Kasperky researchers discovered a new variant of last year's Petya Master File Table (MFT) ransomware, with "new and improved" crypto and ransomware models. Remember, MFT ransomware only encrypts the table where access to all files is kept, and does not encrypt the files themselves. It's a very effective way to lock a machine and demand ransom in a few seconds. Kaspersky's Ivanov and Sinitsyn called the new version “PetrWrap” (because it wraps Petya), which uses the PsExec tool to install ransomware on every workstation and server it can access.
Instead of using the original Petya code, which was cracked last April, “the group behind PetrWrap created a special module that patches the original Petya ransomware 'on the fly'”, the Kaspersky post states. This on-the-fly patching was created to hide the fact that Petya is handling the infection, and PetrWrap uses its own crypto routines.
If the PetrWrap malware coders had stuck with Petya's ransomware-as-a-service model, they would need a Petya private key to decrypt victims' data, but with this new version they can use their own keys.
Once the workstation is infected, the victim ends up with the file system's master file table encrypted with a better scheme than the old Petya used. The PetrWrap coders used a tried-and-true, debugged version of Petya's low-level bootloader, ensuring they had "production-quality" criminal software to make sure their infections would be successful.
Free Ransomware Simulator Tool
How vulnerable is your network against a ransomware attack?
Bad guys are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?
KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 10 infection scenarios and show you if a workstation is vulnerable to infection.
