The Petya Ransomware is one of the most widely known pieces of crypto-ransomware that attacks the Master File Table (MFT) on NTFS partitions, as well as the Master Boot Record (MBR), to prevent users from accessing their files and even their desktop. This threat is notorious for preventing Windows from booting and instead displaying a ransom note when users attempt to start their computers. For some time, the Petya Ransomware also has been involved in a Ransomware-as-a-Service project, but, apparently, some cyber crooks have managed to get their hands on some of the Petya Ransomware’s source code and modify it according to their preferences. The result is the PetrWrap Ransomware, a threat that acts exactly like the original Petya Ransomware but also brings some new things to the table. Malware researchers who discovered and analyzed the PetrWrap Ransomware are of the opinion that the project is unlikely to be associated with the authors of the Petya Ransomware, since the code appears to have been changed and patched heavily to get it to work as expected. The author of the original Petya Ransomware is ready to provide anyone with a binary of the threat, as long as they agree to share a percentage of their profits with the original creator. However, someone not happy with this offer has opted to craft the PetrWrap Ransomware, and this threat appears to bypass Petya’s payment portals completely so that the new authors keep all the profits from their harmful operation.
An Unbreakable Encryption Routine is Wrapped in the PetrWrap Ransomware’s Core
The PetrWrap Ransomware’s encryption is identical to the one used by the Petya Ransomware, which, unfortunately, means that it is impossible to fully recover from the PetrWrap Ransomware’s attack without paying the ransom sum. Apart from working around the original RaaS project, the authors of the PetrWrap Ransomware also have modified the ransom message with which the threat overwrites the hard drive’s MBR. The new message is free of the Petya Ransomware’s notorious ASCII skull and of the colorful background that its variants were known for. Instead, the authors of the PetrWrap Ransomware have opted for a plain black background and gray text that delivers the same message as the original Petya Ransomware. As for the encryption, the PetrWrap Ransomware uses a heavily customized encryption routine that ends up locking the MFT, rendering all files on the partition inaccessible.
The distribution pattern that the PetrWrap Ransomware relies on is also unusual. Instead of using traditional spam e-mails, the authors of the PetrWrap Ransomware have used their skill set to develop a more targeted campaign that relies on brute-forcing the RDP (Remote Desktop Protocol) passwords of vulnerable servers and then loading the PetrWrap Ransomware’s binary onto them. If the victims do not have an offline or cloud-based backup of their files, then recovering all of their files without paying the ransom sum would be out of the question. As for individual users, they might be able to recover some of their files with the help of third-party file restoration utilities, but the results of this method are not guaranteed.
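The RDP brute-forcing described above leaves a trail in the Windows Security log well before any ransomware binary is copied to the server: every failed logon is recorded as event 4625 and every successful one as event 4624, and a Logon Type of 10 (RemoteInteractive) marks the session as RDP. The following is an added example, not code from the original article or from any PetrWrap analysis: a small Python detector that reads a constructed export of such events, flags any source address that produces five or more RDP logon failures inside a five-minute window, and then lists successful RDP logons from a flagged source, which is the point at which a guessed password should be treated as a compromised account. The CSV-style line format, the thresholds, the IP addresses and the account names are all constructed for the example.

```python
"""Detect RDP password brute-forcing from exported Windows Security log events.

Added example (not part of the original article). Assumes a simple export of
the form  time,event_id,account,source_ip,logon_type  per line. Event 4625 is a
failed logon, 4624 a successful one; logon type 10 is RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # time window in which failures are counted
THRESHOLD = 5                   # failed RDP logons per source that trigger an alert

# Constructed sample: one source burns through several accounts and then gets in;
# a second source is a legitimate user mistyping a password twice.
SAMPLE_EVENTS = """\
2017-03-14T02:00:01,4625,Administrator,203.0.113.45,10
2017-03-14T02:00:09,4625,Administrator,203.0.113.45,10
2017-03-14T02:00:17,4625,admin,203.0.113.45,10
2017-03-14T02:00:26,4625,backup,203.0.113.45,10
2017-03-14T02:00:34,4625,sqlservice,203.0.113.45,10
2017-03-14T02:00:43,4625,Administrator,203.0.113.45,10
2017-03-14T02:01:02,4624,Administrator,203.0.113.45,10
2017-03-14T08:15:10,4625,jsmith,198.51.100.7,10
2017-03-14T08:15:25,4625,jsmith,198.51.100.7,10
2017-03-14T08:16:00,4625,jsmith,198.51.100.7,2
"""


@dataclass
class LogonEvent:
    when: datetime
    event_id: str      # "4625" = failed logon, "4624" = successful logon
    account: str
    source: str


def parse_events(text):
    """Parse the constructed export, keeping only RDP (logon type 10) events."""
    events = []
    for line in text.strip().splitlines():
        when, event_id, account, source, logon_type = line.split(",")
        if logon_type != "10":      # console, network, service logons are out of scope
            continue
        events.append(LogonEvent(datetime.fromisoformat(when), event_id, account, source))
    return events


def detect_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: (peak failures within one window, accounts tried)}
    for every source that reached the failure threshold inside the window."""
    failures_by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        if e.event_id == "4625":
            failures_by_source[e.source].append(e)

    alerts = {}
    for source, fails in failures_by_source.items():
        recent = deque()            # sliding window of failures for this source
        peak = 0
        for f in fails:
            recent.append(f)
            while f.when - recent[0].when > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[source] = (peak, sorted({f.account for f in fails}))
    return alerts


def successes_from_flagged(events, alerts):
    """Successful RDP logons (4624) from an already-flagged source: the password
    was most likely guessed and the account should be treated as compromised."""
    return [(e.when.isoformat(), e.account, e.source)
            for e in events if e.event_id == "4624" and e.source in alerts]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    found = detect_bruteforce(evts)
    for src, (count, accounts) in found.items():
        print(f"ALERT {src}: {count} RDP failures in {WINDOW}, accounts tried: {accounts}")
    for when, account, src in successes_from_flagged(evts, found):
        print(f"COMPROMISE {when}: {account} logged in over RDP from flagged source {src}")
```

The sliding window matters more than a raw daily count: a user who mistypes a password a few times over a morning never reaches the threshold, while a scripted attack that cycles through common account names inside a minute does, and the success-after-burst check is what turns a noisy alert into an actionable one.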