Hit by Petrwrap ransomware? Don’t reboot!

Ransomware seems to be all the rage lately. Less than two months ago various organisations around the world were hit by the WannaCry ransomware virus, its most notable victim here in the UK being the NHS. Petrwrap is the latest to have gone global. Ukrainian computer systems were hit first, but such is the nature of the Internet that it has spread extremely fast.

What is “Petrwrap”?
Like WannaCry, Petrwrap is a ransomware virus designed to encrypt files on your computer, effectively holding you to ransom. You can obtain a key to decrypt your files and get them back – but not before paying a sum of money, usually using a digital form of currency such as Bitcoin.

It’s a variant of a virus called Petya which hit computers in 2016. Petrwrap is thought to have been compiled on 18th June 2017 and so far it’s reported to have affected government systems, banks and energy companies globally.

What does it do?
Petrwrap is more destructive than the WannaCry virus. It does encrypt individual files while Windows is running, but the damaging step is that it also overwrites the Master Boot Record (MBR). The MBR is the first sector of the disk; its boot code tells the machine where to find the code that starts your Operating System. Petrwrap writes its own boot code there, so on the next restart its own tiny "operating system" loads instead of Windows. Running before Windows, with raw access to the disk, it then encrypts the NTFS Master File Table (MFT), the index that records where every file on the volume lives, which it could not get at from inside a running system. Without a readable MFT the Operating System cannot find any files, even those whose contents were never touched.
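To make the boot-sector point concrete, here is an added example (my own, not code from the original post or from any Petya analysis) in Python that parses a 512-byte MBR and compares a hash of its boot code with a baseline taken from a known-clean machine. The MBR bytes are constructed in the script for demonstration; on a real Windows machine you would read sector 0 of \\.\PhysicalDrive0 as administrator, or carve it from a disk image. The point it illustrates: a bootkit that replaces the boot code can leave the partition table and the 0x55AA signature perfectly valid, so a structural check passes and only the hash of the boot code reveals the change.

```python
"""Added example (not from the original post): parse a 512-byte Master Boot
Record (MBR) and check its boot code against a known-good baseline hash.

A bootkit that replaces the boot code in sector 0 can keep the partition
table and the 0x55AA signature untouched, so hashing the first 440 bytes
(the boot code area) against a baseline taken from a clean machine is the
check that actually notices the change.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # boot code occupies bytes 0..439
PART_TABLE_OFFSET = 446       # four 16-byte partition entries at 446..509
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed demo MBR (not a real disk): the given boot code, a made-up
    disk signature, one bootable NTFS-typed (0x07) partition, valid signature."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"   # bytes 440..445
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)          # three empty slots
    return boot + disk_sig + table + BOOT_SIGNATURE


def parse_mbr(data: bytes) -> dict:
    """Return the boot-code hash, the signature check and the used partition entries."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, data[off:off + PART_ENTRY_LEN])
        if ptype != 0:                                       # type 0 = unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_matches_baseline(data: bytes, baseline_sha256: str) -> bool:
    """True when sector 0's boot code is byte-for-byte what the baseline recorded."""
    return parse_mbr(data)["boot_code_sha256"] == baseline_sha256


def read_mbr(path: str) -> bytes:
    r"""Read sector 0 from a raw device or a disk image: on Windows open
    \\.\PhysicalDrive0 as administrator, on Linux /dev/sda."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed data: a "clean" MBR whose boot code starts like a normal x86
# boot sector (xor ax,ax / mov ss,ax / mov sp,0x7c00), and a "tampered" copy
# with the same partition table and signature but different boot code.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # recorded on the clean machine
TAMPERED_MBR = build_sample_mbr(b"\xfa\xea\x00\x7c\x00\x00")


if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(mbr)
        print(f"{name}: signature_ok={info['signature_ok']} "
              f"partitions={info['partitions']} "
              f"baseline_match={boot_code_matches_baseline(mbr, BASELINE_SHA256)}")
```

Both sample MBRs parse as structurally valid with an identical partition table; only the boot-code hash separates them. In practice you would record the baseline hash per machine (or per disk image of a standard build) when it is known clean and compare against it from a monitoring agent or during incident triage.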

Is there a way to stop my system becoming infected?
As always, make sure you have up-to-date anti-virus software installed, and that Windows has the latest security updates: inside a network Petrwrap spreads using the same SMB exploit (EternalBlue, fixed by Microsoft in the MS17-010 update) that WannaCry used, together with administrator passwords stolen from memory on machines it has already infected, so one unpatched PC or a local administrator password shared across machines lets a single infection become many. The first infections were traced to a malicious update pushed through the Ukrainian M.E.Doc accounting software rather than to email, but the usual email advice still applies: only open attachments you are expecting or that come from a trusted source, do not click on links in emails unless you are absolutely certain they are safe, and when you do, check the address bar in your browser before entering anything.

As a side note, I emailed a UK photographer this morning after receiving an email claiming my PayPal account had been restricted. It looked like the photographer’s website had a vulnerability in their WordPress installation, which allowed the upload of a redirect script to attempt to steal my credentials. Clicking the link in the email could very well have downloaded and infected my machine with Petrwrap or any other virus.

Too late – I was silly, opened an attachment and I’m being told to reboot…
Don't! Once the machine restarts the replaced boot code runs, and that is when the real damage is done: a screen that looks like Windows CHKDSK "repairing" the disk appears while the MFT is being encrypted underneath it. Petrwrap also schedules a restart itself, so if you see that screen, switch the machine off at the power rather than let it finish. Until the restart, only the boot sector has been changed, and it can be repaired: the only known way to get the system starting again is to restore the Master Boot Record (for example with bootrec /fixmbr from Windows recovery media), which most people won't know how to do, and which only gets you back into Windows or whatever Operating System you use if the MFT had not yet been encrypted. Either way, the files Petrwrap encrypted while Windows was still running stay encrypted. Your best bet from there is to revert to a backup (I'm assuming you have one. If you haven't, stop reading and get backing up.) As well as using cloud services such as Dropbox for backups, I have one of these which is extremely useful for this purpose: WD 2TB My Cloud Personal Network Attached Storage. Whatever you use, keep at least one copy that isn't permanently mapped as a drive on the PC, or that keeps old versions of files, so that malware running under your account can't reach it too.

It's been reported that anti-virus/anti-malware can remove Petrwrap, but removing the malware does not decrypt anything it has already encrypted, so I would reiterate my previous comment: revert to backup.

I’m concerned about network security for my business – any pointers?
Businesses should always be on top of their IT infrastructure and security; there are a number of companies who can help with network security, training and penetration testing. If you would like to discuss security requirements for your organisation, please get in touch with Brier & Thorn.
