PetrWrap Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 19,008 |
|---|---|
| Threat Level: | 80% (High) |
| Infected Computers: | 78 |
| First Seen: | March 15, 2017 |
| Last Seen: | December 2, 2025 |
| OS(es) Affected: | Windows |
The PetrWrap Ransomware is a ransomware Trojan that appears to be derived from Petya, a well-known ransomware Trojan. It seems to be a heavily modified version of that threat, and it is unlikely that Petya's own authors created it. The PetrWrap Ransomware is being used in targeted attacks against small businesses and other organizations.
The PetrWrap Ransomware was Developed Using a Technique Called 'Wrapping'
The PetrWrap Ransomware is being used to attack corporate networks, which are high-profile targets for these attackers. The con artists use the Windows PsExec utility to gain access to the victims' servers and computers and then install the PetrWrap Ransomware. It is unlikely that the PetrWrap Ransomware is an official version of Petya; more likely, a third party took Petya's code and adapted it to carry out their own attacks. Petya was a high-profile ransomware Trojan, one of three ransomware families created by a group or author known as the Janus Secretary. Con artists could rent Petya, GoldenEye or Mischa (the three variants) through a RaaS (Ransomware as a Service) website located on the Dark Web. The con artists who rent access to Petya receive a binary that they can distribute using different methods.
The PetrWrap Ransomware and similar ransomware Trojans may be distributed using spam email campaigns. Another common method for distributing these threats involves the use of exploit kits and attack websites. In the case of Petya, once an infection is accomplished, delivery of the encryption key and collection of the payment are handled through the Petya RaaS, since Petya's creators take a cut of each attack. The PetrWrap Ransomware replaces the Petya Ransomware's ransom note and removes its ability to connect to the Petya RaaS, allowing the con artists to cut out Petya's creators and keep all the money for themselves. Essentially, the PetrWrap Ransomware is the Petya ransomware Trojan modified to work independently. This technique is referred to as 'wrapping,' which gives the PetrWrap Ransomware its name.
The Attack of the PetrWrap Ransomware is Powerful
The people carrying out the PetrWrap Ransomware attack have removed all mentions of Petya and changed the ransom note. The original ransom note included a red flashing image of a skull, which has been removed in the PetrWrap Ransomware version. Petya is one of the top ransomware families active today. The PetrWrap Ransomware locks the Master File Table (MFT) and overwrites the Master Boot Record (MBR) with a custom loader, which makes the victim's hard drive completely inaccessible. Petya is quite a powerful ransomware attack, and the PetrWrap Ransomware carries out what is, in essence, an identical attack.
Other Connections Between the PetrWrap Ransomware and Additional Ransomware Families
The PetrWrap Ransomware has various characteristics that belong to Petya, and it also has some similarities with Samas, another ransomware Trojan. Samas, also known as SamSam or Kazi, is installed manually by con artists who take advantage of unsecured networks and weak connections. The PetrWrap Ransomware is installed in a similar way: the people responsible look for unsecured RDP servers and use brute-force attacks to compromise them. Then, using other tools, they move through the victim's network once they have gained access. After compromising as many computers as possible, the con artists install the PetrWrap Ransomware on them and demand payment from the victims. If the victims' organization does not have proper backups of its files, it may be willing to pay large amounts of money to recover from the PetrWrap Ransomware attack. PC security researchers strongly advise against paying the PetrWrap Ransomware ransom. Instead, computer users are advised to protect servers and access points properly and always keep offline backups of all data.
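The RDP brute-force intrusion path described above can be spotted in Windows Security logs before any ransomware is dropped. The following script is an added example, not EnigmaSoft's or the article's own tooling; it assumes event records have been exported as tab-separated fields (time, EventID, LogonType, source IP, account) and uses constructed sample records rather than real telemetry.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): time, EventID, LogonType, source IP, account.
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2017-03-15 02:00:01\t4625\t10\t203.0.113.7\tadministrator
2017-03-15 02:00:03\t4625\t10\t203.0.113.7\tadministrator
2017-03-15 02:00:05\t4625\t10\t203.0.113.7\tadmin
2017-03-15 02:00:06\t4625\t10\t203.0.113.7\tbackup
2017-03-15 02:00:08\t4625\t10\t203.0.113.7\tadministrator
2017-03-15 02:00:09\t4625\t10\t203.0.113.7\tadministrator
2017-03-15 02:00:12\t4624\t10\t203.0.113.7\tadministrator
2017-03-15 02:01:00\t4625\t10\t198.51.100.9\tjsmith
2017-03-15 02:01:30\t4624\t10\t198.51.100.9\tjsmith
2017-03-15 03:00:00\t4625\t3\t192.0.2.55\tsvc_sql
"""

def parse_log(text):
    """Parse tab-separated records into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, user = line.split("\t")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "id": int(event_id),
                       "type": int(logon_type), "ip": ip, "user": user})
    return sorted(events, key=lambda e: e["time"])

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag every source IP with >= threshold failed RDP logons inside a sliding window and
    note which account (if any) it later logged in as; a success after the burst is the key signal."""
    recent = defaultdict(deque)  # ip -> (time, user) of failures still inside the window
    findings = {}
    for e in events:
        if e["type"] != 10:  # only RDP (RemoteInteractive) logons matter for this pattern
            continue
        q = recent[e["ip"]]
        if e["id"] == 4625:
            q.append((e["time"], e["user"]))
            while q and e["time"] - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(e["ip"], {"failures": 0, "users": set(), "succeeded_as": None})
                f["failures"] = len(q)
                f["users"] = {u for _, u in q}
        elif e["id"] == 4624 and e["ip"] in findings and findings[e["ip"]]["succeeded_as"] is None:
            findings[e["ip"]]["succeeded_as"] = e["user"]
    return findings
```

A source that is flagged and then appears in a success record is the point at which the lateral-movement tooling mentioned above (PsExec and similar) would start showing up, so it merits immediate triage rather than a threshold alert alone.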
Analysis Report
General information
| Family Name: | Trojan.TrickBot.AA |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have resources
- File doesn't have security information
- File has TLS information
- File is 32-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Traits
- big overlay
- No Version Info
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 4,582 |
|---|---|
| Potentially Malicious Blocks: | 4 |
| Whitelisted Blocks: | 4,577 |
| Unknown Blocks: | 1 |
Visual Map (legend: ? = Unknown Block, x = Potentially Malicious Block)
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Ryuk.BH
- Ryuk.BI
- Ryuk.L
- TrickBot.AA
- TrickBot.AF
- Ursnif.AI
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| c:\users\user\downloads\meses.dat | Generic Write, Read Attributes |