Petrwrap ransomware outbreak | KPMG | CA
Share with your friends

Petrwrap ransomware outbreak

Petrwrap ransomware outbreak

An outbreak of ransomware, referred to as Petrwrap is impacting organizations globally


Partner, Advisory Services, Cyber Security

KPMG in Canada


Related content

Another major ransomware attack occurred yesterday and is impacting organizations across the globe. With developments and news continuing to unfold, we want to share an overview of what we know thus far about this ransomware, which has been referred to as Petrwrap.

In summary, the Petrwrap ransomware is designed to encrypt the NTFS file system of an infected Windows system, denying users access to data. It will also replace the master boot record of the computer with code to display a ransom demand for $300 in bitcoins. The ransomware is designed to spread aggressively within local network environments.

Petrwrap background

  • Petrwrap has considerable commonality of code to Petya, a ransomware strain first seen in March 2016, but is a distinct strain of ransomware.
  • Initial infection vectors are believed to include phishing emails, which in some cases are known to have originated from the source address “wowsmith123456@posteo[.]net”. The phishing email included an attached file (Order-20062017.doc) which is a carefully crafted rich text file (RTF) designed to exploit a known vulnerability in Microsoft Office and WordPad (CVE-2017-0199). Microsoft issued a patch for this issue on the 11 April 2017.
  • Previewing or opening the attached file will trigger the vulnerability and a bootstrap sequence which results in the download and execution of a HTA file “myguy.xls” from IP address This then executes a Powershell command to download an executable file from french-cooking[.]com. This file connects to two web servers 111.90.139[.]247 and COFFINOFFICE[.]XYZ.
  • The ransomware will create a scheduled task to reboot the infected system between 10-60 minutes after infection, as well as overwriting the master boot record (MBR) with a customized loader and ransom note.
  • The ransomware does not appear to communicate back to an external host, but will scan all IP addresses on the local network to attempt to locate systems with open TCP ports 445 and 139 used by the Microsoft Server Message Block (SMB) protocol. Any machines with these ports open will then be exploited using Code from the EternalBlue or EternalRomance exploits released by the Shadow Brokers hacker group on 14 April 2017. These vulnerabilities were addressed by Microsoft Security Bulletin 17-010 and the associated patches issued on 14 March 2017, and the subsequent emergency patch issued for unsupported Windows XP, Windows 8 and 2003 systems on the 15 May 2017.
  • Credentials will also be harvested from the infected system’s local security authority (lsass) process, in a manner similar to the Mimikatz tool. These credentials will be used to exploit other systems using the Windows Management Instrumentation (WMI) interface or PsExec tool. An infected system with administrative credentials can result in this malware propagating all other systems on the network.
  • On system reboot, the ransomware will begin encrypting the master file table of NTFS file system partitions, as well as displaying a ransomware message demanding payment of $300 in bitcoin.
  • All major anti-virus vendors are in the process of updating their signature files to detect this malware.

Immediate measures

  1. Patch your systems – particularly MS17-010
  2. Ensure you have the latest anti-virus software
  3. Be wary of unsolicited emails that demand immediate action
  4. Do not click on links or download email attachments sent from unknown users or which seem suspicious
  5. Conduct regular backups.

KPMG is committed to helping you understand, prioritize and manage your cyber security risks. We continue to assess the impact of Petrwrap ransomware and will keep you apprised on any critical developments. Please reach out to Yassir Bellout with any questions or concerns, or visit our Cyber Services page. As always, please be extra vigilant with unsolicited emails and notify your IT helpdesk if you receive any suspicious emails.

Connect with us


Request for proposal