PetrWrap targets Windows OS and is distributed through targeted attacks that use the PsExec tool to execute the ransomware on all endpoints and servers on a network. Once a system is infected, PetrWrap encrypts the Master File Table (MFT) of NTFS partitions and overwrites the Master Boot Record (MBR) before displaying a ransom note. PetrWrap is a modified version of the Petya variant, and security researchers believe this variant may be “unauthorized” by the Petya developer and deployed by a separate threat actor. PetrWrap uses a modified version of Petya’s binaries but has replaced the embedded public key found in Petya with its own so that its operators can manage file decryption and payments outside of Petya’s Ransomware-as-a-Service (RaaS) platform. The ransom payment demand for PetrWrap is currently unknown. To protect systems and servers against this targeted attack, the NJCCIC recommends blocking access to ports 135 and 445.
UPDATE 6/27/2017: For information about the widespread Petya ransomware attack, please see our Petya threat profile.
- Bleeping Computer provides more information about PetrWrap here.
- The NJCCIC is currently unaware of any decryption tools available for PetrWrap.