Thieves steal Petya ransomware then use it for free

Modifications make the malware harder to detect


Crooks are stealing code from the purveyors of Petya ransomware and using it to extort money from innocent victims, stiffing the creators of the malware out of the cut they are supposed to get.

Rather than following the rules of licensing Petya, another criminal group is stealing and modifying the ransomware so they can use it without paying, according to the SecureList blog by researchers at Kaspersky Lab.


The second criminal group modifies Petya using its own malware, called PetrWrap. The modifications force Petya to wait an hour and a half before launching and patch Petya's code at runtime so it won't be detected by signature-based defenses.

It also uses its own cryptographic scheme to encrypt the victims' files, so when it comes time to decrypt the files of victims who pay the ransom, it doesn't have to rely on the authors of Petya to supply the private encryption keys, the researchers say.

It makes cosmetic changes, too, such as removing a flashing skull animation that is part of the Petya ransom message.

Petya has been around for a year or so, and distinguished itself by overwriting the master boot record of infected machines. So rather than just encrypt files as most ransomware does, Petya also prevents the operating system from starting up.
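Because Petya's distinguishing behaviour is overwriting the master boot record, one defensive check is to baseline the boot sector of a machine while it is known good and alert when the boot-code area later changes. The script below is an added illustration, not code from the Kaspersky research or from Network World: it reads the first 512-byte sector, verifies the standard 0x55AA boot signature, hashes only the boot-code bytes (0 to 445, so a legitimate partition-table edit does not trigger an alert), and compares that hash to a stored baseline. The sample sectors it builds are constructed for the demonstration; `read_mbr` and the baseline-storage location are assumptions about how it would be deployed.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0-445 hold the boot code; 446-509 the partition table
BOOT_SIGNATURE = 0xAA55      # stored little-endian as 55 AA at offset 510


def build_sample_mbr(boot_code: bytes, signature: int = BOOT_SIGNATURE) -> bytes:
    """Construct a synthetic 512-byte boot sector for testing (not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:min(len(boot_code), BOOT_CODE_LEN)] = boot_code[:BOOT_CODE_LEN]
    struct.pack_into("<H", sector, 510, signature)
    return bytes(sector)


def has_boot_signature(sector: bytes) -> bool:
    """A valid MBR is exactly one sector long and ends with the 0x55AA marker."""
    if len(sector) != SECTOR_SIZE:
        return False
    return struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code area only; the partition table is excluded on purpose."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> str:
    """Return 'ok', 'modified' (boot code differs from baseline) or 'invalid' (bad sector)."""
    if not has_boot_signature(sector):
        return "invalid"
    if boot_code_hash(sector) != baseline_hash:
        return "modified"
    return "ok"


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device or disk image (assumed deployment helper;
    needs elevated privileges on a real device, e.g. /dev/sda or \\\\.\\PhysicalDrive0)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    # Constructed baseline: pretend this is the boot code captured on a clean machine.
    good = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64)
    baseline = boot_code_hash(good)

    # Constructed tampered sector: same partition table, different boot code.
    tampered = build_sample_mbr(b"\xeb\x3c\x90" + b"\xcc" * 64)

    print("clean sector  :", check_mbr(good, baseline))      # ok
    print("tampered      :", check_mbr(tampered, baseline))  # modified
    print("no signature  :", check_mbr(build_sample_mbr(b"\x00", 0), baseline))  # invalid
```

The baseline hash should be captured from a known-good state and kept off the host (for example in a configuration-management or endpoint-monitoring system), since malware that can rewrite the MBR can also rewrite a locally stored baseline. Petya also writes beyond sector 0, so a fuller check would cover the following sectors as well.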


For victims, the result is the same whether it’s from the PetrWrap band or the Petya service providers. Their machines are compromised and they have to pay ransom in order to get their machines unlocked and files decrypted.

This practice of thief stealing from thief isn’t new among malicious actors. In January, a set of criminals was purging all the data stored on internet-facing MongoDB servers and demanding payment before they would return it. Another set of criminals deleted the ransom notes and replaced them with their own. It was unlikely paying ransom to either party would get the data back.

Tim Greene covers security and keeps an eye on Microsoft for Network World.