Today news reports are providing early insight into the Petrwrap virus, which has hit major corporations throughout the world. Reports are coming in from banks, supermarkets and energy companies, with suggestions that the virus was compiled (read: created) on 18 June 2017. The cyber attack has been classified as ransomware and has been likened to WannaCry. In reality, however, it is a different type of cryptolocker using a more complex set of instructions. This appears to be a natural evolution of the ransomware virus, creating a more complex style of attack.
WannaCry was a virus which would encrypt individual files living on a Hard Disk Drive ("HDD"). Petrwrap is known to modify the Master Boot Record ("MBR"), leaving the system unable to boot. The consequence is that the system's data becomes inaccessible, and without access to their data, systems are of limited use.
The MBR is a set of low-level instructions that allow the computer to set out the partitions on the HDD, which in turn enable access to the files that reside on it. If this step fails (Petrwrap blocks this set of instructions), the HDD will not be able to load the Operating System and, as a consequence, the user will be unable to log into or use the system.
As forensic practitioners, we find ourselves asking a series of questions, not only from a personal interest but a cyber insurance perspective, such as:
- If the HDD has full disk encryption, what damage does the Petrwrap virus do?
- Could the MBR of the HDD be replaced by a good copy of the MBR?
- What protection could vendors provide who develop full HDD encryption software?
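The second question above, whether a tampered MBR can be recognised and restored from a good copy, assumes a defender has a known-good baseline to compare against. The following added example (not from this article) parses a 512-byte MBR, records a hash of its bootstrap code, and reports deviations from that baseline; the two MBR sectors are constructed inline, and in practice the sector would be read from the first 512 bytes of the disk device.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of a valid MBR
BOOTCODE_LEN = 446                # bootstrap code precedes the 4 partition entries
ENTRY_FMT = "<B3xB3xII"           # status, CHS start (skip), type, CHS end (skip), LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into bootstrap-code hash, partition table and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[BOOTCODE_LEN + 16 * i: BOOTCODE_LEN + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
            "partitions": partitions}

def check_mbr(sector: bytes, baseline_bootcode_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature missing")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

def build_sample_mbr(bootcode: bytes, entries) -> bytes:
    """Construct a test MBR (sample data, not captured from a real disk)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(bootcode)] = bootcode
    for i, (status, ptype, lba, count) in enumerate(entries):
        sector[BOOTCODE_LEN + 16 * i: BOOTCODE_LEN + 16 * (i + 1)] = struct.pack(ENTRY_FMT, status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed "known-good" MBR: one active NTFS-type partition starting at LBA 2048.
GOOD_MBR = build_sample_mbr(b"\xEB\x3C\x90" + b"\x00" * 443, [(0x80, 0x07, 2048, 204800)])
BASELINE = parse_mbr(GOOD_MBR)["bootcode_sha256"]   # stored when the system is known clean
# Constructed copy whose bootstrap code has been replaced while the partition table is intact.
TAMPERED_MBR = build_sample_mbr(b"\xFA\x33\xC0" + b"\x90" * 443, [(0x80, 0x07, 2048, 204800)])
```

If the partition table still parses cleanly and only the bootstrap code differs, restoring the baseline bootstrap bytes is the repair the second question above asks about; if the table itself is gone, a stored copy of the whole sector is needed.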
The virus was discussed on Kaspersky's website on 14 March 2017, where the nature of the infection, how to remove the threat and how to protect yourself were outlined. It stated that this attack vector is linked to the well-known 'Petya' ransomware which caused havoc at the beginning of this year. Kaspersky had released a virus definition to help prevent this attack spreading. In essence, a flu shot was made available to allow people to take steps in advance and limit their vulnerability to such a virus.
However, as we saw from the WannaCry incident, IT departments are not continuously updating their systems; they are not getting their flu shots, and are allowing their systems to remain susceptible to "known" attacks.
The same old questions keep arising time after time following events like WannaCry and now Petrwrap:
- What will be next?
- When will we be able to protect our systems not only from the "known" viruses but the unknown too?
- When will the security and infrastructure engineers find a more robust way to protect their systems?
These are very complex questions. They are not only difficult to answer but, more importantly, will require a change in the industry to stop new attacks. Developing a system that will not only prevent attacks but also future-proof itself could be a long way off. In the meantime, we must be ready to handle the impact of events such as these attacks.