PetrWrap Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for the malware threats collected and analyzed by our research team. They evaluate and rank threats using several metrics, including real-world and potential risk factors, trends, frequency, prevalence, and persistence. Scorecards are updated regularly from our research data and are intended for a wide range of computer users, from end users looking to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
| Metric | Value |
|---|---|
| Threat Level | 80% (High) |
| Infected Computers | 66 |
| First Seen | March 15, 2017 |
| Last Seen | September 4, 2022 |
| OS(es) Affected | Windows |
The PetrWrap Ransomware is a ransomware Trojan that appears to be derived from Petya, a well-known ransomware Trojan. PetrWrap is a heavily modified version of that threat, and it is unlikely that Petya's own authors created it. The PetrWrap Ransomware is being used in targeted attacks against small businesses and other organizations.
The PetrWrap Ransomware was Developed Using a Technique Called 'Wrapping'
The PetrWrap Ransomware is being used to attack corporate networks, which are high-profile targets for these attackers. The con artists use the Windows PsExec utility to move into the victims' servers and computers and then install the PetrWrap Ransomware. It is unlikely that PetrWrap is an official version of Petya; more likely, a third party has taken Petya's code and adapted it to carry out its own attacks. Petya was a high-profile ransomware Trojan, one of three ransomware families created by a group or author known as the Janus Secretary. Con artists could rent Petya, GoldenEye, or Mischa (the three variants) through an RaaS (Ransomware as a Service) website located on the Dark Web. The con artists who rent access to Petya receive a binary that they can distribute using their own methods.
The PetrWrap Ransomware and similar ransomware Trojans may be distributed through spam email campaigns. Another common distribution method involves exploit kits and attack websites. In the case of Petya, once an infection succeeds, the encryption key handling and the payment are carried out through the Petya RaaS, because Petya's creators take a cut of each attack. The PetrWrap Ransomware replaces Petya's ransom note and removes its ability to connect to the Petya RaaS, allowing the con artists to bypass Petya's operators and keep all of the money for themselves. Essentially, the PetrWrap Ransomware is the Petya ransomware Trojan modified to work independently. This technique is referred to as 'wrapping,' which is the origin of the PetrWrap name.
The Attack of the PetrWrap Ransomware is Powerful
The people carrying out the PetrWrap Ransomware attack have removed all mentions of Petya and have changed the ransom note. The original ransom note included a red flashing image of a skull, which the PetrWrap version removes. Petya is one of the most active ransomware families today. The PetrWrap Ransomware locks the NTFS Master File Table (MFT) and overwrites the Master Boot Record (MBR) with a custom loader, which makes the victim's hard drive completely inaccessible. Petya is a powerful ransomware attack, and the PetrWrap Ransomware carries out what is, in essence, an identical attack.
Other Connections Between the PetrWrap Ransomware and Additional Ransomware Families
The PetrWrap Ransomware shares various characteristics with Petya, and it also has some similarities with Samas, another ransomware Trojan. Samas, also known as SamSam or Kazi, is installed manually by con artists who take advantage of unsecured networks and weak connections. The PetrWrap Ransomware is installed in a similar way. The people responsible for it look for unsecured RDP servers and use brute force attacks to compromise them. Once they have gained access to the victim's network, they use other tools to carry out their attack. After compromising as many computers as possible, the con artists install the PetrWrap Ransomware on them and demand payment from the victims. If the victims' organization does not have proper backups of its files, it may be willing to pay large amounts of money to recover from the PetrWrap Ransomware attack. PC security researchers strongly advise against paying the PetrWrap ransom. Instead, computer users are advised to secure their servers and access points properly and always keep offline backups of all data.
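The intrusion chain described above (RDP brute force, then remote tooling such as PsExec to stage the ransomware) leaves a recognizable trail in Windows event logs. The following detection logic is an added example, not code from the original page or from any vendor; it runs over constructed sample records (not real logs from a PetrWrap incident) using standard Windows event IDs 4625/4624 (failed/successful logon, LogonType 10 for RDP) and 7045 (new service installed), and assumes the PSEXESVC service name that PsExec registers by default.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs) in a simplified dict form.
# 4625 = failed logon, 4624 = successful logon (logon_type 10 = RDP),
# 7045 = new service installed on the host.
def _ev(t, eid, host, **kw):
    return {"time": datetime.fromisoformat("2017-03-15T" + t),
            "id": eid, "host": host, **kw}

SAMPLE_EVENTS = (
    [_ev(f"02:00:0{i}", 4625, "FS01", src="203.0.113.7",
         user="Administrator", logon_type=10) for i in range(5)]
    + [_ev("02:00:09", 4624, "FS01", src="203.0.113.7",
           user="Administrator", logon_type=10),
       _ev("02:14:00", 7045, "FS01", service="PSEXESVC"),   # PsExec staging
       _ev("03:00:00", 4625, "FS01", src="198.51.100.4",
           user="guest", logon_type=10),                     # lone failure
       _ev("03:05:00", 7045, "WS07", service="Spooler")]     # benign install
)

FAIL_THRESHOLD = 5                 # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)
CHAIN_GAP = timedelta(hours=1)     # max time from logon to service install
REMOTE_SVC_NAMES = {"PSEXESVC"}    # PsExec's default service name (assumed)

def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return (host, src, user, time) for each RDP success preceded by at
    least `threshold` RDP failures from the same source within `window`."""
    fails, hits = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["time"]):
        if e.get("logon_type") != 10:
            continue
        key = (e["host"], e["src"])
        if e["id"] == 4625:
            fails[key].append(e["time"])
        elif e["id"] == 4624:
            recent = [t for t in fails[key] if e["time"] - t <= window]
            if len(recent) >= threshold:
                hits.append((e["host"], e["src"], e["user"], e["time"]))
    return hits

def detect_remote_service_install(events, names=REMOTE_SVC_NAMES):
    """Return (host, service, time) for installs of PsExec-style services."""
    return [(e["host"], e["service"], e["time"]) for e in events
            if e["id"] == 7045 and e.get("service", "").upper() in names]

def correlate_chain(events, gap=CHAIN_GAP):
    """Hosts where a brute-forced RDP logon is followed within `gap` by a
    remote service install: the staging pattern described on this page."""
    installs = detect_remote_service_install(events)
    return sorted({h for h, _, _, t in detect_rdp_bruteforce(events)
                   for ih, _, it in installs
                   if ih == h and timedelta(0) <= it - t <= gap})
```

Real deployments would read these fields from the Security and System logs (for example via a SIEM export) and tune the threshold and windows to the environment's normal RDP failure rate.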