It would appear that there is indeed no honor among thieves: hackers have stolen the code of the Petya ransomware. After pirating a virus, of all things, the criminals used it to launch targeted attacks.
Petya is a sensible choice to copy, as the program has advanced capabilities. As Trend Micro reported upon discovering the virus one year ago, it overwrites the master boot record (MBR) with malicious code.
Petya then encrypts the master file table (MFT), locking the victim out of the machine. A blue screen of death (BSoD) appears, and the system no longer boots normally.
The virus makes the OS inaccessible even in Safe Mode. When the user turns the computer on, a flashing red and white screen displaying a “skull and crossbones” symbol appears instead.
It should be noted that Petya is offered under a ransomware-as-a-service (RaaS) model, but the hackers chose instead to patch the original program “on the fly”, developing a special module for the purpose.
The infiltration pattern of PetrWrap ransomware
The attacks experts observed consisted of two steps. First, the hackers compromised the networks of the targeted organizations. Then they used PsExec, a legitimate Sysinternals remote-execution utility, to install the virus on all endpoints and servers.
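PsExec leaves a recognisable footprint that defenders can hunt for: by default it copies PSEXESVC.exe into the target's ADMIN$ share and registers a service named PSEXESVC, which Windows records as a System log event 7045 (new service installed) and, with file-share auditing on, a Security log event 5145 (share object accessed). The following is an added example written for this article, not code from Kaspersky's report or from the PetrWrap analysis. It runs two rules over constructed event records: a high-confidence match on the default PSEXESVC names, and a medium-confidence match on any service whose binary was first written into that host's ADMIN$ share, which also catches a service renamed with PsExec's -r option (the sample assumes the dropped binary carries the same name as the service). Host names, IPs and field names are constructed for the sample.

```python
"""Flag PsExec-style remote service installs in Windows event records (added example)."""
import ntpath
from collections import defaultdict

# Constructed sample records, not real telemetry. Event 7045 (System log) is a
# new service install; 5145 (Security log) is a detailed file-share access.
SAMPLE_EVENTS = [
    {"host": "srv-01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "srv-01", "event_id": 5145, "share_name": r"\\*\ADMIN$",
     "relative_target": "PSEXESVC.exe", "src_ip": "10.0.0.5"},
    # Same operator, but PsExec run with -r so the service is renamed.
    {"host": "ws-17", "event_id": 5145, "share_name": r"\\*\ADMIN$",
     "relative_target": "WinUpdSvc.exe", "src_ip": "10.0.0.5"},
    {"host": "ws-17", "event_id": 7045, "service_name": "WinUpdSvc",
     "image_path": r"%SystemRoot%\WinUpdSvc.exe"},
    # Benign noise: a product installing its own service from Program Files.
    {"host": "ws-02", "event_id": 7045, "service_name": "Sense",
     "image_path": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"host": "ws-02", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.5"},
]


def _base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes anywhere)."""
    return ntpath.basename(path).lower()


def flag_psexec(events):
    """Return {host: [(confidence, reason), ...]} for hosts with PsExec-style installs.

    high:   7045 whose service name or binary is PSEXESVC (PsExec's default names).
    medium: 7045 for a binary that was written into that host's ADMIN$ share (5145),
            the trace left even when the service has been renamed.
    Assumes 5145 (detailed file share) auditing is enabled on the monitored hosts.
    """
    admin_drops = defaultdict(set)  # host -> basenames written to ADMIN$
    for ev in events:
        if ev.get("event_id") == 5145 and ev.get("share_name", "").upper().endswith("ADMIN$"):
            admin_drops[ev["host"]].add(_base(ev.get("relative_target", "")))

    hits = defaultdict(list)
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        name, image = ev.get("service_name", "").lower(), _base(ev.get("image_path", ""))
        if name == "psexesvc" or image == "psexesvc.exe":
            hits[ev["host"]].append(("high", f"PSEXESVC service installed from {ev['image_path']}"))
        elif image in admin_drops.get(ev["host"], ()):
            hits[ev["host"]].append(("medium", f"service {ev['service_name']} installed from a binary dropped into ADMIN$"))
    return dict(hits)


def spraying_sources(events, hits, min_hosts=2):
    """Source IPs whose ADMIN$ writes reached at least min_hosts flagged hosts,
    i.e. one machine pushing the payload across the network as in the PetrWrap attacks."""
    per_src = defaultdict(set)
    for ev in events:
        if ev.get("event_id") == 5145 and ev["host"] in hits and "src_ip" in ev:
            per_src[ev["src_ip"]].add(ev["host"])
    return {ip for ip, hosts in per_src.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = flag_psexec(SAMPLE_EVENTS)
    for host, reasons in found.items():
        for conf, why in reasons:
            print(f"{host}: [{conf}] {why}")
    print("spraying sources:", spraying_sources(SAMPLE_EVENTS, found))
```

On the sample, srv-01 is flagged high, ws-17 medium, ws-02 not at all, and 10.0.0.5 surfaces as the single source pushing binaries to both flagged hosts. In production the 5145 rule should be bounded by a time window, and the source of the ADMIN$ write (not a network logon alone) is what distinguishes a push from ordinary administration.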
“The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine,” explain Kaspersky in their analysis. “What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.”
Although PetrWrap is built on Petya, it uses its own encryption key rather than the one embedded by Petya's authors. The people behind PetrWrap have also edited the ransom note, removing all mentions of Petya as well as the animated red skull.
The reasoning behind stealing a virus
There is no honor among thieves, but there is a purpose behind thievery. The creators of PetrWrap saved a great deal of time and effort by using a complete build as a template rather than writing a program from the ground up. Their choice speaks to their expertise, as the version of Petya they chose to build around has no major flaws.
Experts have yet to devise a tool that can decrypt the MFT of hard disk volumes infected by Petya. The good news is that there is an alternative. The virus does not encrypt the files themselves; it encrypts the MFT that indexes them, so the file contents remain on disk. It is therefore possible to recover files from the raw disk data with file-carving tools, although the original file names and directory structure, which live in the MFT, are lost.
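The recovery route described above is signature-based file carving: scan the raw volume for known file headers and footers and cut out everything in between, since the data blocks survive even though the MFT that named them does not. The block below is an added example written for this article (not a tool from the page or from the researchers it cites). It carves PNG, PDF and JPEG spans from a constructed disk image, validates PNG candidates by checking every chunk CRC so that false positives from look-alike bytes are discarded, and shows the practical limitation: recovered files get synthetic names because the real names were in the MFT. The disk image, the sample files and the filler are constructed inline.

```python
"""Signature-based file carving over a raw disk image (added example)."""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# (header, footer) pairs; the footer is kept as part of the carved file.
SIGNATURES = {
    "png": (PNG_MAGIC, b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image, signatures=SIGNATURES, max_size=16 * 1024 * 1024):
    """Return [(kind, offset, data)] for each header..footer span in the raw bytes,
    sorted by offset. A header with no footer within max_size is skipped."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            end = image.find(tail, start + len(head), start + max_size)
            if end < 0:
                pos = start + 1          # dangling header: keep scanning
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def png_is_valid(data):
    """Walk the PNG chunks and verify every CRC; rejects carved false positives."""
    if not data.startswith(PNG_MAGIC):
        return False
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            return False
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if ctype == b"IEND":
            return True
        pos += 12 + length
    return False


def recover(image):
    """Carve and validate; names are synthetic because the MFT (and the real names) is gone."""
    out = {}
    for kind, offset, data in carve(image):
        if kind == "png" and not png_is_valid(data):
            continue
        out[f"{kind}_{offset:08x}.{kind}"] = data
    return out


# --- constructed disk image: a few files scattered between unallocated space ---
def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_png():
    """A valid 1x1 8-bit RGB PNG built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x10\x20\x30")  # filter byte + one pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
FILLER = bytes(range(256)) * 8          # deterministic padding containing none of the signatures
DISK_IMAGE = (b"\x00" * 512 + FILLER + make_png() + FILLER + SAMPLE_PDF + FILLER
              + SAMPLE_JPG + FILLER + PNG_MAGIC + b"truncated" + FILLER)

if __name__ == "__main__":
    for name, data in recover(DISK_IMAGE).items():
        print(f"{name}: {len(data)} bytes")
```

Run against the constructed image, the carver returns the PNG, the PDF and the JPEG at their true offsets and ignores the orphaned PNG header that has no IEND footer. Real disk images add complications the example leaves out, chiefly fragmented files whose blocks are not contiguous, which header-to-footer carving cannot reassemble.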
The key achievements of the developers of PetrWrap ransomware can be summarized as follows:
1. The virus locks the operating system and encrypts the MFT of the NTFS partitions. The Petya v3 build used has no known flaws and implements Salsa20 correctly, which makes the encryption secure.
2. The lockscreen has been edited to remove the flashing skull animation and all mentions of Petya. Until word spreads, early victims may not know what they are dealing with, which makes combating the infection more difficult.
3. By choosing a stable build of the source program, the developers of PetrWrap avoided writing the low-level bootloader code that was the source of mistakes in the early versions of Petya.
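Item 1 turns on one detail: whether the Salsa20 inside the build actually matches the specification. The block below is an added reference implementation written for this article, not Petya's or PetrWrap's code, and it shows what "implements Salsa20 correctly" means in practice: every operation is on 32-bit words, the double round is rowround after columnround, 20 rounds are run, the original state is added back, and the result is checked against the quarterround, rowround and columnround test vectors from the Salsa20 specification. A build that passes those vectors produces the keystream the cipher's security analysis assumes; one that does not is a different, weaker cipher. The key, nonce and message in the usage are constructed.

```python
"""Reference Salsa20 core and keystream (added example), checked against the spec's test vectors."""
import struct

MASK = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"  # constant for 256-bit keys, from the Salsa20 spec


def rotl(v, n):
    """32-bit left rotate; every operation in Salsa20 is on 32-bit words."""
    return ((v << n) | (v >> (32 - n))) & MASK


def quarterround(y0, y1, y2, y3):
    z1 = y1 ^ rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def _apply(x, a, b, c, d):
    x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])


def rowround(y):
    x = list(y)
    _apply(x, 0, 1, 2, 3); _apply(x, 5, 6, 7, 4)
    _apply(x, 10, 11, 8, 9); _apply(x, 15, 12, 13, 14)
    return x


def columnround(y):
    x = list(y)
    _apply(x, 0, 4, 8, 12); _apply(x, 5, 9, 13, 1)
    _apply(x, 10, 14, 2, 6); _apply(x, 15, 3, 7, 11)
    return x


def salsa20_block(key, nonce, counter, rounds=20):
    """One 64-byte keystream block for a 32-byte key, 8-byte nonce and 64-bit block counter."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter))
    s = struct.unpack("<4I", SIGMA)
    state = [s[0], k[0], k[1], k[2], k[3], s[1], n[0], n[1],
             c[0], c[1], s[2], k[4], k[5], k[6], k[7], s[3]]
    x = list(state)
    for _ in range(rounds // 2):
        x = rowround(columnround(x))          # one double round
    # Feed-forward: add the initial state so the rounds cannot be inverted from the output.
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(x, state)])


def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt by XOR with the keystream; the same call does both."""
    out = bytearray()
    for block_no in range((len(data) + 63) // 64):
        ks = salsa20_block(key, nonce, block_no)
        chunk = data[block_no * 64:(block_no + 1) * 64]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


if __name__ == "__main__":
    # Constructed key, nonce and message for the demonstration.
    key, nonce = bytes(range(32)), b"\x00" * 8
    msg = b"the MFT sectors Petya v3 encrypts are processed with this keystream"
    ct = salsa20_xor(key, nonce, msg)
    print(ct.hex())
    print(salsa20_xor(key, nonce, ct) == msg)
```

The test vectors are the spec's own: quarterround(1, 0, 0, 0) must give (0x08008145, 0x00000080, 0x00010200, 0x20500000), and the rowround and columnround inputs with a 1 in each row or column have published outputs that exercise every index of the double round. Any deviation in word width, rotation amount or index order shows up immediately in these checks, which is exactly the kind of test the early Petya builds would have failed.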