A previously unknown ransomware family called PetrWrap has been discovered. It is specifically designed to attack large organizations and is capable of spreading to their endpoints and servers.
Kaspersky Lab's researchers noted that PetrWrap, detected by the company as Trojan-Ransom.Win32.PetrWrap and PDM:Trojan.Win32.Generic, has several interesting and unique qualities. It uses Petya V.3 ransomware to encrypt files, but it also replaces several of Petya's usual functions with a few homegrown ideas.
“To get a workable version of the ransomware, the group behind PetrWrap created a special module that patches the original Petya ransomware ‘on the fly’. This is what makes this new malware so unique,” wrote Kaspersky researchers Anton Ivanov and Fedor Sinitsyn.
After the malware is inside an endpoint it waits 90 minutes before going into action. At that point it starts overwriting the master boot record (MBR), and at about the same time it halts several of Petya's normal functions and replaces them with those exclusive to PetrWrap. This includes the necessary cryptographic computations along with the generation of the configuration data (dubbed petya_generate_config) and the MBR overwrite process (dubbed petya_infect), the researchers said.
One issue PetrWrap's creators faced and conquered was finding a way around using the encryption keys generated by Petya, which are only accessible to that malware's operators. So PetrWrap replaced Petya's Elliptic Curve Diffie-Hellman (ECDH) key agreement algorithm with cryptographic routines from OpenSSL, Kaspersky found.
At the end of these processes the victim's computer is locked (Petya locks down the entire system, not just the files) and a lockscreen with the attackers' demands is displayed.
Unfortunately, the strength of the encryption used in these attacks precludes the use of any decryption tool, but the researchers suggested victims try a third-party data recovery tool such as R-Studio.