is bogus: there is no key and nothing to recover. The malware simply overwrites files with random bytes that at first glance look encrypted. The new variant also lacks the hard-coded SMB credentials earlier versions used to self-propagate, which suggests Remote Desktop Protocol as a possible infection vector. Finally, the new version has no command-and-control server and may have been deployed manually (ZDNet).
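The "looks encrypted" point above matters for responders: a byte-level entropy check cannot tell a ransomware-encrypted file (recoverable with a key) from a file a wiper has overwritten with random data (unrecoverable), because both look uniformly random. The following Python is an added illustration, not code from the article or from the ZDNet analysis. It uses a SHA-256 counter-mode keystream as a stand-in for a real ransomware cipher, and the sample document is constructed for the example.

```python
import hashlib
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream.

    Stand-in for the stream/CTR cipher real ransomware would use; it is
    symmetric, so applying it twice with the same key recovers the input.
    Not a production cipher, used only so the example runs offline.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample document: a few tens of KB of repetitive text.
SAMPLE_DOC = (
    b"Drilling report: pressure nominal, crew rotation on schedule.\n" * 600
)

# Hypothetical key; a real victim would have to obtain it from the attacker.
ASSUMED_KEY = b"example-ransomware-key"


def looks_encrypted(data: bytes, threshold: float = 7.9) -> bool:
    """The naive triage heuristic: high entropy means 'encrypted'."""
    return shannon_entropy(data) >= threshold


def simulate() -> dict:
    """Compare a ransomware-style encryption with a Shamoon-style overwrite."""
    encrypted = keystream_xor(ASSUMED_KEY, SAMPLE_DOC)  # key exists: recoverable
    wiped = os.urandom(len(SAMPLE_DOC))                  # no key: data is gone
    return {
        "plaintext_entropy": shannon_entropy(SAMPLE_DOC),
        "encrypted_entropy": shannon_entropy(encrypted),
        "wiped_entropy": shannon_entropy(wiped),
        # Both are flagged "encrypted" by the heuristic; only one is recoverable.
        "encrypted_flagged": looks_encrypted(encrypted),
        "wiped_flagged": looks_encrypted(wiped),
        "encrypted_recoverable": keystream_xor(ASSUMED_KEY, encrypted) == SAMPLE_DOC,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Both the encrypted and the wiped buffer sit near 8 bits per byte and pass the heuristic, so entropy alone tells a responder nothing about recoverability. The practical consequence is the one Saipem demonstrated: treat any "ransomware" hit on critical systems as a possible wipe and restore from known-good backups rather than waiting on a decryptor.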