
What is Petrwrap Petya ransomware?


The meteoric rise of ransomware in the public domain continues with the latest outbreak of a variant known as Petya or Petrwrap. It is thought to have been released originally on systems throughout Ukraine and has since spread to a growing number of countries across Europe, leaving destruction in its wake.

Petya is a ransomware variant that works quite differently from other forms of ransomware: rather than encrypting individual files on an infected system, it takes over the file system itself. It achieves this by replacing the Master Boot Record (MBR) with malicious code and encrypting the Master File Table (MFT) of the infected machine's hard disk. The system is then rebooted and the user is faced with a ransom demand screen generated by the malicious code. Because the MFT is where NTFS records every file's name, size and location on the disk, encrypting it locks the victim out of the whole drive without the malware having to touch each file in turn.

Upon reboot the system tells the victim that “your files are no longer accessible, because they have been encrypted” and “nobody can recover your files without our decryption service”. The cost of getting the attackers to decrypt your drive? A snip at $300 worth of Bitcoin.

At the time of writing, it appeared that up to 40 victims had paid the ransom in Bitcoin to the prescribed address in the hope of getting their drives decrypted, the equivalent of around $8976 USD (£6999.96). This amount is sure to increase over the next few days as fear takes hold and more ransoms are paid.

So how does PetrWrap go about causing chaos?

Research from BitDefender, Kaspersky Lab and F-Secure has shown that Petrwrap is written in C and compiled using Visual Studio. It apparently reuses code from the third generation of Petya ransomware to infect the user's system, encrypting that code and modifying it at run time to hide the fact that Petya is infecting the machine, which makes it much harder to detect. In fact, only 48 out of 61 anti-virus services are currently detecting the Petya variant successfully, according to a recent VirusTotal scan. This is a marked improvement though, up from 13 services less than 24 hours ago.

After a machine is infected, the Trojan waits for around 1.5 hours before beginning to execute. It then prepares some functions ready for activation and begins to overwrite the Master Boot Record (MBR). The victim's system is locked from access and Petrwrap then encrypts the Master File Table (MFT) of NTFS partitions on any local drives. The lock screen code is written to the disk during the overwrite of the MBR and makes no mention of Petya, making it harder to identify the infection and assess the damage and future courses of action.
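Because the attack described above begins with an overwrite of the MBR, one defensive control is to take a hash of a machine's boot code while it is known to be clean and compare against it on a schedule. The script below is an added example, not code from the original article or from any of the vendors it names: it parses a 512-byte MBR sector, checks the 0x55AA boot signature, lists the partition table entries, and compares the 446-byte boot code with a recorded baseline hash. The sample sectors, the partition layout and the baseline value are constructed for the demonstration; the device paths in the comments are the standard raw-disk paths and need administrator or root rights to read.

```python
"""Added example: MBR integrity check for a Petya-style boot record overwrite.

Reads a 512-byte MBR sector, validates its structure and compares the boot
code with a baseline hash recorded while the machine was known to be clean.
Sample sectors and the baseline are constructed for this demonstration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the bootstrap code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into boot code hash, signature check and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PARTITION_ENTRY_LEN])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from recorded baseline: possible MBR overwrite")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings


def read_first_sector(device_path: str) -> bytes:
    """Read the MBR from a raw device on a live machine (not called in the demo)."""
    # Windows: r"\\.\PhysicalDrive0" (needs admin); Linux: "/dev/sda" (needs root).
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a sector for the demonstration; not used in a real check."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        sector[off:off + PARTITION_ENTRY_LEN] = struct.pack(
            "<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
            lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: one bootable NTFS partition (type 0x07) starting at LBA 2048.
NTFS_LAYOUT = [(True, 0x07, 2048, 1_000_000)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20, NTFS_LAYOUT)
# Stand-in for an overwritten boot sector: same partition table, different code.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\xcc" * 40, NTFS_LAYOUT)
# The hash you would record from the clean machine and keep off the box.
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(mbr, BASELINE_HASH) or "OK")
```

Record the baseline hash when the machine is built or after a legitimate boot-loader update, and store it somewhere the host itself cannot rewrite; a partition table that still looks normal while the boot code hash has changed is exactly the pattern this check is meant to surface. It is a detection control, not a substitute for the tested backups the article recommends, since by the time the MBR differs the MFT may already be unreadable.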

Is it possible to decrypt?

This variant of ransomware uses a very strong encryption algorithm, so standard decryption tools are unlikely to work, although data recovery tools such as R-Studio may help to restore files. There are also methods posted online that may help to decrypt drives, depending on the exact Petya variant used on the infected system.

Prevention is always better than cure

There is no doubt that company systems are increasingly targeted by data encryption attacks. Attackers typically try to “sniff out” vulnerable servers or loosely secured systems with remote access; once inside the network they can use various tools to install ransomware across the entire estate. Keeping server software up to date and fully patched is vitally important and should always be treated as a high priority, as should the use of secure passwords and tightening down remote access to systems. These tips and more can be found in our simple ransomware prevention guide. Along with keeping secure, tested backups and sensible disaster recovery procedures, they should make your business more able to survive a ransomware attack and recover its systems more quickly, meaning less downtime and loss of turnover.
