Kaspersky Lab’s researchers have discovered PetrWrap, a new malware family that exploits the original Petya ransom ware module, distributed through a Ransom ware-as-a-Service platform, to perform targeted attacks against organizations. The PetrWrap creators made a special module that modifies the original Petya ransom ware “on the fly”, leaving its authors helpless against the unauthorized use of their malware. This may be the sign of growing competitiveness on the underground ransom ware market.
In May 2016 Kaspersky Lab discovered Petya ransom ware that not only encrypts data stored on a computer, but also overwrites the hard disk drive’s master boot record (MBR), leaving infected computers unable to boot into the operating system. The malware is a notable example of the Ransom ware-as-a-Service model, when ransom ware creators offer their malicious product ‘on demand’, spreading it by multiple distributors and getting a cut of the profits. In order to get their part of the profit, the Petya authors inserted certain “mechanic protection ms” in their malware that do not allow the unauthorized use of Petya samples. The authors of the PetrWrap Trojan, which first had activities detected in early 2017, managed to overcome these mechanisms and have found a way to use Petya without paying its authors a penny.
It is unclear yet how PetrWrap is being distributed. After infection, PetrWrap launches Petya to encrypt its victim’s data and then demands a ransom. PetrWrap authors use their own private and public encryption keys instead of those that come with “stock” versions of Petya.
In order to protect organizations from such attacks, Kaspersky Lab security experts advise the following:
-Conduct proper and timely backup of your data so it may be used to restore original files after a data loss event.
-Use a security solution with behaviour based detection technologies. These technologies can catch malware, including ransom ware, by watching how it operates on the attacked system and making it possible to detect fresh and yet unknown samples of ransom ware.
-Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Review external vendor and 3rd party security policies in case they have direct access to the control network.
Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response in order to block an attack before it reaches critically important objects.