March 15, 2017
A heavily modified, but "unauthorized" version of the Petya ransomware has been seen by Kaspersky researchers used in targeted attacks on a small number of organizations.
Named PetrWrap, this Petya offspring is part of the arsenal of a new threat actor that's hacking corporate networks and then using the Windows PsExec utility to install PetrWrap on vulnerable servers and endpoints.
Someone's piggybacking Petya ransomware
According to Kaspersky researchers Fedor Sinitsyn and Anton Ivanov, PetrWrap doesn't appear to be an official version of the Petya ransomware, but the work of a rogue actor who wrapped the original Petya ransomware, and then patched its code to execute a series of custom commands.
The Petya ransomware is part of a trifecta of ransomware families created by a malware author/group named Janus Secretary. This actor is renting access to Petya, Mischa, and GoldenEye ransomware via a Ransomware-as-a-Service (RaaS) portal available on the Dark Web.
People who rent Petya through this service receive a binary they have to send to victims via spam campaigns or exploit kit-based distribution methods.
When this Petya binary infects victims, the Petya ransomware sends the encryption key and handles all payment operations via the Petya RaaS backend. Renters never have full control over the Petya infection, and they only receive a part of the Petya ransom payment, after Janus has taken his cut.
PetrWrap uses Petya's encryption, replaces ransom note
Sinitsyn and Ivanov say this new threat actor took one of these Petya binaries and modified it to work independently from the Petya RaaS backend.
The technique is called "wrapping," hence this offspring's name of PetrWrap. Wrapping the original Petya allowed this threat actor to benefit from Petya's rock-solid (currently undecryptable) encryption, but store encryption keys and handle payments via their own servers.
PetrWrap ransom screen (via Kaspersky Lab)
In addition, wrapping the original Petya binary also allowed them to modify the Petya ransom note, removing the flashing red skull and any mentions of the Petya name. Victims infected with the PetrWrap ransomware don't know and can't tell that they've been infected with a modified Petya version, as there's no mention of Petya anywhere.
Experienced security researchers will probably guess PetrWrap is somehow related to Petya, as the ransom note still looks similar to Petya's, which is today's top ransomware family that operates by locking the Master File Table (MFT) of NTFS partitions and overwriting the MBR with a custom bootloader.
PetrWrap ransomware used similarly to Samas
While PetrWrap shares actual code with Petya, the ransomware also shares its modus operandi with another ransomware family. This ransomware family is Samas, also known as SamSam, Kazi, or RDN/Ransom, which is installed manually by hackers on the endpoints of networks compromised via unsecured RDP connections.
According to Kaspersky researchers, the PetrWrap group operates in the same way, by looking for unsecured RDP servers, launching brute-force attacks, compromising the server, and then using other tools to escalate access inside the organization's network.
At the end, once they have gained access to as many endpoints as possible, the group installs PetrWrap and waits for payments, hoping victims don't have offline backups.
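The intrusion chain described above (RDP brute-force, then PsExec used to push the payload to endpoints) leaves two distinctive traces in Windows event logs: bursts of failed RemoteInteractive logons (Event ID 4625, LogonType 10) and the PSEXESVC service being installed (Event ID 7045). The detector below is an added example written for this article, not code from Kaspersky or the article; it runs over a constructed list of event tuples, and the host names, IPs and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows event records (not real telemetry):
# (timestamp, host, event_id, source_ip, detail).
# 4625 = failed logon, 4624 = successful logon (LogonType 10 = RDP),
# 7045 = new service installed (PSEXESVC is the service PsExec creates).
SAMPLE_EVENTS = [
    ("2017-03-10T02:00:01", "SRV01", 4625, "203.0.113.7", "LogonType=10"),
    ("2017-03-10T02:00:03", "SRV01", 4625, "203.0.113.7", "LogonType=10"),
    ("2017-03-10T02:00:05", "SRV01", 4625, "203.0.113.7", "LogonType=10"),
    ("2017-03-10T02:00:06", "SRV01", 4625, "203.0.113.7", "LogonType=10"),
    ("2017-03-10T02:00:08", "SRV01", 4625, "203.0.113.7", "LogonType=10"),
    ("2017-03-10T02:00:10", "SRV01", 4624, "203.0.113.7", "LogonType=10"),
    ("2017-03-10T02:15:42", "WS17", 7045, "", "ServiceName=PSEXESVC"),
    ("2017-03-10T02:15:43", "WS18", 7045, "", "ServiceName=PSEXESVC"),
    ("2017-03-10T09:12:00", "WS03", 4625, "10.0.0.22", "LogonType=2"),  # console logon, ignored
]


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, host, source_ip) tuples, in event order."""
    alerts = []
    failures = defaultdict(list)   # (src, host) -> timestamps of recent failed RDP logons
    bruted = set()                 # (src, host) pairs already flagged as brute-forced
    for ts, host, eid, src, detail in sorted(events):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        key = (src, host)
        if eid == 4625 and "LogonType=10" in detail:
            # Keep only failures inside the sliding window, then add this one.
            recent = [x for x in failures[key] if t - x <= window] + [t]
            failures[key] = recent
            if len(recent) >= threshold and key not in bruted:
                bruted.add(key)
                alerts.append(("rdp_bruteforce", host, src))
        elif eid == 4624 and "LogonType=10" in detail and key in bruted:
            # A success following a flagged burst is the likely initial foothold.
            alerts.append(("rdp_success_after_bruteforce", host, src))
        elif eid == 7045 and "PSEXESVC" in detail:
            # Service install by PsExec: the deployment step the article describes.
            alerts.append(("psexec_service_install", host, src))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real environment the 4625/4624 events come from the Security log and 7045 from the System log, so the two feeds must be merged and time-ordered before this logic is applied.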