Petya/Petwrap ransomware

Petya/Petwrap ransomware

The evolving digital landscape has brought numerous benefits, from connecting distant corners of the globe to providing instant information access. However, it has also introduced us to challenges and threats, with ransomware being one of the most formidable. Among various ransomware families, Petya, also known as Petwrap, stands out for its unique mechanism and devastating impacts.

Affected Countries

The countries included in the list include the UK, Ukraine, India, The Netherlands, Spain, and Denmark.

Behavior

1. Infection Vector:

Typically, Petya spreads through malicious email attachments. Once the user downloads and executes the file, the infection begins.

2. Master Boot Record (MBR) Attack

Upon infection, Petya overwrites the MBR. This tactic is particularly malicious as it prevents the computer from loading its operating system.

3. Ransom Note Display

Instead of the usual OS loading screen, victims are greeted with a skull logo followed by a ransom note demanding payment in exchange for a decryption key.

Petya/Petwrap Ransomware: Master Boot Record

4. Encryption

Using the Salsa20 algorithm, Petya encrypts the master file table. This makes it nearly impossible for victims to access their files without the specific decryption key.

Actions to be taken

1. Block source E-mail address

2. Block domains

http://mischapuk6hyrn72.onion/

http://petya3jxfp2f7g3i.onion/

http://petya3jxfp2f7g3i.onion/

http://mischa5xyix2mrhd.onion/MZ2MMJ

http://mischapuk6hyrn72.onion/MZ2MMJ

http://petya3jxfp2f7g3i.onion/MZ2MMJ

http://petya3sen7dyko2n.onion/MZ2MMJ

http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin COFFEINOFFICE.XYZ

3. Block IPs

95.141.115.108

185.165.29.78

84.200.16.242

111.90.139.247

4. Apply patches

Refer(in Russian): https://habrahabr.ru/post/331762/

Petya/Petwrap Ransomware: Encryption

5. Disable SMBv1

6. Update Anti-Virus hashes

a809a63bc5e31670ff117d838522dec433f74bee
bec678164cedea578a7aff4589018fa41551c27f
d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
aba7aa41057c8a6b184ba5776c20f7e8fc97c657
0ff07caedad54c9b65e5873ac2d81b3126754aac
51eafbb626103765d3aedfd098b94d0e77de1196
078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
7ca37b86f4acc702f108449c391dd2485b5ca18c
2bc182f04b935c7e358ed9c9e6df09ae6af47168
1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
82920a2ad0138a2a8efc744ae5849c6dde6b435d
myguy.xls

BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FB

Conclusion

Ransomware threats like Petya/Petwrap underscore the importance of robust cybersecurity measures in today’s interconnected world. As cybercriminals grow more sophisticated, awareness and preparedness become our most potent weapons. Stay informed, stay vigilant, and always prioritize the safety of your digital realms.

For more details visit Ideastack.

Frequently Asked Questions

1. Is it advisable to pay the ransom if infected by Petya/Petwrap?

Ransomware threats like Petya/Petwrap underscore the importance of robust cybersecurity measures in today’s interconnected world. As cybercriminals grow more sophisticated, awareness and preparedness become our most potent weapons. Stay informed, stay vigilant, and always prioritize the safety of your digital realms.

2. Can encrypted files be recovered without the decryption key?

It depends on the ransomware variant and the encryption strength. For some older versions of Petya, tools have been developed to decrypt files. However, it’s always best to consult with cybersecurity professionals in the event of an infection.

3. How did Petya/Petwrap become so widespread?

One of the reasons for Petya’s rapid dissemination was its use of the EternalBlue exploit, believed to have been developed by the U.S. National Security Agency (NSA). This exploit took advantage of a Windows vulnerability, allowing the ransomware to spread quickly.

Summary
Article Name
Petya/Petwrap Ransomware
Description
Encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.
Author
Publisher Name
Ideastack
Publisher Logo
Tags: , ,

Leave a Reply

Your email address will not be published.