PetrWrap: Criminals Steal Ransomware Code From Their Peers

Kaspersky Lab’s researchers have discovered PetrWrap, a new malware family that exploits the original Petya ransomware module, distributed through a Ransomware-as-a-Service platform, to perform targeted attacks against organisations. The PetrWrap creators made a special modulethat modifies the original Petya ransomware “on the fly”, leaving its authors helpless against the unauthorised use of their malware. This may be the sign of growing competitiveness on the underground ransomware market.

 In May 2016 Kaspersky Lab discovered Petya ransomware that not only encrypts data stored on a computer, but also overwrites the hard disk drive’s master boot record (MBR), leaving infected computers unable to boot into the operating system. The malware is a notable example of the Ransomware-as-a-Service model, when ransomware creators offer their malicious product ‘on demand’, spreading it by multiple distributors and getting a cut of the profits. In order to get their part of the profit, the Petya authors inserted certain “protection mechanisms” in their malware that do not allow the unauthorised use of Petya samples. The authors of the PetrWrap Trojan, which first had activities detected in early 2017, managed to overcome these mechanisms and have found a way to use Petya without paying its authors a penny.

It is unclear yet how PetrWrap is being distributed. After infection, PetrWrap launches Petya to encrypt its victim’s data and then demands a ransom. PetrWrap authors use their own private and public encryption keys instead of those that come with “stock” versions of Petya. This means they can operate without needing a private key from the Petya operators for decryption of the victim’s machine, should the ransom be paid.

Apparently, it is no coincidence that the developers of PetrWrap have chosen Petya for their malicious activities: this ransomware family now has a rather flawless cryptographic algorithm that is hard to break – the most important component of any encryption ransomware. In several cases in the past, mistakes in cryptography have allowed security researchers to find a way to decrypt files and ruin all of the efforts criminals have put into their malicious campaigns. This has also happened with previous versions of Petya and since then its authors have fixed almost all mistakes. Because of this, a victim’s machine is reliably encrypted when it is attacked with the latest versions of Petya – so it is clear why the criminals behind PetrWrap decided to use it in their activities. Moreover, the lock screen shown to PetrWrap victims does not reflect any mentions of Petya, making it harder for security experts to assess the situation and quickly identify what family of ransomware has been used.

“We are now seeing that threat actors are starting to devour each other. From our perspective, this is a sign of growing competition between ransomware gangs. Theoretically, this is good, because the more time criminal actors spend on fighting and fooling each other, the less organised they will be, and the less effective their malicious campaigns will be. The worrying thing here is the fact that PetrWrap is used in targeted attacks. This is not the first case of targeted ransomware attacks and unfortunately it is most likely not the last. We urge organisations to pay as much attention as possible to the protection of their networks from this kind of threat, because the consequences can be really disastrous,” said Anton Ivanov, Senior Security Researcher, Anti-Ransom, Kaspersky Lab.

In order to protect organisations from such attacks, Kaspersky Lab security experts advise the following:

• Conduct proper and timely backup of your data so it may be used to restore original files after a data loss event.

• Use a security solution with behaviour based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system and making it possible to detect fresh and yet unknown samples of ransomware.

• Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Review external vendor and 3rd party security policies in case they have direct access to the control network.

• Request external intelligence: intelligence from reputable vendors helps organisations to predict future attacks on the company.

• Train your employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.

• Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response in order to block an attack before it reaches critically important objects.

To learn more about PetrWrap, please read the blog post available at Securelist.com.

Please check NoRansom.kaspersky.com to see the tools we developed to help ransomware victims.