
PetrWrap, a Petya-based ransomware, was used in targeted attacks

Threat actors in the wild have found a way to hijack the Petya ransomware on the fly and use it in targeted attacks: say welcome to the PetrWrap ransomware.

The Petya ransomware was first spotted by experts at Trend Micro about a year ago; it overwrites the MBR to lock users out of infected machines.

Petya overwrites the MBR with a malicious bootloader and forces a reboot, which the victim sees as a blue screen of death (BSoD); on the next boot that bootloader code encrypts the drive's master file table (MFT).

When the victim tries to reboot the PC, the OS can no longer be loaded, not even in Safe Mode. Instead, users turning on the computer are shown a flashing red and white screen with a skull-and-crossbones.


Petya is offered under a ransomware-as-a-service (RaaS) model, but rather than operate through it, the PetrWrap attackers developed a special module that patches the original Petya sample "on the fly."

The attackers first compromised the networks of target organizations, then used the PsExec tool to install the ransomware on all endpoints and servers.
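As an added example (not from the original article or from Kaspersky's report), here is detection logic a defender could run over Windows service-installation events to spot the PsExec fan-out described above. The events are constructed samples modelled on System log Event ID 7045; the PSEXESVC service name and the `%SystemRoot%\<name>.exe` image path are the standard artifacts PsExec leaves, including when the service is renamed with `-r`; the 5-minute window and 3-host threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events modelled on Windows System log Event ID 7045
# ("A service was installed in the system"); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2017-03-14T02:10:05", "host": "FS01", "event_id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "account": r"CORP\svc_backup"},
    {"ts": "2017-03-14T02:10:07", "host": "WS12", "event_id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "account": r"CORP\svc_backup"},
    {"ts": "2017-03-14T02:10:09", "host": "DC01", "event_id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "account": r"CORP\svc_backup"},
    # Renamed PsExec service (psexec -r mstdc): no PSEXESVC string, same pattern.
    {"ts": "2017-03-14T02:10:11", "host": "WS33", "event_id": 7045, "service": "mstdc",
     "image": r"%SystemRoot%\mstdc.exe", "account": r"CORP\svc_backup"},
    # Isolated, legitimate admin use of PsExec later in the day.
    {"ts": "2017-03-14T09:30:00", "host": "WS07", "event_id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "account": r"CORP\helpdesk"},
    # Ordinary software service install: must not fire.
    {"ts": "2017-03-14T10:00:00", "host": "WS07", "event_id": 7045, "service": "gupdate",
     "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc",
     "account": r"NT AUTHORITY\SYSTEM"},
]

PSEXEC_SERVICE = re.compile(r"^psexesvc$", re.I)
# PsExec copies its service binary into the Windows directory via ADMIN$ and
# names the file after the service, so a renamed copy still shows up as
# %SystemRoot%\<service>.exe.
SYSTEMROOT_EXE = re.compile(r"^(?:%SystemRoot%|[A-Za-z]:\\Windows)\\([^\\]+)\.exe$", re.I)


def is_psexec_like(ev):
    """True for a 7045 event that looks like PsExec's service, renamed or not."""
    if ev["event_id"] != 7045:
        return False
    if PSEXEC_SERVICE.match(ev["service"]):
        return True
    m = SYSTEMROOT_EXE.match(ev["image"])
    return bool(m) and m.group(1).lower() == ev["service"].lower()


def find_mass_deployment(events, window=timedelta(minutes=5), min_hosts=3):
    """Accounts that installed a PsExec-like service on >= min_hosts distinct
    hosts inside any `window`: the remote-execution fan-out used to push the
    ransomware to endpoints and servers. Returns {account: [hosts]}."""
    per_account = defaultdict(list)
    for ev in events:
        if is_psexec_like(ev):
            per_account[ev["account"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    hits = {}
    for account, items in per_account.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    print(find_mass_deployment(SAMPLE_EVENTS))
```

The single-event rule catches PsExec itself; the per-account burst across many hosts is what separates an operator pushing ransomware from an administrator fixing one workstation, and it still fires when the service name has been changed.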

The Petya variant used in the attack was dubbed PetrWrap.

“The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine.” reads the analysis published by Kaspersky. “What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.”

The authors of PetrWrap devised a method to force Petya into using an encryption key different from the one hardcoded by the original creators.

With this mechanism, the PetrWrap operators, and not the Petya authors, can decrypt victims' data at any time. PetrWrap also strips all mentions of Petya from the ransom message, along with its animated ASCII red skull.
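The key hijack described above, as an added illustration that is not PetrWrap's or Petya's code: a toy "core" carries a hardcoded operator public key and encrypts data so that only the holder of the matching private key can recover it, and the "wrapper" overwrites that key inside the embedded image before running the core. The finite-field Diffie-Hellman group, the SHA-256 counter-mode keystream standing in for Salsa20, the `PUBKEY:` marker and the image layout are all stand-ins chosen for this example; how the real sample's cryptography and runtime patching work is described only in Kaspersky's report.

```python
import hashlib
import secrets

# Toy finite-field DH group (Mersenne prime M127): a stand-in for the real
# asymmetric scheme, NOT Petya's parameters.
P = (1 << 127) - 1
G = 5
KEY_LEN = 16                 # P < 2**128, so group elements fit in 16 bytes
KEY_MARK = b"PUBKEY:"        # hypothetical marker locating the hardcoded key


def keygen():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def build_core_image(operator_pub):
    """Stand-in for the Petya sample PetrWrap carries in its data section:
    some opaque code bytes, then the operator public key the sample hardcodes."""
    return bytearray(b"\x55\x8b\xec\x83\xec\x10" * 4
                     + KEY_MARK + operator_pub.to_bytes(KEY_LEN, "big")
                     + b"\x90" * 8)


def read_embedded_pub(image):
    i = image.index(KEY_MARK) + len(KEY_MARK)
    return int.from_bytes(image[i:i + KEY_LEN], "big")


def keystream_xor(key, data):
    """SHA-256 in counter mode as a stand-in stream cipher (Petya uses Salsa20)."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def core_encrypt(image, mft):
    """The 'Petya' side: ephemeral DH against whatever public key sits in the
    image, derive a symmetric key, encrypt the MFT, and keep only the ephemeral
    public value for the ransom note. The victim never holds the symmetric key."""
    recipient = read_embedded_pub(image)
    eph_priv, eph_pub = keygen()
    sym = hashlib.sha256(pow(recipient, eph_priv, P).to_bytes(KEY_LEN, "big")).digest()
    return eph_pub, keystream_xor(sym, mft)


def operator_decrypt(priv, eph_pub, ciphertext):
    """Recovery by whoever holds the private key matching the embedded public key."""
    sym = hashlib.sha256(pow(eph_pub, priv, P).to_bytes(KEY_LEN, "big")).digest()
    return keystream_xor(sym, ciphertext)


def petrwrap_patch(image, wrapper_pub):
    """The 'PetrWrap' side: overwrite the hardcoded key inside the embedded
    sample so the wrapper's operators, not Petya's authors, can decrypt."""
    patched = bytearray(image)
    i = patched.index(KEY_MARK) + len(KEY_MARK)
    patched[i:i + KEY_LEN] = wrapper_pub.to_bytes(KEY_LEN, "big")
    return patched


def demo():
    petya_priv, petya_pub = keygen()      # Petya authors' key pair
    wrap_priv, wrap_pub = keygen()        # PetrWrap operators' key pair
    mft = b"FILE0 record for secret.docx (constructed MFT bytes)"

    original = build_core_image(petya_pub)
    eph, ct = core_encrypt(original, mft)
    unpatched_authors_decrypt = operator_decrypt(petya_priv, eph, ct) == mft

    hijacked = petrwrap_patch(original, wrap_pub)
    eph, ct = core_encrypt(hijacked, mft)
    return {
        "unpatched_authors_decrypt": unpatched_authors_decrypt,
        "patched_authors_decrypt": operator_decrypt(petya_priv, eph, ct) == mft,
        "patched_wrapper_decrypts": operator_decrypt(wrap_priv, eph, ct) == mft,
    }


if __name__ == "__main__":
    print(demo())
```

The point the toy makes is that nothing in the core's encryption routine has to change: the routine is already sound, so whoever controls the public key it reads controls who can decrypt. That is also why, on the victim side, the patched sample behaves exactly like Petya and gives no hint of the swap.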

Why do hackers hijack the Petya ransomware?

First, because the attackers don't need to write ransomware from scratch; second, because the version they hijacked is stable and not affected by major flaws.

The bad news for victims is that there is currently no recovery tool to decrypt the MFT of hard disk volumes infected by Petya. The experts noted, however, that because this ransomware doesn't encrypt file contents, files can often be reconstructed from the raw disk data using dedicated recovery (carving) tools.
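To show why raw-disk recovery still works when only the MFT is encrypted, here is an added example that is not a tool mentioned by the article or by Kaspersky: a minimal header/footer carver run over a constructed 64-sector disk image. The MFT region is XOR-scrambled as a stand-in for Petya's Salsa20 encryption, the file bodies are left as they were on disk, and the three embedded files are fabricated byte strings with real PNG, JPEG and PDF signatures.

```python
SECTOR = 512

# Header and footer signatures used to find file bodies without any file system.
PNG_SIG, PNG_END = b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"   # IEND chunk + its CRC
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
PDF_HEAD, PDF_EOF = b"%PDF-", b"%%EOF"
SIGNATURES = {"png": (PNG_SIG, PNG_END), "jpeg": (JPEG_SOI, JPEG_EOI), "pdf": (PDF_HEAD, PDF_EOF)}


def build_sample_image():
    """Constructed disk image: one 1024-byte MFT record at sector 16 and three
    contiguous file bodies in the data area. Returns (image, mft_offset, files)."""
    img = bytearray(64 * SECTOR)
    mft_off = 16 * SECTOR
    img[mft_off:mft_off + 1024] = (b"FILE0" + b"secret.docx").ljust(1024, b"\0")
    files = [
        ("png", 20 * SECTOR, PNG_SIG + b"\0\0\0\rIHDR" + b"\0" * 21 + PNG_END),
        ("jpeg", 25 * SECTOR, JPEG_SOI + b"\xe0\0\x10JFIF" + b"\0" * 120 + JPEG_EOI),
        ("pdf", 30 * SECTOR, b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" + PDF_EOF),
    ]
    for _, off, body in files:
        img[off:off + len(body)] = body
    return img, mft_off, files


def lock_mft(img, mft_off, mft_len=1024, key=b"\x5a\xa5" * 8):
    """Stand-in for Petya's MFT encryption (XOR, not Salsa20): only the MFT
    range is touched, so file contents stay exactly where they were."""
    out = bytearray(img)
    for i in range(mft_len):
        out[mft_off + i] ^= key[i % len(key)]
    return out


def carve(image, max_len=1 << 20):
    """Header/footer carving over raw bytes. Returns [(kind, offset, body)]
    sorted by offset; needs no MFT, which is why it survives an MFT-only lock."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_len)
            if end == -1:                      # header without footer in range: skip it
                pos = image.find(head, pos + 1)
                continue
            end += len(tail)
            found.append((kind, pos, bytes(image[pos:end])))
            pos = image.find(head, end)
    return sorted(found, key=lambda f: f[1])


if __name__ == "__main__":
    image, mft_off, _ = build_sample_image()
    locked = lock_mft(image, mft_off)
    print("MFT record readable:", locked.find(b"FILE0") != -1)
    for kind, off, body in carve(locked):
        print(f"{kind} at sector {off // SECTOR}, {len(body)} bytes")
```

The caveat a practitioner should keep in mind: carving recovers only files whose bodies are contiguous and carry a recognisable signature. File names, directory structure and the run lists of fragmented files live in the MFT and are lost with it, so what comes back is a pile of unnamed files, not the original volume.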

Summarizing, the PetrWrap ransomware achieves the following goals:

  1. The victim's machine is locked and the MFT of NTFS partitions is encrypted securely (because Petya v3, which is used in this attack, doesn't have the flaws of the earlier versions and implements Salsa20 correctly);
  2. The lockscreen doesn't show the flashing skull animation and doesn't contain any mention of Petya, which makes it harder to assess the situation and determine the extent of the damage;
  3. The developers of PetrWrap didn't have to write the low-level bootloader code and risk making mistakes similar to those observed in earlier versions of Petya.


Pierluigi Paganini

(Security Affairs – PetrWrap ransomware, malware)

