The latest Petya-based ransomware is PetrWrap. Petya has been distributed as ransomware-as-a-service: its creators offer the malware as a product and take a share of the profits (the ransom) whenever an attacker uses Petya successfully. Cyber criminals have now found a way to use the code without sharing the profits from the attack, and they are doing so in a targeted way. Corporates are no doubt the victims, but this is also a sign that there is rivalry going on in the cyber underworld.
The Petya ransomware has been particularly vicious because it not only encrypts the victim's files using a strong cryptographic mechanism but also locks the entire hard drive by overwriting the master boot record (MBR). This prevents the computer from loading the operating system.
Kaspersky Lab was the first to discover the targeted attacks by this new malware. The attacks have been active since February 2017.
Technical details of PetrWrap:
The PetrWrap Trojan is written in C and compiled in Microsoft Visual Studio. It carries a sample of the Petya ransomware in its data section and uses that sample to infect the victim's device. The interesting part is that PetrWrap patches Petya's code at runtime, substituting its own cryptographic routines and controlling Petya's execution.
Petya generates a 16-byte key and uses the Salsa20 cipher to encrypt the MFT of NTFS partitions. Because decryption is meant to stay under the control of Petya's creators, the key is protected with an Elliptic Curve Diffie-Hellman (ECDH) key agreement. PetrWrap's creators have replaced this ECDH decryption-key mechanism with their own. This lets them escape the fees they would otherwise have paid for using Petya, and they can operate without needing a decryption key from the Petya developers if the ransom is paid!
The attacks are highly targeted at vulnerable servers with unprotected RDP access. Once the malware is inside the network, it uses specialized frameworks such as Mimikatz to obtain the credentials needed to install the ransomware across the network. The only way to protect against such an attack is to keep servers updated and hardened with the latest cyber security measures.
The best way to save an organization from the attack is not to let it happen in the first place. The cryptography used by this ransomware is very strong, and no decryption tools are available to recover the data without paying the ransom. This means that if the attackers succeed, the only way out is paying the high ransom.
Logix Infosecurity provides the latest tools and expertise to keep your organization safe from cyber threats. It is never too late to implement cyber security measures, until you become the victim!