It looks like cybercriminals are dedicated to “keeping it in the family.” Petya Ransomware, a Ransomware-as-a-Service (RaaS) portal available on the Dark Web to rent, now has a new offspring. That offspring comes in the form of a heavily modified and “unauthorized” version called PetrWrap.
For starters, Petya itself is particularly vicious, as it not only encrypts victim’s files, but also their entire hard drive simply by overwriting the master boot record. This essentially prevents the computer from loading the operating system, and, of course, it demands a payment in bitcoin to release a device from its hold.
To provide historical context, the original Petya (discovered March 2016) needs to gain administrative access to the victims’ system before it can infect the master boot record (MBR). If it doesn’t gain admin access, then the system would not get infected. Following its initial release, Petya was modified to include the Mischa ransomware in May 2016. This was quite the upgrade — if Petya failed to gain admin access, it would then drop Mischa on the system, since no access to the MBR was gained (because of no admin rights). Then, come December 2016, GoldenEye emerged from the same cybercriminals as a combo of Petya and Mischa, and first encrypts as many files as possible and then encrypts the MBR.
And now we have PetrWrap. This new variant takes advantage of the latest version of Petya (now version 3), by using the same bootloader code as Petya. However, this PetrWrap Trojan, which has apparently been operating on its own since February, tries to hide the fact that Petya is being used to encrypt the files by using different encryption keys and as well as a different ransom note.
And here’s the catch– this modification potentially occurred without permission, as there’s a chance a threat actor may have managed to crack the Petya code on their own, and is now using it to perform ransomware attacks on victims without paying the creators of Petya.
Now, what does PetrWrap mean for the threat landscape, and more importantly, cybercriminal dynamic? Would these attackers really rip each other off?
It’s possible the cybercriminals of the original Petya ransomware are attempting new ways to infect users. This assumption is based on the history of Petya, and the fact that it’s not uncommon for ransomware to evolve over time in an attempt to stay under the radar. It’s also important to point out that the criminal’s Twitter page (which hasn’t been updated since May 2016) does not claim responsibility for this attack.
However, the alternative — that cybercriminals could have somehow gotten their hands on the Petya code– seems odd, as this is the first time I have heard of one criminal borrowing or stealing another criminals code. If this is the case, then it means the original cybercriminals of Petya are careless or that the original authors sold the code to someone else.
But, no matter who created this threat, the ultimate question still stands – how do you protect yourself from PetrWrap?
The good news is McAfee Endpoint Protection has detected this “new” (PetrWrap) ransomware since early February. So, make sure to use a solution such as this to strengthen your endpoints and avoid becoming a victim of any kind of ransomware, especially PetrWrap.
To learn more about Petya, PetrWrap, and other kinds of ransomware like them, follow us on Twitter @McAfee