Petwrap Ransomware massive attack – 24 hours later

Pierluigi Paganini June 28, 2017

A new strain of the infamous Petya ransomware dubbed Petwrap, is infecting computers in different states, mostly in Ukraine and Russia.

This is the second massive ransomware-based attack in a few weeks, like WannaCry, the Petwrap ransomware exploits the MS17-010 SMB Remote Code Execution, so-called Eternal Blue, that Microsoft patched in March 2017.

Banks, financial institutions, businesses, energy firms, telecoms and systems in critical infrastructure were infected by the malware, among the victims the giant Maersk that confirmed the attack in an official statement on its Web site:

“We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.” 


Kaspersky telemetry on Petya ransomware

The “Eternal Blue” exploit was developed by the US National Security Agency, its code was leaked and in April by the hacker group Shadow Brokers.

Analyzis conducted by experts revealed that Petwrap also used other tricks to spread inside target networks. 

According to the experts at Russian security firm Group-IB, the malware leverages a tool called “LSADump,” which can be used to collect login credentials from Windows computers and domain controllers on the network.

While I was writing, there is also news about illustrious victims in the US such as the global law firm DLA Piper that experienced severe issues at its systems.

Which is the attackers’ motivation? 

According to security experts the attack presents various anomalies that led the experts into believing that hackers operated for sabotage.

According to Nicholas Weaver, a security researcher at the International Computer Science Institute Petya has been designed to be destructive while masquerading as a ransomware malware.

Weaver highlighted numerous anomalies in the ransomware-based attack, such as the use of a single Bitcoin address for every victim and the fact that the Petwrap operators urge victims to communicate with the them via an email address, while most of ransomware require victims to use Tor for communications.

“I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” states the Weaver’s comment published by Brian Krebs said. “The best way to put it is that Petya’s payment infrastructure is a fecal theater.”

Let me suggest to give a look at Yara rules and IOCs published by Kaspersky in the following analysis:

Schroedinger’s Pet(ya)

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Petwrap ransomware , malware)

[adrotate banner=”13″]

you might also like

leave a comment