PetrWrap, a Petya-based ransomware, was used in targeted attacks

Threat actors in the wild have found a way to hijack the Petya ransomware on the fly and use it in targeted attacks: say welcome to the PetrWrap ransomware.

The Petya ransomware was first spotted by experts at TrendMicro one year ago; it overwrites the MBR to lock users out of the infected machines.

The Petya ransomware causes a blue screen of death (BSoD) by overwriting the MBR with malicious code that encrypts the drive’s master file table (MFT).

When the victim tries to reboot the PC, it is impossible to load the OS, even in Safe Mode. Users turning on the computer are instead shown a flashing red and white screen with a skull-and-crossbones.

Petya is distributed under a RaaS model, but the PetrWrap attackers developed a special module that patches the original Petya ransomware “on the fly.”

The attackers first compromised the networks of the target organizations, then used the PsExec tool to install the ransomware on all endpoints and servers.
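As an added illustration that is not part of the original article, the following detection logic looks for the PsExec-driven mass deployment described above: Windows writes Event ID 7045 to the System log when a new service is installed, and PsExec installs a service named PSEXESVC on each host it touches, so a burst of such installs across many hosts in a short window is a strong signal. The hostnames, timestamps and the JSON-lines export format are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows System log events (Event ID 7045 = new service
# installed), exported as JSON lines. Hosts, times and paths are made up.
SAMPLE_EVENTS = r"""
{"time": "2017-03-10T02:14:05", "host": "FS01", "event_id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2017-03-10T02:14:09", "host": "FS02", "event_id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2017-03-10T02:14:12", "host": "WS-17", "event_id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2017-03-10T02:14:20", "host": "WS-22", "event_id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2017-03-10T09:30:00", "host": "ADMIN-PC", "event_id": 7045, "service": "Backup Agent", "image": "C:\\Program Files\\Backup\\agent.exe"}
{"time": "2017-03-11T14:00:00", "host": "WS-03", "event_id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"}
"""


def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_psexec_install(ev):
    """True for a 7045 event whose service name or binary points at PsExec.
    The service name can be changed by the operator, so the image path is
    checked as well."""
    if ev.get("event_id") != 7045:
        return False
    name = ev.get("service", "").upper()
    image = ev.get("image", "").upper()
    return name == "PSEXESVC" or image.endswith("PSEXESVC.EXE")


def find_mass_deployments(events, window=timedelta(minutes=10), min_hosts=3):
    """Return one alert per burst of PsExec installs that reaches min_hosts
    distinct hosts inside a sliding window of the given length."""
    hits = sorted((datetime.fromisoformat(e["time"]), e["host"])
                  for e in events if is_psexec_install(e))
    alerts = []
    i = 0
    while i < len(hits):
        start = hits[i][0]
        hosts = {h for t, h in hits if start <= t < start + window}
        if len(hosts) >= min_hosts:
            alerts.append({"start": start.isoformat(), "hosts": sorted(hosts)})
            # Skip past this window so one burst yields a single alert.
            while i < len(hits) and hits[i][0] < start + window:
                i += 1
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_mass_deployments(parse_events(SAMPLE_EVENTS)):
        print(f"PsExec burst at {alert['start']}: {', '.join(alert['hosts'])}")
```

A single PSEXESVC install on one host (an administrator using the tool legitimately) stays below the threshold, while four installs within seconds across different machines produce one alert.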

The Petya variant used in the attack was dubbed PetrWrap.

“The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine,” reads the analysis published by Kaspersky. “What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.”

The authors of the PetrWrap ransomware have devised a method to force Petya to use an encryption key that is different from the one hardcoded by the original creators.

Using this mechanism, the attackers can decrypt the files at any time. PetrWrap also removes all mentions of Petya from the ransom message, as well as its animated red skull drawn in ASCII.

Why do hackers hijack the Petya ransomware?

First, because the attackers don’t need to write ransomware from scratch; second, because the version they use is stable and not affected by major flaws.

The bad news for the victims is that there is currently no recovery tool to decrypt the MFT of hard disk volumes infected by Petya. The experts noted, however, that because this specific ransomware doesn’t encrypt the file contents themselves, it is possible to reconstruct files from the raw hard disk data using specific data recovery tools.

Summarizing, the PetrWrap ransomware achieves the following goals:

  1. The victim’s machine is locked and the MFT of NTFS partitions is encrypted securely (because Petya v3, the version used in this attack, doesn’t have the flaws of the earlier versions and implements Salsa20 correctly);
  2. The lockscreen doesn’t show the flashing skull animation and doesn’t contain any mention of Petya, which makes it harder to assess the situation and determine the extent of the damage caused;
  3. The developers of PetrWrap didn’t have to write the low-level bootloader code and risk making mistakes similar to the ones observed in earlier versions of Petya.


Pierluigi Paganini

(Security Affairs – PetrWrap ransomware , malware)
