Petya ransomware has reemerged in a new guise, according to researchers. The new variant of Petya, dubbed Petwrap, has been seized from the hands of its original authors and built upon, showing a heated competition between cyber-criminals.
One of this variant's more novel features is a special module that patches the original ransomware 'on the fly'.
This development reveals an intriguing look into the cyber underworld. Petya originally operated as a rentable piece of ransomware. In such models, the original authors lease their products to other cyber-criminals and then get a slice of the profits from their successful scams.
In order to ensure this slice of revenue, the authors built into Petya certain protections that ensure their control. This new development means that another party has essentially hijacked the ransomware and made it their own.
As part of that appropriation, the operators who are now using Petwrap have replaced Petya's original public and private encryption keys with their own. Kaspersky researchers noted,
“This ransomware family now has a rather flawless cryptographic algorithm that is hard to break – the most important component of any encryption ransomware.”
In a certain way, said Anton Ivanov, senior security researcher for anti-ransom at Kaspersky Lab, this is a good thing “because the more time criminal actors spend on fighting and fooling each other, the less organised they will be, and the less effective their malicious campaigns will be”.
What might be more worrying about the emergence of a piece of ransomware like Petwrap is “the fact that PetWrap is used in targeted attacks. This is not the first case of targeted ransomware attacks and unfortunately it is most likely not the last.”
Kaspersky researchers have already managed to obtain the signature for the ransomware, allowing them to decrypt files affected by it.
While “there is no failsafe method for preventing ransomware”, Matt Kingswood, UK head of managed service provider IT Specialists, told SC Media UK, “The best way to prepare for an attack is to back up data regularly to the cloud. Secure cloud-to-cloud backup solutions create another, encrypted version of your data and maintain prior versions ‒ in the case of a ransomware attack, the versions before the attack. And, of course, this second copy has the added benefit of preventing data loss via accidental deletion.”