CIPHER ALERT - New Global Threat Petya or Petwrap

News of a new global ransomware attack began to emerge this morning (6-27-2017). Companies in Ukraine, Spain, the Netherlands, Denmark and the United Kingdom have already been impacted, and some have decided to interrupt their operations.


The new threat is a variant of the ransomware known as Petya, called Petwrap, that behaves differently from traditional threats of this type. Instead of encrypting files one by one, the malware totally denies access to the system by attacking the boot sector of hard disks on infected devices.

To do this, attackers created a boot loader and a small kernel that rewrites the master boot record (MBR) on disks. This sector registers which files should be executed to start the computer, so overwriting it totally blocks access to the operating system and files. The Master File Table is also encrypted, rendering data inaccessible.

According to the VirusTotal portal, only 13 of the 61 antivirus products available on the market are able to detect and block the threat, and there are already reports of users paying the ransom demanded by the attackers.

Malware analysis indicates that it is delivered through phishing-type emails, which contain a ZIP file stored in Dropbox. Once the user runs this file, the system crashes and restarts automatically, allowing the boot sectors to be corrupted.

After restarting the machine, an imitation of the Check Disk application (CHKDSK) is loaded and initiates the encryption process, showing a screen with ransom details to be paid by the user in Bitcoins after the process is completed.

What is most noticeable is that, despite all the damage caused by WannaCry, which exploited the SMBv1 vulnerability on Windows operating systems, the new threat is apparently using the same exploit to infect systems. Even more surprising is that Microsoft released a patch to correct this security flaw months ago.

While Petya requires administrative permissions to function, this variant also includes a second ransomware payload named Mischa that does not require administrative permissions. Mischa encrypts the files themselves, both data files and executables.

CIPHER recommendations are:

  • Do not open, download, or run files on suspicious e-mail messages and links;
  • Use the VirusTotal portal to scan suspicious files; the tool is free and uses the best antivirus engines available to create an infection report on files;
  • Keep operating systems up to date;
  • Use a paid antivirus and make sure its signatures are up to date as well.



Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited Managed Security Services holding ISO 20000 and ISO 27001, SOC I and SOC II, PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past five years. These services are supported by the best in class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and R&D laboratories, complemented by strategic partners around the globe. 

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions.
