Petya ransomware returns, wrapped in extra VX nastiness
'PetrWrap' tries to blame its predecessor for attacks
Researchers have spotted a variant of last year's Petya ransomware, now carrying its own cryptography and its own keys rather than those of Petya's original operators.
Kaspersky's Anton Ivanov and Fedor Sinitsyn say the attack, which they've dubbed “PetrWrap”, uses the PsExec tool to install ransomware on any endpoint it can access.
Rather than use the original Petya, which was cracked last April, “the group behind PetrWrap created a special module that patches the original Petya ransomware 'on the fly'”, the Kaspersky post states.
The on-the-fly patching is designed to hide the fact that Petya is handling the infection, and PetrWrap uses its own crypto routines.
Had the PetrWrap vxers simply redistributed Petya under its ransomware-as-a-service model, each victim's data would be encrypted to the Petya operators' public key, and only the Petya operators' private key could decrypt it. Their solution is to replace the ECDH implementation with their own code and their own public and private keys, so control of decryption stays with the PetrWrap group.
The cryptography uses OpenSSL library components instead of the mbedtls library that Petya used.
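To show why swapping the embedded public key matters, here is an added illustration of the key-wrapping model described above. It is not PetrWrap's or Petya's code and not from Kaspersky's analysis: the curve (secp256k1), the SHA-256 key derivation and the hash-based XOR stream standing in for Salsa20 are choices made for this example. Whoever holds the private key matching the public key baked into the malware is the only party who can unwrap the per-victim disk key.

```python
"""Added example: ECDH key wrapping in ransomware, and why patching in a new
public key hands decryption control to whoever holds the matching private key.
Not PetrWrap's or Petya's code; curve, KDF and stand-in cipher are this example's choices."""
import hashlib
import os

# secp256k1 domain parameters (standard curve constants, used here as an example curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def keygen():
    priv = int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
    return priv, ec_mul(priv, G)


def derive_key(shared_point):
    """KDF over the shared secret's x-coordinate (SHA-256, chosen for this example)."""
    return hashlib.sha256(shared_point[0].to_bytes(32, "big")).digest()


def xor_stream(key, data):
    """Toy hash-counter stream cipher standing in for Salsa20; symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def infect(operator_pub, disk_key):
    """Malware side: ephemeral ECDH against the embedded operator public key, wrap the disk key.
    Returns what ends up on the victim's disk / in the ransom note."""
    eph_priv, eph_pub = keygen()
    wrapped = xor_stream(derive_key(ec_mul(eph_priv, operator_pub)), disk_key)
    return eph_pub, wrapped


def recover(operator_priv, eph_pub, wrapped):
    """Operator side: unwrap the disk key; only the matching private key yields the right bytes."""
    return xor_stream(derive_key(ec_mul(operator_priv, eph_pub)), wrapped)


def demo():
    petya_priv, petya_pub = keygen()          # hypothetical Petya operators' key pair
    petrwrap_priv, petrwrap_pub = keygen()    # hypothetical PetrWrap group's key pair
    disk_key = bytes(range(32))               # constructed stand-in for the per-victim disk key

    # Unpatched: Petya's public key is embedded, so PetrWrap holds the wrong private key.
    eph_pub, wrapped = infect(petya_pub, disk_key)
    results = {
        "petya_can_decrypt_unpatched": recover(petya_priv, eph_pub, wrapped) == disk_key,
        "petrwrap_can_decrypt_unpatched": recover(petrwrap_priv, eph_pub, wrapped) == disk_key,
    }
    # Patched on the fly: the embedded public key is swapped for PetrWrap's own.
    eph_pub, wrapped = infect(petrwrap_pub, disk_key)
    results["petrwrap_can_decrypt_patched"] = recover(petrwrap_priv, eph_pub, wrapped) == disk_key
    results["petya_can_decrypt_patched"] = recover(petya_priv, eph_pub, wrapped) == disk_key
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two `infect` calls differ only in which public key is embedded, which is exactly the single value an on-the-fly patch needs to change to redirect every ransom payment to the patching group. Note that a real analysis would also have to confirm the ephemeral key is generated with a sound random source; a weak one is how the 2016 Petya was broken, not a flaw in ECDH itself.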
Once installed, the victim ends up with the master file table (MFT) of their NTFS partitions encrypted by Petya's own low-level code, whose scheme is sounder than in the old, cracked Petya. Because PetrWrap reuses that code, its authors didn't have to write their own bootloader and so avoided the mistakes seen in earlier Petya versions.
Kaspersky says it's got a signature for PetrWrap, and we presume other A/V vendors will follow soon. ®