The recent meteoric rise of ransomware in the public domain continues with the latest outbreak of a variant known as Petya or Petrwrap. This originally is thought to have been released on systems throughout the Ukraine and has since spread to a growing number of countries throughout Europe, leaving destruction in its wake.
Petya is a ransomware variant that works quite differently to other forms of ransomware in that it doesn’t encrypt individual files on an infected system, Petya actually takes over the actual filing system rather than the files themselves. It achieves this by replacing the Master Boot Record (MBR) with malicious code and encrypting the Master File Table (MFT) of the infected machines hard disk. The system is then rebooted and the user is faced with the ransom demand screen that is generated by the malicious code. Petya takes over the infected system by restricting access to the physical drive and seizes information about filenames, sizes, locations on the disk.
Upon reboot the system tells the victim that “your files are no longer accessible, because they have been encrypted” and “nobody can recover your files without our decryption service”. The cost of getting the attackers to decrypt your drive? A snip at $300 worth of Bitcoin.
At the time of writing this article it appeared that anything up to 40 victims have paid the ransom in Bitcoin to the prescribed address hoping to get their drives decrypted, the equivalent of around $8976 USD (£6999.96). This amount is sure to increase over the next few days as fear takes hold and more ransoms are paid.
So how does PetrWrap go about causing chaos?
Research from BitDefender, Kaspersky Lab and F-Secure has shown that Petrwrap is written in C and compiled using Visual Studio. It apparently used code from the third generation of Petya ransomware and uses this code to infect the users system. It encrypts this sample code and modifies it in real time to hide the fact that Petya is infecting the machine, making it much harder to detect. In fact, only 48 out of 61 anti-virus services are currently detecting the Petya variant successfully, according to a recent VirusTotal scan. This is a marked improvement though, up from 13 services less than 24 hours ago.
After a machine is infected, the Trojan waits for around 1.5 hours before beginning to execute. It then prepares some functions ready for activation and begins to overwrite the Master Boot Record (MBR). The victims system is locked from access and Petrwrap then securely encrypts the Master File Table (MFT) of NTFS partitions on any local drives. The lockdown screen code is written to the system during the overwrite of the Master Boot Record and doesn’t make any mention of Petya, making it harder to determine the infection and assess damage and future courses of action.
Is it possible to decrypt?
This variant of ransomware uses a very strong encryption algorithm so standard decryption tools are unlikely to work in this situation, although there are tools like R-Studio that may help to restore files. There are also methods posted online that may help to decrypt drives depending on the exact Petya variant that’s been used on an infected system.
Prevention is always better than cure
There is no doubt that company systems are becoming increasing targeted by data encryption attacks and the attackers typically try to “sniff out” vulnerable servers or loosely secured systems with remote access. Once inside the network they can use various tools to allow them to install ransomware across the entire network. Keeping server software up to date and fully patched is vitally important and should always be treated as high priority. The use of secure passwords and tightening down remote access to systems should also be given high importance. These tips and more can be found in our simple ransomware prevention guide and along with keeping secure, tested backups and sensible disaster procedures, your business should be more able to survive a ransomware attack and systems should recover quicker, meaning less downtime and loss of turnover.