Petrwrap/PetyaWrap seems to be very similar to a less prevalent ransomware variant seen last year, called GoldenEye. Specifically, both differ slightly from other, more common ransomware in that they target the master boot record of the OS rather than individual files. This renders the machine fairly useless and requires a rebuild, whereas with file-encrypting ransomware the victim could simply choose to live without their data or recover from backup.
Below is a screenshot of a machine infected with Petrwrap/PetyaWrap. As yet, no fix for infected machines is known, so prevention is better than cure.
The good news is that customers using up-to-date Sophos Endpoint Protection are protected against all known variants of this ransomware. We first issued protection on June 27th at 13:50 UTC and have released several updates since then to provide further protection against possible future variants.
In addition, customers using Sophos Intercept X / EXP were proactively protected, with no data encrypted, from the moment this new ransomware variant appeared. Intercept X / EXP customers may need to take further steps to reboot an infected computer after cleanup.
Please direct any customers asking about this threat to: https://community.sophos.com/kb/en-us/127027