Petrwrap/Petya ransomware outbreak | KPMG Netherlands
Share with your friends

Petrwrap/Petya ransomware outbreak

Petrwrap/Petya ransomware outbreak

As you’ve likely heard by now, on Tuesday 27 June there was a major global malware attack from Petrwrap ransomware that is currently affecting various organizations across Europe. This malware is believed to be a variant of the Petya malware first seen in March 2016.


Partner Cyber Security

KPMG in the Netherlands


Related content

Please be assured that KPMG’s teams are dedicated to assisting clients during this time of uncertainty and will be working around the clock to gather all the information we can on the nature of the malware and the mitigation actions. There are a number of appropriate technical and organizational measures that our teams are advising clients to take in order to mitigate the risk of Petrwrap ransomware and to help ensure you have the current details, we have put together a summary of the malware, how it is spread and immediate measures we recommend you take.

Petrwrap ransomware threats

The Petrwrap ransomware is designed to encrypt the NTFS file system of an infected Windows system, denying you access to data. It will also replace the master boot record of the computer with code to display a ransom demand for $300 in bitcoins. The ransomware is also designed to spread aggressively within your local network environment.

How is it spreading?

There is evidence that the malware has been spread by a rich text file (RTF) attachment to a phishing email. This email has been carefully crafted to exploit a vulnerability (now patched) in the way Microsoft Office handles such files.

The malware also spreads with the local area network by exploiting vulnerabilities (also now patched) in the Microsoft Server Message Block (SMB) protocol which supports file sharing between Windows systems. This includes the same vulnerability used in the recent WannaCry malware attack.

The malware also has the capability to “harvest” user credentials from compromised systems and use these credentials to gain access to, and infect, additional systems on the local network.

Unlike the recent WannaCry incident, it has not been possible to discover a means of remotely disabling the malware (a “kill switch”), and as such there is a risk of aggressive spread within local networks.

There are indications that the creation of the file: "C:\Windows\perfc.dat" or blocking execution of this file using tooling such as Microsoft Applocker limits the infection. This does not prevent you from becoming infected, however there are indications that Petrwrap is limited in functionality.

Immediate measures

Ensure the following communication and precautionary measures are undertaken, including:

  • communication to be released to all users on not opening emails from unknown sources
  • be wary of unsolicited emails that demand immediate action 
  • do not click on links or download email attachments sent from unknown users or which seem suspicious
  • all users should be required to ensure that anti-virus software is updated, noting that AV vendors are releasing urgent updates for this malware
  • maintain up-to-date backups of files and regularly verify that the backups can be restored
  • monitor your network, system, media and logs for any malicious software, possible ex-filtration of data, abnormal behaviour or unauthorized network connections
  • patch Windows machines in your environment (post proper testing). In particular ensure that the patches for CVE-2017-0199 (RTF vulnerability) released on 11th April 2017, and for CVE-2017-0147 (SMB vulnerability) released in March 2017 as part of Microsoft Security Bulletin MS17-010 have been applied
  • practice general safe online behaviour
  • report all incidents to IT helpdesk, immediately!

KPMG’s teams are committed to helping you understand, prioritize and manage your cyber security risks. We continue to assess the impact of Petrwrap ransomware and will keep you apprised on any critical developments.

Should you need any additional information or support, please reach out to the contacts below directly.

Ronald Heil
Director Cyber Security,
020 656 8033

Lars Jacobs
Assistant-Manager Cyber Response
020 656 4319

Jeroen de Wit
Manager Cyber Defense
020 656 8785

John Hermans
Partner Cyber Security
020 656 8394

Connect with us


Request for proposal