Malware analysis

RanRan and PetrWrap Threats: Political and Criminal Abuses in the Ransomware Landscape

Pierluigi Paganini
March 21, 2017 by
Pierluigi Paganini

Ransomware continues to be one of the most profitable cyber threats, for this reason, every week we see strains of malware in the wild with new features.

The stories that I am going to tell you demonstrates that these threats could be abused by threat actors with quite different motivations, from the political to the financial one.

A few days ago, malware researchers at Palo Alto Networks Unit 42 had spotted a new strain of ransomware, dubbed RanRan, which has been used in targeted attacks against government organizations in the Middle East.

"Recently, Unit 42 has observed attacks against multiple Middle Eastern government organizations using a previously unseen ransomware family. Based on embedded strings within the malware, we have named this malware 'RanRan.' " reads the analysis published by PaloAlto Networks.

The name RANRAN comes from the payload "Ran" visible in the following debug path within the binary:


The singularity of the attack is that the threat actors instead of asking for the payment of a ransom requested victims to make a political statement on their website to decrypt their files.

The RanRan ransom attempts to extort a political statement by forcing the victims to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.

According to PaloAlto Networks, the intent is to force victims to disclose the hack.

The RanRan threat can encrypt various types of files stored on the infected system, including documents, databases, archives, executables, logs, source code, images, and video files.

RanRan ransomware monitors for windows with titles that contain "task manager" and quickly closes them in the attempt to make difficult to kill the process associated with the malware.

The ransomware also monitors the following services and processes and will periodically stop them:

  • SQLWriter
  • SQLServerAgent
  • Microsoft Exchange Information Store
  • OracleASMService+ASM
  • OracleCSService
  • OracleServiceORCL
  • OracleOraDb10g_home1TNSListener
  • usermanager
  • outlook
  • exchange
  • SQL

The malicious uses to kill the processes to be able to encrypt the associated database files and any other locked by the applications.

The ransomware also attempts to dissuade victims from shutting down their system or run any antivirus solution to avoid "accidental damage on files."

The ransomware appends the .zXz extension to encrypted files and adds an HTML file containing instructions on how to recover the files onto the target system.

According to the researchers, the ransomware is not complicated; they defined it as a "fairly rudimentary" malware. The VXers made several mistakes in the implementation of the encryption process; these errors allowed the researchers at Unit 42 to create a script that can decrypt some of the files encrypted by RanRan.

The RanRan ransomware was developed starting from publicly available source code.

"RanRan makes some mistakes when encryption occurs," continues the analysis published by PaloAlto Networks.

"For one, they use a symmetric cipher (RC4) with a re-used key. Additionally, some files are encrypted, but the originals are not deleted. This is due to a number of reasons, one of which being that encryption is attempted against system files and other files that are opened by running processes."

The experts highlighted that victims of RanRan could decrypt some of the files under specific conditions.

"Because we are provided with a situation where we have an original file, a file that has been encrypted, and the RC4 key is re-used against other encrypted files, we have the ability to decrypt some of this data." continues the analysis.

"This only works in certain instances where the following criteria are met:

  • An encrypted and unencrypted file must be present for a given file size group (0-5MB, 5-30MB, etc). Using these two files, we are able to acquire the RC4 stream cipher.
  • The remaining encrypted files must be of lesser size than the previously obtained stream cipher. If a file is of greater size, it is only able to be partially decrypted."

The RanRan ransomware instructs victims to upload to the subdomain a file named "Ransomware.txt" that contains the text message "Hacked!" and the email address of the attacker.

"The ransom note specifically attempts to extort a political statement by forcing the victims to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader." continues the analysis.

At the time I was writing, the researchers at Palo Alto Networks did not reveal the name of the organizations targeted by the ransomware neither attributed the attacks to a specific threat actor.

"By performing these actions, the victim, a Middle Eastern government organization, has to generate a political statement against the leader of the country," said Palo Alto Networks researchers. "It also forces the victim to publicly announce that they have been hacked by hosting the Ransomware.txt file."

Another novelty in the threat landscape is represented by an evolution of the Petya ransomware that was hacked to target organizations. The Petya ransomware.was first spotted by the experts at TrendMicro one year ago; the malware overwrites MBR to lock users out of the infected machines.

The Petya ransomware causes a blue screen of death (BSoD) by overwriting the MBR with malicious code that encrypts the drive's master file table (MFT). When the victim tries to reboot the PC, it will be impossible to load the OS, even in Safe Mode. Users turning on the computer are displayed a flashing red and white screen with a skull-and-crossbones instead.

Figure 1 - Petya ransomware

The threat actors behind the Petya ransomware are offering the threat with a RaaS model, but a group of attackers developed a special module to patch the original Petya ransomware "on the fly."

Figure 2 - PetrWrap ransomware

The authors of the PetrWrap ransomware have devised a method to force Petya in using an encryption key that is different from the one that the original creators have hard coded.

The implementation of this attack scheme against the original Petya ransomware will allow attackers to decrypt the files at any time. The PetrWrap also removes any reference to the original Petya threat from the ransom note, as well as its animation red skull designed in ASCII.

The attackers first compromised the networks of target organizations, then used the PsExec tool to install a ransomware on all endpoints and servers.

The variant of Petya ransomware the group used in the attacks against the organizations was dubbed PetrWrap.

"The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim's machine." reads the analysis published by Kaspersky. "What's more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection."

Why do hackers hijack the Petya ransomware?

The attackers compromised the Petya code to avoid writing a new ransomware from scratch. The attackers also targeted a stable version of the ransomware that is not affected by any flaw that could be exploited by a security firm to decrypt files for free.

The bad news for the victims is that currently there isn't a recovery tool to decrypt the MFT of hard disk volumes infected by Petya. The experts noticed anyway that because this specific ransomware does not encrypt the file contents, it is possible to reconstruct the file from hard disk raw data by using specific recovery tools.

Summarizing, the PetrWrap ransomware achieves the following goals:

  1. The victim's machine is locked, and the MFT of NTFS partitions is encrypted securely (because Petya v3 which is used in this attack does not have flaws of the earlier versions and implements Salsa20 correctly);
  2. The lockscreen does not show the flashing skull animation and doesn't contain any mentions of Petya which makes it harder to assess the situation and determine the extent of the caused damage;
  3. The developers of PetrWrap did not have to write the low-level bootloader code and risk making mistakes similar to the ones observed in earlier versions of Petya.

RanRan and PetrWrap ransomware are two good examples of possible approaches of the hacker communities to this specific family of malware.

In the first case, we have seen a possible politically use of ransomware, in the second case a smart way of cyber criminals to exploit the work done by peers, maximizing their efforts.

No doubts, ransomware will continue to be among the most dangerous threat in the next months.


Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.