Petya ransomware has been hijacked and is being used in ransomware attacks on businesses without the ransomware authors’ knowledge. The criminals behind the new PetrWrap campaign have added a new module to Petya ransomware that modifies the ransomware ‘on the fly’, controlling the encryption process so that even the ransomware authors would not be able to unlock the encryption.
Petya ransomware first appeared in May last year. The ransomware uses a different method of attack than most other forms of ransomware. Instead of simply encrypting files such as documents, spreadsheets, images and databases, the ransomware replaces the master boot record on the hard drive and encrypts the master file table.
Because the master boot record is read at boot and starts the operating system, the ransomware prevents the computer from locating files stored on the hard drive. No actual files are encrypted; however, the computer is rendered useless because the operating system will not start. Instead, users are presented with a ransom demand. If the ransom is paid, the attackers supply the key to decrypt the master file table.
Ransomware authors typically incorporate protective mechanisms to prevent their ransomware from being reverse-engineered by security researchers. While earlier variants of Petya ransomware contained flaws that allowed security researchers to develop tools to decrypt computers without the need for a decryption key, the latest variant – version three – contains no known flaws. There is no decryptor available for version three of Petya ransomware.
Petya ransomware has been made available on a ransomware-as-a-service model. Affiliates pay to use the ransomware, infect end users, and take a share of the ransom payments they receive; a portion of those payments goes to the ransomware authors. However, the hijacking of the ransomware means the gang behind PetrWrap keeps 100% of the payments they generate.
Anton Ivanov, a senior researcher from the Anti-Ransomware team at Kaspersky Lab that discovered PetrWrap, said: “We are now seeing that threat actors are starting to devour each other and from our perspective, this is a sign of growing competition between ransomware gangs.”
While PetrWrap is being used in targeted ransomware attacks on businesses, this does not represent a new threat. The only difference for victims is who their ransom payment is sent to. The same methods of prevention should be used to block attacks.
Systems should be backed up, and backups should be stored on air-gapped devices. Measures should be implemented to prevent malicious emails from being delivered to end users, and antivirus and antimalware solutions should be deployed.