PetrWrap Ransomware has been detected as a new member of the ransomware family that exploits the original module of the Petya ransomware. It spreads through a RaaS platform and is used in targeted attacks against small organizations and companies. The creators of this new ransomware made a special module that completely modifies the original Petya ransomware, leaving Petya's authors helpless against the unauthorized use of their code. To achieve this, PetrWrap Ransomware first needs to hook a couple of Petya's functions, replacing the instructions that call Petya's DllEntryPoint with NOPs. This prevents Petya from proceeding on its own and allows PetrWrap Ransomware to make all necessary preparations and computations before letting it continue.
In May 2016, the Petya ransomware was discovered by Kaspersky Lab; it not only encrypts stored data but also overwrites the hard disk drive's MBR. According to malware researchers, PetrWrap Ransomware does not appear to be an official version of Petya; instead it wraps the original Petya binary and patches its malicious code to execute a series of custom commands. When a PC is infected with this ransomware, it sends the encryption keys and handles all payment operations via the Petya RaaS backend. Wrapping the original Petya binary allowed its creators to modify the ransom note, removing any mention of the Petya name and its flashing red skull.
According to the Kaspersky researchers, PetrWrap Ransomware operates in the same way: the attackers look for unsecured RDP servers, launch brute-force attacks, compromise the server and use other tools to gain access to the organization's network. It is still unclear how PetrWrap Ransomware is being distributed, but after infection it launches Petya to encrypt its victims' data and then displays a ransom note demanding payment. The authors of this ransomware use their own public and private encryption keys instead of those that come with 'stock' versions of Petya. Petya generates a 16-byte key and uses the Salsa20 cipher to encrypt files on local drives.
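The RDP brute-force entry described above is the point at which defenders get an early detection chance. The following Python is an added example, not code from this write-up or from Kaspersky: it counts failed RDP logons per source address in a sliding time window and reports how many distinct accounts each flagged source tried. The comma-separated record layout and the sample records are constructed assumptions standing in for an exported Windows Security log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
FAILED_LOGON = 4625
RDP_LOGON_TYPE = 10

# Constructed sample export (layout is an assumption): timestamp,event_id,logon_type,user,source_ip.
# One address tries six accounts in five seconds; one legitimate user mistypes a password once.
SAMPLE_LOG = """\
2017-03-14T09:00:01,4625,10,administrator,198.51.100.23
2017-03-14T09:00:02,4625,10,admin,198.51.100.23
2017-03-14T09:00:02,4625,10,backup,198.51.100.23
2017-03-14T09:00:03,4625,10,root,198.51.100.23
2017-03-14T09:00:04,4625,10,test,198.51.100.23
2017-03-14T09:00:05,4625,10,guest,198.51.100.23
2017-03-14T09:00:30,4625,10,jsmith,10.0.0.15
2017-03-14T09:00:45,4624,10,jsmith,10.0.0.15
2017-03-14T09:20:00,4625,10,scan,198.51.100.23
"""

def parse_events(text):
    """Yield (timestamp, event_id, logon_type, user, source_ip) per record."""
    for line in text.splitlines():
        if line.strip():
            ts, event_id, logon_type, user, src = line.split(",")
            yield datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Map each source address that produced `threshold` or more failed RDP
    logons inside one `window` to the number of distinct accounts it tried."""
    recent = defaultdict(deque)   # source_ip -> timestamps of failures still in window
    users = defaultdict(set)      # source_ip -> account names attempted
    flagged = {}
    for ts, event_id, logon_type, user, src in parse_events(text):
        if event_id != FAILED_LOGON or logon_type != RDP_LOGON_TYPE:
            continue                      # successes and non-RDP logons are not of interest
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while ts - q[0] > window:         # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = len(users[src])
    return flagged

if __name__ == "__main__":
    for src, n in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"possible RDP brute force from {src}: {n} distinct accounts tried")
```

The isolated failure from 10.0.0.15 and the single retry twenty minutes later fall below the threshold, so only the burst of six failures in five seconds is reported.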
It uses a flawless cryptographic implementation that is very hard to break. It is used in targeted attacks, which unfortunately is the most likely scenario. If you really want to protect your organization from PetrWrap Ransomware attacks, follow this advice:
- Use a trusted and well-reputed anti-virus tool.
- Keep and manage your backups on a regular basis so that you can easily restore your original files.
- Conduct a security assessment of the network controls to identify and close any security loopholes.
- Pay attention to operational and engineering staff and their awareness of recent attacks and threats.
- Request external intelligence from reputable vendors to help your organization.