Cyber-criminals are stealing from their peers in the latest ransomware family example, dubbed PetrWrap.
The bug exploits the original Petya ransomware to perform targeted attacks against organizations, according to Kaspersky Lab. PetrWrap uses a special module that modifies Petya on the fly, leaving its authors helpless against the unauthorized use of their malware. It’s being distributed through a ransomware-as-a-service platform.
Petya now has an almost flawless cryptographic algorithm, so it’s no surprise PetrWrap creators are taking advantage of it. PetrWrap authors use their own private and public encryption keys, allowing them to operate without needing a private key from the Petya operators for decryption of the victim’s machine, should the ransom be paid.
“In May 2016, Kaspersky Lab discovered Petya ransomware that not only encrypts data stored on a computer, but also overwrites the hard disk drive's master boot record (MBR), leaving infected computers unable to boot into the operating system,” said Anton Ivanov, senior security researcher, Anti-Ransom, Kaspersky Lab, in a blog. “In order to get their part of the profit, the Petya authors inserted certain protection mechanisms in their malware that do not allow the unauthorized use of Petya samples. The authors of the PetrWrap trojan, which first had activities detected in early 2017, managed to overcome these mechanisms and have found a way to use Petya without paying its authors a penny.”
The lock screen shown to PetrWrap victims does not reflect any mentions of Petya, making it challenging for security experts to assess the situation and quickly identify what family of ransomware has been used.
“We are now seeing that threat actors are starting to devour each other and from our perspective, this is a sign of growing competition between ransomware gangs,” Ivanov added. “Theoretically, this is good, because the more time criminal actors spend on fighting and fooling each other, the less organized they will be, and the less effective their malicious campaigns will be. The worrying thing here is the fact that PetrWrap is used in targeted attacks. This is not the first case of targeted ransomware attacks and, unfortunately, it is most likely not the last. We urge organizations to pay as much attention as possible to the protection of their networks from this kind of threat, because the consequences can be really disastrous.”
In order to protect organizations from such attacks, Kaspersky Lab security experts advise using a security solution with behavior-based detection technologies; managing proper and timely backup of data so it may be used to restore original files after a data loss event; conducting a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes; reviewing external vendor and third-party security policies in case they have direct access to the control network; and training employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.