Petwrap Ransomware Analysis

Petwrap ransomware, also known as Petya/NotPetya, is the recent ransomware outbreak affecting computer networks.

On the morning of June 27, 2017, a new ransomware outbreak, similar to the recent WannaCry malware, was discovered in Ukraine. The malware quickly spread across Europe, affecting varied industries such as banking, government, retail, and power, among others.

Although at first it seemed that the ransomware was a variant of the Petya family, researchers have determined that the two are not related, and have now named the malware “NotPetya.” This ransomware is potentially more devastating than WannaCry, as it does not require vulnerable, unpatched systems in order to spread across the local network.

Petya / NotPetya Tools, Techniques, and Procedures (TTPs)

After infecting the initial victim, NotPetya enumerates all saved SMB credentials on the system and uses them to log on to other machines on the local network. Because the ransomware uses existing SMB credentials to connect to those systems, even fully patched Windows machines are subject to infection.

NotPetya can infect additional network systems in one of two ways:

  • Using the remote administration tool “psexec” to execute the malware on the remote host
  • Using the built-in Windows Management Instrumentation Command-line tool (WMIC)

In the case of the first method, NotPetya attempts to write a copy of the Windows Sysinternals tool “psexec,” which is embedded in its resource section, to %WinDir%\dllhost.dat, and then uses that copy to execute the malware on the remote host.

The second method uses WMIC, which is included by default on Windows systems and allows connection to remote systems to perform administrative tasks. With WMIC, the malware connects to the remote system (by IP address or hostname) using the harvested credentials and executes the NotPetya DLL on that system.
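The two propagation behaviours described above (a copy of psexec running from %WinDir%\dllhost.dat, and WMIC being used to start a process on a remote host) both leave traces in process-creation telemetry. The following is an added detection example, written for this page and not part of LogRhythm's analysis. It assumes a simplified, constructed log format (`timestamp|host|user|image|command line`); the sample events, hostnames, users and the `<constructed payload command>` placeholder are all made up, and the `/node:` and `process call create` syntax is standard WMIC usage rather than anything taken from the page. The fan-out rule (one host starting processes on several different remote targets in the same log window) is an assumption added here to separate worm-like behaviour from an administrator running one remote command.

```python
"""Detect NotPetya-style lateral movement in process-creation events.

Constructed example for this page; the sample events are not real telemetry.
Format of each event line: timestamp|host|user|image|command line
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real logs). WS-01 shows the worm-like pattern;
# ADMIN-01 and WS-07 are benign look-alikes that must NOT trigger.
SAMPLE_EVENTS = [
    r'2017-06-27T09:00:05|WS-01|CORP\alice|C:\Windows\System32\notepad.exe|notepad.exe notes.txt',
    r'2017-06-27T09:00:30|WS-01|CORP\alice|C:\Windows\System32\wbem\WMIC.exe|wmic.exe process list brief',
    r'2017-06-27T09:01:12|WS-01|CORP\alice|C:\Windows\dllhost.dat|C:\Windows\dllhost.dat <constructed remote-exec args>',
    r'2017-06-27T09:01:15|WS-01|CORP\alice|C:\Windows\System32\wbem\WMIC.exe|wmic.exe /node:"WS-02" /user:"CORP\alice" /password:"<redacted>" process call create "<constructed payload command>"',
    r'2017-06-27T09:01:18|WS-01|CORP\alice|C:\Windows\System32\wbem\WMIC.exe|wmic.exe /node:"WS-03" /user:"CORP\alice" /password:"<redacted>" process call create "<constructed payload command>"',
    r'2017-06-27T09:01:21|WS-01|CORP\alice|C:\Windows\System32\wbem\WMIC.exe|wmic.exe /node:"10.0.0.25" /user:"CORP\alice" /password:"<redacted>" process call create "<constructed payload command>"',
    # Remote WMIC query without process creation: an admin checking an OS version.
    r'2017-06-27T09:05:00|ADMIN-01|CORP\itadmin|C:\Windows\System32\wbem\WMIC.exe|wmic.exe /node:"SRV-01" os get caption',
    # Legitimate COM surrogate: dllhost.EXE in System32, not dllhost.DAT in %WinDir%.
    r'2017-06-27T09:06:00|WS-07|CORP\bob|C:\Windows\System32\dllhost.exe|C:\Windows\System32\dllhost.exe /Processid:{CONSTRUCTED-GUID}',
]


@dataclass
class Event:
    ts: str
    host: str
    user: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Split one pipe-delimited event line into its five fields."""
    fields = line.split("|", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed event: {line!r}")
    return Event(*fields)


# psexec dropped as %WinDir%\dllhost.dat: the .dat extension is the signal,
# since the real COM surrogate is dllhost.exe under System32.
DLLHOST_DAT = re.compile(r"\\dllhost\.dat$", re.IGNORECASE)
# WMIC remote execution: a /node: target plus "process call create".
WMIC_NODE = re.compile(r'/node:"?([^\s"]+)"?', re.IGNORECASE)
WMIC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)


def is_psexec_dropper(ev: Event) -> bool:
    """True when the executing image is a dllhost.dat file (psexec copy)."""
    return DLLHOST_DAT.search(ev.image) is not None


def wmic_remote_exec_target(ev: Event):
    """Return the /node: target when wmic.exe starts a process remotely, else None."""
    if not ev.image.lower().endswith("\\wmic.exe"):
        return None
    if not WMIC_CREATE.search(ev.cmdline):
        return None
    match = WMIC_NODE.search(ev.cmdline)
    return match.group(1) if match else None


def detect(lines, fanout_threshold: int = 3):
    """Run all three rules over the event lines and return a list of alert tuples."""
    alerts = []
    targets_by_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_psexec_dropper(ev):
            alerts.append(("psexec_as_dllhost_dat", ev.host, ev.image))
        target = wmic_remote_exec_target(ev)
        if target:
            alerts.append(("wmic_remote_process_create", ev.host, target))
            targets_by_host[ev.host].add(target)
    # Fan-out rule (assumption): one source host pushing processes to several
    # distinct remote targets is far more worm-like than a single admin command.
    for host, targets in targets_by_host.items():
        if len(targets) >= fanout_threshold:
            alerts.append(("wmic_fanout", host, tuple(sorted(targets))))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The single-event rules will also fire on an administrator's legitimate remote WMIC process creation, so in practice the `wmic_fanout` alert (or a correlation with the credential-harvesting behaviour described above) is the one worth paging on; the per-event alerts are better treated as enrichment.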

Differences Between Petya / NotPetya and WannaCry Ransomware

Unlike WannaCry, this version of NotPetya does not require that systems be vulnerable to the EternalBlue SMB exploit in order to spread to other systems on a network. Successful infection of one host allows the ransomware to spread to any connected system for which the infected host holds SMB credentials. Therefore, patching the SMB vulnerability and disabling SMBv1 will not prevent the spread of the malware as it did for WannaCry.

– LogRhythm

Students or professionals engaged in cyber security can use the links below to stay updated on security-related issues.