Criminals are stealing ransomware code from other criminals

New malware family overwrites the hard disk of infected machines.

Security researchers have discovered PetrWrap, a new malware family that exploits the original Petya ransomware module, distributed through a Ransomware-as-a-Service platform, to perform targeted attacks against organizations. The PetrWrap creators built a special module that modifies the original Petya ransomware “on the fly,” leaving its authors helpless against the unauthorized use of their malware. This may be a sign of growing competition on the underground ransomware market.

In May 2016, Kaspersky Lab discovered Petya, a ransomware family that not only encrypts data stored on a computer, but also overwrites the hard disk drive’s master boot record (MBR), leaving infected computers unable to boot into the operating system. The malware is a notable example of the Ransomware-as-a-Service model, in which ransomware creators offer their malicious product ‘on demand’, spreading it through multiple distributors and taking a cut of the profits. To secure their share of the profit, the Petya authors inserted certain “protection mechanisms” into their malware that are meant to prevent unauthorized use of Petya samples. The authors of the PetrWrap Trojan, whose activity was first detected in early 2017, managed to overcome these mechanisms and found a way to use Petya without paying its authors a penny.

It is not yet clear how PetrWrap is being distributed. After infection, PetrWrap launches Petya to encrypt the victim’s data and then demands a ransom. The PetrWrap authors use their own private and public encryption keys instead of those that ship with “stock” versions of Petya. This means they can operate without needing a private key from the Petya operators to decrypt the victim’s machine, should the ransom be paid.

Hard to Break

It is no coincidence that the developers of PetrWrap chose Petya for their malicious activities: this ransomware family now has a nearly flawless cryptographic scheme that is hard to break – the most important component of any encryption ransomware. Although mistakes in previous versions of Petya allowed security researchers to find a way to decrypt the files, its authors have since fixed almost all of them. As a result, a victim’s machine is reliably encrypted when it is attacked with the latest versions of Petya, making it an optimal piece of malware to reuse. Moreover, the lock screen shown to PetrWrap victims makes no mention of Petya, making it harder for security experts to assess the situation and quickly identify which family of ransomware has been used.

“We are now seeing that threat actors are starting to devour each other and from our perspective, this is a sign of growing competition between ransomware gangs,” said Anton Ivanov, Senior Security Researcher, Anti-Ransom, Kaspersky Lab. “Theoretically, this is good, because the more time criminal actors spend on fighting and fooling each other, the less organized they will be, and the less effective their malicious campaigns will be. The worrying thing here is the fact that PetrWrap is used in targeted attacks. This is not the first case of targeted ransomware attacks and unfortunately it is most likely not the last. We urge organizations to pay as much attention as possible to the protection of their networks from this kind of threat, because the consequences can be really disastrous,” he added.

In order to protect organizations from such attacks, Kaspersky Lab security experts advise the following:

  • Use a security solution with behavior-based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system and making it possible to detect fresh and yet unknown samples of ransomware.
  • Manage proper and timely backup of your data so it may be used to restore original files after a data loss event.
  • Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Review external vendor and third-party security policies in case they have direct access to the control network.
  • Request external intelligence from reputable vendors to help your organization predict future attacks on the company.
  • Train employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.
  • Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response in order to block an attack before it reaches critically important objects.

To learn more about PetrWrap, see Kaspersky Lab’s blog.