A new group of criminals have taken control of Petya ransomware and are using it in ransomware attacks against businesses without the participation or knowledge of those who created the ransomware. Those responsible for the new PetrWrap campaign developed Petya ransomware by adding a module to it that serves to modify the ransomware ‘on the fly’, taking control of the encryption process in such a manner that even the authors of Petya would be unable to crack the encryption.
The first appearance of Petya ransomware was in May 2016. It employs a method of attack than differs from most other know types of ransomware. Rather than encrypting files such as documents and other files, Petya replaces the master boot record on the computer’s hard drive and then encrypts the master file table.
Given that the master boot record is accessed on boot and commences the operating system, the ransomware stops the device from finding files that are stored onits hard drive. The files are not actually encrypted, but the computer becomes useless because the operating system can not start, and a ransom demand will be presented to users instead. Theoretically, should payment of the ransom be made, the attackers supply the key to the victims in order to decrypt the master file table.
Normally, most authors of ransomware build in protective mechanisms to stop their ransomware being reverse-engineered by security researchers. Although earlier versions of Petya ransomware includedd flaws that permitted security researchers to design tools that could decrypt computers in the absence of a decryption key, the most recent variant – version three – has no identified flaws. As of yet, no decryptor for version three of Petya ransomware exists.
It has become possible to obtain Petya ransomware on a ransomware-as-a-service model. Third parties can to pay to use the ransomware, infect end users and if successful receive a portion of the ransom payment received. Another part of such ransom payments go to the authors. Be that as it may, the hijacking of Petya ransomware now means that the gang responsible for PetrWrap retain the entirety of the ransom payments they generate.
A high-ranking researcher from the Anti-Ransomware team at Kaspersky Lab, which discovered PetrWrap, named Anton Ivenov has stated that threat actors are beginning to cannibalise each other, which may indicate that there is growing competition between different ransomware gangs.
Although PetrWrap is now being employed in targeted ransomware attacks against businesses, this does not in fact represent a new form of threat. For the victims the only concrete difference is where the ransom payment is sent to. The methods of preventing attack are the the same.
All systems should be adequately backed up and moreover, those backups should be properly stored on air-gapped devices. Procedures should be applied to avoid the delivery of malicious emails to end users and both antivirus and antimalware solutions should be put into effect.
