By Staff Writer at LMG Security   /   Aug 15th, 2017

PetrWrap: Petya Ransomware Infects Systems Worldwide

Ransomware – malware that encrypts files on the devices it infects and then demands a ransom (usually in Bitcoin) for their safe return – is the subject of worldwide panic and InfoSec nightmares. After the WannaCry ransomware attack spread to over 150 countries in May 2017, enterprises may have believed that the end of that global attack meant the worst was over. However, June 27, 2017 marked the beginning of another onslaught of ransomware attacks. Experts are referring to this recent strain as “NotPetya” and “PetrWrap” because of open questions about how similar it is to Petya, a worm first discovered in 2016. PetrWrap resembles Petya in its encryption methods; however, this version of the worm appears to have fixed the flaws in the earlier malware that had previously allowed companies to restore their data.

UPDATE: On August 11, 2017, the Cyber Police of Ukraine arrested a suspect alleged to have distributed NotPetya.

What Is NotPetya/PetrWrap?

The 2017 PetrWrap cyberattack is being compared to the WannaCry ransomware attack because PetrWrap also uses EternalBlue and DoublePulsar. EternalBlue, also stylized as ETERNALBLUE, is a network infection vector developed by the National Security Agency. The exploit uses a vulnerability in Microsoft’s Server Message Block (SMB) protocol, which allows PetrWrap to spread from machine to machine within a network. DoublePulsar is also attributed to the NSA. It is a backdoor implant that lets an attacker maintain persistent access to an infected computer.

Upon infection, PetrWrap reboots the computer and encrypts the master file table (MFT), the database that stores information about every file on the disk. It also renders the original master boot record (MBR) inoperable, replacing it with code that displays its ransom note. In the case of PetrWrap, the note demands $300 worth of Bitcoin in exchange for the decryption key.

However, not only has the email address “[email protected]” – which the attackers used to handle questions and payment confirmations – been disabled by the German email provider Posteo, but it also appears the ransomware was never intended to function as ransomware in the first place.

After encryption, the ransom note displayed on an infected computer shows an “installation key”, which the note instructs the victim to send along with the Bitcoin payment. An installation key is what attackers normally use to make sure they send the correct decryption key to each victim. Malware analysts now report that PetrWrap’s code shows the installation key displayed after encryption is bogus, meaning it cannot be used to look up a victim’s decryption key. The attackers therefore cannot supply a working decryption key even if a payment is made. The lack of functional ransom mechanics suggests that the motive behind this attack was destruction rather than financial gain.

What to Do Before and After Infection

If your machine exhibits signs of suspicious activity or infection, pull the plug immediately. The encryption process takes place during the reboot, so as long as the machine stays powered off it is still possible to back up and restore your files. Even after a complete infection – because PetrWrap does not fully encrypt the disk – there may be ways to reconstruct your files digitally. However, this requires manually carving the data out of the disk, it is not guaranteed to recover any of your files, let alone all of them, and it will not preserve filenames or directory structure.

What can an enterprise do to protect itself against the rapidly spreading threat of ransomware?

  • Train employees to recognize spam and phishing emails. Reducing the risk of an initial infection goes a long way toward preventing a complete network compromise.
  • Microsoft has released patches for the vulnerabilities used by WannaCry and PetrWrap, so companies should install the latest updates immediately. Keeping your computers patched will help stop ransomware from spreading if one of them does become infected.
  • Backups are imperative for quickly restoring any machines after infection. Ensure that your company is following industry standards for backups.

However, Karen Sprenger – COO of LMG Security – mentions that just having backups isn’t enough to protect an enterprise against attacks. “[Regarding industry best practices] the two most important things in my mind are to store your backups offsite, and test your backups regularly. If you have backups and you’ve never tested them,” says Karen, “you don’t really have backups.”
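As an added example (not part of the LMG post or its code), the following PowerShell script supports the patching advice above: EternalBlue abuses the SMBv1 dialect, so the script reports whether the local host still offers SMBv1 and, with -Remediate, turns the SMBv1 server off. It assumes Windows 8.1 / Server 2012 R2 or later, where the SmbShare module and Get-SmbServerConfiguration exist, and an elevated PowerShell session.

```powershell
# Added example, not LMG Security's code. Reports SMBv1 status on the local
# host and, with -Remediate, disables the SMBv1 server. Assumes Windows 8.1 /
# Server 2012 R2 or later (SmbShare module present) and an elevated session.
[CmdletBinding()]
param(
    # Report only by default; pass -Remediate to disable SMBv1 server support.
    [switch]$Remediate
)

function Get-Smb1Status {
    # Server side: is the SMBv1 dialect still offered to inbound connections?
    $server = Get-SmbServerConfiguration

    # Client side: the mrxsmb10 driver handles outbound SMBv1. A StartMode of
    # 'Disabled' means this host cannot speak SMBv1 to other machines.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $clientMode = if ($drv) { $drv.StartMode } else { 'NotInstalled' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = [bool]$server.EnableSMB1Protocol
        Smb2Enabled       = [bool]$server.EnableSMB2Protocol
        ClientSmb1Driver  = $clientMode
    }
}

$status = Get-Smb1Status
$status | Format-List

if ($status.ServerSmb1Enabled) {
    if ($Remediate) {
        # -Force skips the confirmation prompt; no reboot is needed for this setting.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 server support disabled on $($status.ComputerName)."
    } else {
        Write-Warning "SMBv1 server support is enabled; rerun with -Remediate and confirm the SMB security update is installed."
    }
} else {
    Write-Host "SMBv1 server support is already disabled on $($status.ComputerName)."
}
```

Disabling SMBv1 complements the Microsoft update rather than replacing it: patch status still needs to be verified against the vendor bulletin for each Windows version in the environment.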
