
PetrWrap Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 66
First Seen: March 15, 2017
Last Seen: September 4, 2022
OS(es) Affected: Windows

The PetrWrap Ransomware is a ransomware Trojan that appears to be derived from Petya, a well-known ransomware Trojan. The PetrWrap Ransomware seems to be a heavily modified version of that threat, and it is unlikely that the people behind Petya are the ones who created the PetrWrap Ransomware. The PetrWrap Ransomware is being used in targeted attacks against small businesses and other organizations.

The PetrWrap Ransomware was Developed Using a Technique Called 'Wrapping'

The PetrWrap Ransomware is being used to attack corporate networks, which are high-profile targets for these attackers. The con artists use the Windows PsExec utility to reach the victims' servers and computers and then install the PetrWrap Ransomware. It is unlikely that the PetrWrap Ransomware is an official version of Petya. Instead, a third party has most likely taken the Petya code and adapted it to carry out their own attacks. Petya was a high-profile ransomware Trojan and one of three ransomware families created by a group or author known as the Janus Secretary. Con artists could rent Petya, GoldenEye, or Mischa (the three variants) through a RaaS (Ransomware as a Service) website located on the Dark Web. Con artists who rent access to Petya receive a binary that they can distribute using whatever methods they choose.

The PetrWrap Ransomware and similar ransomware Trojans may be distributed using spam email campaigns. Another common distribution method for these threats involves exploit kits and attack websites. In the case of Petya, once an infection has been accomplished, the encryption key handling and the payment are carried out through the Petya RaaS, since Petya's creators take a cut of each attack. The PetrWrap Ransomware replaces the Petya Ransomware's ransom note and removes its ability to connect to the Petya RaaS, allowing the con artists to bypass Petya's operators and keep all the money for themselves. Essentially, the PetrWrap Ransomware is the Petya ransomware Trojan modified to work independently. This technique is referred to as 'wrapping,' which is the origin of the PetrWrap Ransomware's name.

The Attack of the PetrWrap Ransomware is Powerful

The people carrying out the PetrWrap Ransomware attack have removed all mentions of Petya and have changed the ransom note. The original ransom note included a red flashing image of a skull, which has been removed in the PetrWrap Ransomware version. Petya is one of the top ransomware families active today. The PetrWrap Ransomware locks the Master File Table (MFT) and overwrites the Master Boot Record (MBR) with a custom loader, which makes the victim's hard drive completely inaccessible. Petya is a powerful ransomware attack, and the PetrWrap Ransomware carries out what is, in essence, an identical attack.

Other Connections Between the PetrWrap Ransomware and Additional Ransomware Families

The PetrWrap Ransomware has various characteristics that belong to Petya, and it also has some similarities with Samas, another ransomware Trojan. Samas, also known as SamSam or Kazi, is installed manually by con artists who take advantage of unsecured networks and weak connections. The PetrWrap Ransomware is installed in a similar way. The people responsible for the PetrWrap Ransomware look for unsecured RDP servers and use brute force attacks to compromise them. Once they have gained access to the victim's network, they use other tools to carry out the rest of their attack. After compromising as many computers as possible, the con artists install the PetrWrap Ransomware on each of them and demand payment from the victims. If the victims' organization does not have proper backups of its files, it may be willing to pay large amounts of money to recover from the PetrWrap Ransomware attack. PC security researchers strongly advise against paying the PetrWrap Ransomware ransom. Instead, computer users are advised to protect servers and access points properly and to always keep offline backups of all data.
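The intrusion chain described above (RDP brute forcing followed by PsExec-based deployment) leaves a recognisable trail in Windows event logs. The following detection logic is an added example, not code from this page or from any vendor: it runs over constructed sample records modelled on Security event 4625 (failed logon, logon type 10 = RDP) and System event 7045 (new service installed, the event PsExec generates when it drops its PSEXESVC service), and flags the source addresses and hosts a defender would want to look at. The field names, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Only the fields the
# detection needs are kept. 4625 = failed logon, logon_type 10 = RDP;
# 4624 = successful logon; 7045 = service installed (PsExec -> PSEXESVC).
SAMPLE_EVENTS = [
    {"time": f"2017-03-15T02:0{i // 6}:{(i % 6) * 10:02d}", "id": 4625,
     "logon_type": 10, "src": "203.0.113.7", "host": "FS01", "user": "administrator"}
    for i in range(12)  # 12 failures in two minutes from a single address
] + [
    # Two isolated failures hours apart from another address: normal typos
    {"time": "2017-03-15T01:00:00", "id": 4625, "logon_type": 10,
     "src": "198.51.100.4", "host": "FS01", "user": "jsmith"},
    {"time": "2017-03-15T03:30:00", "id": 4625, "logon_type": 10,
     "src": "198.51.100.4", "host": "FS01", "user": "jsmith"},
    # The brute-forcing address eventually succeeds, then PsExec appears
    {"time": "2017-03-15T02:05:00", "id": 4624, "logon_type": 10,
     "src": "203.0.113.7", "host": "FS01", "user": "administrator"},
    {"time": "2017-03-15T02:07:30", "id": 7045, "host": "FS01", "service": "PSEXESVC"},
]

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 10                  # assumed failures-per-window threshold


def rdp_bruteforce_sources(events, window=WINDOW, threshold=THRESHOLD):
    """Return source addresses with >= threshold failed RDP logons inside any window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == 10:
            by_src[e["src"]].append(datetime.fromisoformat(e["time"]))
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)


def psexec_service_installs(events):
    """Return hosts on which a PsExec-style service (PSEXESVC*) was installed."""
    return sorted({e["host"] for e in events
                   if e["id"] == 7045 and e.get("service", "").upper().startswith("PSEXESVC")})
```

A successful 4624 from an address that was just flagged, followed by a 7045 on the same host, is the sequence worth alerting on before any encryption stage runs.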
