{
	"id": "42c2cd2e-e538-49bd-896d-e548e78c6ccc",
	"created_at": "2026-04-06T00:14:00.612692Z",
	"updated_at": "2026-04-10T03:22:08.640013Z",
	"deleted_at": null,
	"sha1_hash": "d8617d049a2d09571d98f5166dee47a78f241e8f",
	"title": "PetrWrap: the new Petya-based ransomware used in targeted attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101841,
	"plain_text": "PetrWrap: the new Petya-based ransomware used in targeted attacks\r\nBy Anton Ivanov\r\nPublished: 2017-03-14 · Archived: 2026-04-05 21:54:02 UTC\r\nUPDATE June 27, 2017: For the new wave of Petya/Petrwrap/NotPetya/exPetr ransomware attacks, read: Schroedinger’s Pet(ya)\r\nThis year we found a new family of ransomware used in targeted attacks against organizations. After penetrating an organization’s network, the threat actors used the PsExec tool to install ransomware on all endpoints and servers in the organization. The next interesting fact about this ransomware is that the threat actors decided to use the well-known Petya ransomware to encrypt user data. As you may know, this family of ransomware has a RaaS model, but the threat actor decided not to use this ability. To get a workable version of the ransomware, the group behind PetrWrap created a special module that patches the original Petya ransomware “on the fly”. This is what makes this new malware so unique.\r\nTech details\r\nThe PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine. What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya at runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.\r\nModus operandi\r\nAfter being launched, PetrWrap delays its execution (it sleeps for 5400 seconds = 1.5 hours). After that it decrypts the main DLL of Petya from its data section and gets ready to call its exported function ZuWQdweafdsg345312. This function normally prepares Petya for further operations and starts the MBR overwrite process. PetrWrap, however, needs to hook a couple of Petya’s functions first, so it replaces the instructions that call Petya’s DllEntryPoint with NOPs (hex bytes 0x90). This prevents Petya from proceeding on its own and allows PetrWrap to make all the necessary computations and preparations before letting it continue.\r\nhttps://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/\r\nPage 1 of 5\r\nMain function of PetrWrap\r\nAfter that PetrWrap makes the necessary cryptographic computations (we’ll discuss them in more detail below), hooks two Petya procedures (which are responsible for the generation of the configuration data, dubbed petya_generate_config, and for the MBR overwrite process, dubbed petya_infect) and then passes execution to Petya. For more information on what the original Petya was capable of, please see our previous publication.\r\nCryptographic scheme\r\nNormally, Petya generates a 16-byte key and uses the Salsa20 cipher to encrypt the MFT of the NTFS partitions found on local drives. To make decryption possible only by its operators, it uses the Elliptic Curve Diffie-Hellman (ECDH) key agreement algorithm with the curve secp192k1 and a public key embedded into Petya’s body.\r\nThe criminals behind PetrWrap faced a problem: if they used Petya as is, they would be unable to decrypt the victim’s machine because they would need the Petya operators’ private key. So what they decided to do was to completely replace the ECDH part of Petya with their own independent implementation and use their own private and public keys.\r\nThe PetrWrap implementation uses cryptographic routines from OpenSSL (whereas Petya used the mbedtls library) and proceeds as follows:\r\n- The Trojan contains an embedded public key master_pub (which is a point on the curve prime192v1, which is again different from the one chosen by Petya);\r\n- During each infection PetrWrap generates a new pair of session keys ec_session_priv + ec_session_pub;\r\n- Computes ecdh_shared_digest = SHA512(ECDH(master_pub, ec_session_priv));\r\n- ‘Intercepts’ the salsa key generated by Petya and encrypts it using ecdh_shared_digest (there are a number of semi-useless manipulations which come down to essentially encrypting the salsa key with AES-256 using different parts of ecdh_shared_digest as the key and IV);\r\n- Constructs user_id, which is a string representation that contains the encrypted salsa key and the ec_session_pub;\r\n- Passes this user_id to Petya, which uses it as if it was its own data (puts it into the configuration for the bootloader to be shown to the user after the PC reboots).\r\nThe ECDH shared key computation implemented in PetrWrap\r\nHooked procedures\r\nPetrWrap hooks two procedures in Petya which we will call petya_infect and petya_generate_config and replaces them with its own procedures dubbed wrap_infect and wrap_generate_config.\r\nwrap_infect implements the following functionality:\r\n- saves the salsa key generated by Petya for further use;\r\n- patches the Petya bootloader code and ransom text in order to skip the flashing skull animation and to wipe all mention of Petya in the ransom message;\r\n- passes execution to the original petya_infect procedure.\r\nwrap_generate_config in turn does the following:\r\n- calls the original petya_generate_config procedure;\r\n- generates the user_id string according to the algorithm described in the previous paragraph;\r\n- replaces Petya’s id string with this newly generated user_id.\r\nThe screen of the infected machine\r\nTechnical summary\r\nAs a result of all the manipulations described above, PetrWrap achieves the following goals:\r\n1. The victim’s machine is locked and the MFT of NTFS partitions is encrypted securely (because Petya v3, which is used in this attack, doesn’t have the flaws of the earlier versions and implements Salsa20 correctly);\r\n2. The lockscreen doesn’t show the flashing skull animation and doesn’t contain any mention of Petya, which makes it harder to assess the situation and determine the extent of the damage caused;\r\n3. The developers of PetrWrap didn’t have to write the low-level bootloader code and risk making mistakes similar to the ones observed in earlier versions of Petya.\r\nDecryption\r\nUnfortunately, this family of ransomware uses a strong encryption algorithm, meaning a decryption tool is out of the question. However, victims can try restoring files using third-party tools such as R-Studio.\r\nDetection\r\nKaspersky products successfully detect this ransomware as Trojan-Ransom.Win32.PetrWrap and PDM:Trojan.Win32.Generic.\r\nConclusion\r\nTargeted attacks on organizations with the main aim of encrypting data are becoming more popular. The groups using ransomware in their targeted attacks usually try to find vulnerable servers or servers with unprotected RDP access. After penetrating an organization’s network, they use special frameworks like Mimikatz to obtain the credentials necessary for installing ransomware throughout the network. To protect against such attacks, organizations need to keep their server software up to date, use secure passwords for remote access systems, install security solutions on their servers and use security solutions with behavioral detection components on their endpoints.\r\nSample MD5\r\n17c25c8a7c141195ee887de905f33d7b – Trojan-Ransom.Win32.PetrWrap.b\r\nSource: https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/"
	],
	"report_names": [
		"petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434440,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8617d049a2d09571d98f5166dee47a78f241e8f.pdf",
		"text": "https://archive.orkl.eu/d8617d049a2d09571d98f5166dee47a78f241e8f.txt",
		"img": "https://archive.orkl.eu/d8617d049a2d09571d98f5166dee47a78f241e8f.jpg"
	}
}