:: What is Petrwrap?
Petrwrap or Petya is a powerful form of ransomware which denies access to a computer system and then demands money from users to regain access.
This virus is thought to have been compiled on 18 June and initially started in Ukraine, before spreading across the world where it hit banks, government IT systems and energy firms.
:: How does it work?
Instead of encrypting files one by one, it denies access to the full system by attacking low-level structures on the hard disk.
It writes malicious code at the beginning of the disk, which overwrites the system’s master boot record (MBR) and loads a tiny kernel which allows further encryption.
It does not encrypt the full disk, but makes the file system unreadable by encrypting the master file table.
The virus is usually distributed through spam emails containing a download link to a file. It activates once that file is downloaded and opened.
Some of our gov agencies, private firms were hit by a virus. No need to panic, we’re putting utmost efforts to tackle the issue 👌 pic.twitter.com/RsDnwZD5Oj
— Ukraine / Україна (@Ukraine) June 27, 2017
An error message triggered by the virus tells users to reboot. When that takes place, a message appears on screen warning users not to turn off their machine.
If the user tries to reboot again, a flashing red skeleton appears followed by a ransom note asking people to send hundreds of dollars in BitCoin to regain access to their files.
:: Can you get rid of it?
If it is still in the first stage of infection – when the user has not rebooted following the virus-triggered error message – then malware software will be able to remove the virus without damage to files.
After that, it becomes a lot more difficult because it cannot be removed without restoring the MBR settings.
Even if those settings are fixed and the virus is deleted from the system, the files will remain locked because the documents are still encrypted.
The code is impossible to decrypt without a private key. That key is stored on a remote server, which can only be access by paying a ransom to the creators of the virus.