PetrWrap, a new malware family that exploits the original Petya ransomware module, is being distributed through a ransomware-as-a-service platform to perform targeted attacks against organisations – and may herald growing competitiveness in the underground ransomware market.
Kaspersky Lab researchers have found that the PetrWrap creators made a special module that modifies the original Petya ransomware “on the fly”, leaving its authors helpless against the unauthorised use of their malware.
In May 2016 Kaspersky Lab discovered Petya ransomware that not only encrypts data stored on a computer, but also overwrites the hard disk drive’s master boot record (MBR), leaving infected computers unable to boot into the operating system.
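Because Petya overwrites the master boot record, a defender's natural check is to record a baseline of the first sector and compare later reads against it. The block below is an added example written for this page, not code from the article or from Kaspersky Lab: it hashes the boot-code region of a 512-byte MBR, parses the four partition entries, and reports what changed. The sample MBR bytes are constructed for offline use; reading a real first sector (from a raw device or a disk image) is left to the caller.

```python
"""Baseline-and-compare check for a 512-byte master boot record (MBR).

Added example; assumes the caller supplies the first 512 bytes of a disk
and a previously recorded baseline (boot-code hash plus partition table).
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 446           # boot code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def parse_partition_table(mbr: bytes):
    """Return the four partition entries as dicts (empty entries included)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only (partition table excluded)."""
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str, baseline_table):
    """Compare a freshly read MBR against a recorded baseline.

    Returns a list of findings; an empty list means nothing changed.
    """
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    if parse_partition_table(mbr) != baseline_table:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR for offline testing (not a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")
    # one bootable NTFS-type (0x07) partition starting at LBA 2048
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    table = entry + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


def demo():
    """Baseline a clean sample, then check a clean and a tampered copy."""
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
    baseline_hash = boot_code_hash(clean)
    baseline_table = parse_partition_table(clean)
    # Same partition table, different boot code: the pattern of a boot-sector
    # overwrite that leaves the disk layout intact but hijacks the boot path.
    tampered = build_sample_mbr(b"\xeb\x00\x90" * 5)
    return (check_mbr(clean, baseline_hash, baseline_table),
            check_mbr(tampered, baseline_hash, baseline_table))


if __name__ == "__main__":
    clean_findings, tampered_findings = demo()
    print("clean:", clean_findings or "no change")
    print("tampered:", tampered_findings)
```

Hashing the boot code separately from the partition table is the useful design choice: a legitimate repartitioning changes the table but not the code, whereas a boot-sector overwrite of the kind the article describes changes the code while leaving the table intact, so the two findings point at different causes.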
The malware is a notable example of the Ransomware-as-a-Service model, in which ransomware creators offer their malicious product “on demand”, spread it through multiple distributors and take a cut of the profits. To secure their share of the profit, the Petya authors built certain “protection mechanisms” into their malware to prevent the unauthorised use of Petya samples.
The authors of the PetrWrap Trojan, whose activity was first detected in early 2017, managed to overcome these mechanisms and found a way to use Petya without paying its authors a penny.
It is not yet clear how PetrWrap is being distributed. After infection, PetrWrap launches Petya to encrypt its victim’s data and then demands a ransom.
PetrWrap authors use their own private and public encryption keys instead of those that come with “stock” versions of Petya. This means they can operate without needing a private key from the Petya operators to decrypt the victim’s machine, should the ransom be paid.
It is apparently no coincidence that the developers of PetrWrap chose Petya for their malicious activities: this ransomware family now has a nearly flawless cryptographic implementation that is hard to break – the most important component of any encryption ransomware.
In several cases in the past, mistakes in cryptography have allowed security researchers to find a way to decrypt files and ruin all of the efforts criminals have put into their malicious campaigns. This also happened with previous versions of Petya, but since then its authors have fixed almost all mistakes.
Because of this, a victim’s machine is reliably encrypted when it is attacked with the latest versions of Petya – so it is clear why the criminals behind PetrWrap decided to use it in their activities.
Moreover, the lock screen shown to PetrWrap victims makes no mention of Petya, making it harder for security experts to assess the situation and quickly identify which family of ransomware has been used.
“We are now seeing that threat actors are starting to devour each other,” says Anton Ivanov, Senior Security Researcher, Anti-Ransom, at Kaspersky Lab. “From our perspective, this is a sign of growing competition between ransomware gangs.
“Theoretically, this is good, because the more time criminal actors spend on fighting and fooling each other, the less organised they will be, and the less effective their malicious campaigns will be,” he adds.
“The worrying thing here is the fact that PetrWrap is used in targeted attacks. This is not the first case of targeted ransomware attacks and unfortunately it is most likely not the last. We urge organisations to pay as much attention as possible to the protection of their networks from this kind of threat, because the consequences can be really disastrous.”