Thieves steal Petya ransomware then use it for free

Modifications make the malware harder to detect

Crooks are stealing code from the purveyors of Petya ransomware and using it to extort money from innocent victims, stiffing the creators of the malware out of the cut they are supposed to get.

Rather than following the rules of licensing Petya, another criminal group is stealing and modifying the ransomware so they can use it without paying, according to the SecureList blog by researchers at Kaspersky Lab.

+More on Network World: DARPA fortifies early warning system for power-grid cyber assault+

The second criminal group modifies Petya using its own malware, called PetrWrap. The modifications force Petra to wait an hour and a half before launching and modifies Petya code at runtime so it won’t be detected by signature-based defenses.

It also uses its own cryptographic scheme to encrypt the victims’ files so when it comes time to decrypt the files of victims who pay the ransom, it doesn’t have to rely on the authors of Petya to supply the private encryption keys, the researchers say.

It makes cosmetic changes, too, such as removing a flashing skull animation that is part of the Petya ransom message.

Petya has been around for a year or so, and distinguished itself by overwriting the master boot record of infected machines. So rather than just encrypt files as most ransomware does, Petya also prevents the operating system from starting up.

+More on Network World: Old nemesis spam becoming significant way for attackers to subvert data+

For victims, the result is the same whether it’s from the PetrWrap band or the Petya service providers. Their machines are compromised and they have to pay ransom in order to get their machines unlocked and files decrypted.

This practice of thief stealing from thief isn’t new among malicious actors. In January, a set of criminals was purging all the data stored on internet-facing MongoDB servers and demanding payment before they would return it. Another set of criminals deleted the ransom notes and replaced them with their own. It was unlikely paying ransom to either party would get the data back.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Kaspersky

Show Comments
[]