What we now know about “PetrWrap”


Dubbed PetrWrap, yet another wave of ransomware hammered organizations in Europe and the United States yesterday. As with WannaCry, or any ransomware attack for that matter, systems are encrypted shortly after infection and the attackers demand a ransom. Also like WannaCry, this attack aggressively swept through government agencies, small businesses, healthcare providers, and multinational corporations.

Fortunately, PetrWrap doesn’t appear to have hit as many organizations as WannaCry. However, because of the way PetrWrap spreads on internal networks, it has hit many of the organizations it did infect with a vengeance. I have heard reports from those conducting incident response within organizations where many, if not most, of their internal servers were rendered useless.

According to various reports, PetrWrap is a tweaked version of the Petya ransomware, which circulated earlier this year.

What we know

Exactly how PetrWrap spread is still not fully clear. Reports indicate that PetrWrap uses the same EternalBlue exploit as the WannaCry attacks. However, because Microsoft patched the SMBv1 flaw that EternalBlue relies on (MS17-010, released in March), this vector isn’t as successful as it was in May; machines that still lack that patch remain exposed. According to most analyses, once PetrWrap is running on a system it overwrites the system’s master boot record with its own code and encrypts the master file table, leaving the drive unreadable.

What happens next isn’t entirely clear, and reports vary, which may be the result of different variants. Some users report seeing a message telling them to reboot, followed by a warning from the malware not to turn off the computer. After the reboot they see a ransom note demanding a Bitcoin payment worth a few hundred dollars. Other victims report that their system rebooted on its own, most likely because the malware scheduled the reboot using Windows’ built-in task-scheduling and shutdown utilities (schtasks and shutdown.exe).

It also appears that all it takes is one infected system on the network that holds administrative credentials: the malware harvests those credentials and uses them to push itself to neighbouring systems with Microsoft’s PsExec and WMI (WMIC) utilities. Because these are legitimate administration tools, this stage of the spread does not depend on any unpatched vulnerability. This is why PetrWrap hit some organizations so hard.
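As an added example, not code from the original post or from any of the reports it cites, the routine below runs over constructed process-creation events (the shape you would pull from Sysmon Event ID 1 or Windows Security event 4688) and flags the three behaviours just described: remote execution through WMIC, PsExec-style remote execution, and a scheduled reboot. It then correlates them per host, since an admin scheduling a reboot is routine but a host that both pushes code to its neighbours and schedules its own reboot is not. The hostnames, addresses, credentials and the payload name `payload.dll` are all made up for the example; the rules key on the command-line arguments rather than the binary name because a dropper can rename PsExec and the remote-execution flags still have to be present.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample events for this example: (host, parent image, command line).
# Nothing here is taken from a real incident; "payload.dll" is a stand-in name.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("ws01", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    # Remote process creation via WMIC, with the stolen credentials on the command line
    ("ws01", r"C:\Windows\System32\rundll32.exe",
     r'wmic.exe /node:"10.0.0.23" /user:"CORP\svc_admin" /password:"Hunter2!" '
     r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\payload.dll\" #1"'),
    # PsExec-style remote execution from a renamed copy of the tool
    ("ws01", r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\dllhost.dat \\10.0.0.24 -accepteula -s -d "
     r"C:\Windows\System32\rundll32.exe C:\Windows\payload.dll,#1"),
    # Reboot scheduled through the task scheduler
    ("ws01", r"C:\Windows\System32\rundll32.exe",
     r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42'),
    # Benign activity on other hosts
    ("ws02", r"C:\Windows\explorer.exe",
     r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'),
    ("ws02", r"C:\Windows\System32\cmd.exe", r"schtasks /Query /TN Backup"),
    ("ws03", r"C:\Windows\System32\cmd.exe", r'wmic.exe /node:"10.0.0.30" os get caption'),
    ("ws04", r"C:\Windows\System32\cmd.exe",
     r'schtasks /Create /SC once /TN PatchReboot /TR "shutdown.exe /r /t 0" /ST 02:00'),
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    cmdline: str


# Rule name plus a compiled pattern over the command line.
RULES = [
    # wmic ... /node:<target> ... process call create <cmd>  (remote exec via WMI)
    ("wmi_remote_process_create",
     re.compile(r"\bwmic(?:\.exe)?\b.*?/node:.*?\bprocess\s+call\s+create\b", re.I)),
    # \\target ... -s / -d / -accepteula  (PsExec-style service-based remote exec)
    ("psexec_style_remote_exec",
     re.compile(r"\\\\[\w.-]+\s+(?:-\w+\s+)*-(?:s|d|accepteula)\b", re.I)),
    # schtasks /Create whose action is a reboot
    ("scheduled_reboot",
     re.compile(r"\bschtasks\b.*?/create\b.*?shutdown(?:\.exe)?\s+/r\b", re.I)),
]
CRED_ON_CMDLINE = re.compile(r"/user:.*?/password:", re.I)


def detect(events: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Return one Finding per (event, rule) match, in event order."""
    findings: List[Finding] = []
    for host, _parent, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                rule = name
                # Plaintext credentials on a WMIC command line are a strong signal
                # that harvested credentials are being replayed, so mark it.
                if name == "wmi_remote_process_create" and CRED_ON_CMDLINE.search(cmdline):
                    rule += "+plaintext_creds"
                findings.append(Finding(host, rule, cmdline))
    return findings


def hosts_with_worm_pattern(findings: List[Finding]) -> List[str]:
    """Hosts that both pushed code to a remote machine and scheduled their own reboot."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule.split("+")[0])
    lateral = {"wmi_remote_process_create", "psexec_style_remote_exec"}
    return sorted(h for h, rules in by_host.items()
                  if rules & lateral and "scheduled_reboot" in rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:5} {f.rule:42} {f.cmdline[:60]}")
    print("worm-like hosts:", hosts_with_worm_pattern(found))
```

On the sample data only ws01 is reported as worm-like; ws04 schedules a reboot but pushes nothing to other machines, and ws03’s remote WMI query does not create a process, so neither is escalated.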

The initial vector of attack still isn’t fully known. Early reports, following the pattern of most attacks, attributed yesterday’s assault to spam emails with weaponized attachments, but that has not been confirmed.

In their post, Petya Ransomware Without the Fluff, the team at Binary Defense gives a solid account of their view of what happened. They detail speculation that updates from an accounting software firm spread the infection in Ukraine. This fits how the outbreak appeared to unfold, but has yet to be confirmed.

How to keep safe

What should enterprises do to keep safe? Avoiding this malware is no different from avoiding most any malware or ransomware attack:

  • Don’t open emails and attachments from strangers or that look peculiar
  • Keep patches up to date (for this family, MS17-010 in particular) and disable SMBv1 where it isn’t needed
  • Use the security tools that come with Windows (or any OS for that matter)
  • Depending on the nature of your users and the networks they connect to, consider endpoint anti-malware software
  • Because PetrWrap spreads with stolen administrative credentials over legitimate tools, patching alone won’t stop it once inside: limit where domain administrative accounts log in and don’t reuse local administrator passwords across machines

