May 18, 2016

Mischa: a friend for Petya and yet more ransomware for the rest of the world

News Threats

[Updated on June 28, 2017]

Petya and Mischa are friends. They usually do everything together….

Oh, wait, this is not some “Russian for Dummies” book, it’s the Kaspersky Daily blog. So, Petya and Mischa are both ransomware, and they are delivered to the user together, in one package.

Mischa ransomware: Petya's accomplice

If you are a regular visitor to this blog, or if you keep track of cybersecurity news, you probably know what Petya is. We dedicated two separate posts to it, because in couple of weeks after Petya emerged Twitter user @leo_and_stone came up with a decryptor for Petya.

Petya stood out from the ransomware crowd because it didn’t just encrypt certain types of files, but rather made the whole hard drive of a computer unreadable by encrypting its Master File Table. For this reason, any user who fell victim to Petya needed another PC just to pay the ransom. Well, after leo_and_stone created his encryption tool, Petya victims still needed another PC, but it was to decrypt their files without paying the ransom.

Meet Mischa

Petya had a weakness. To start doing its dirty job, Petya required root access privileges. Unless a user agrees to grant those privileges by pressing ‘Yes’ button, Petya could not harm the user’s computer. So Petya’s creators remedied their slip-up by bundling Petya with another piece of ransomware — one with another Russian-sounding name, Mischa.

There are two main differences between Petya and Mischa. Petya deprives you of the whole hard drive, whereas Mischa encrypts only certain file types, and that is probably the good news. The bad news is that unlike Petya, Mischa doesn’t require administrator access privileges. Looks like their creators think that Petya and Mischa complement each other very well.

Mischa looks more like a common piece of ransomware of the sort that pops up every now and then. It uses AES encryption to encrypt data files on your computer. As the Bleeping Computer blog notes, it adds a four-character extension to the encrypted files so that, for example, test.txt becomes test.txt.7GP3.

The list of file types that Mischa prefers for its grim dinner is rather huge; it even includes .exe files, meaning that Mischa prevents users from running almost any programs. However, while encrypting, Mischa skips the Windows folder and the folders of installed browsers. After its dirty job is done, Mischa creates two files with payment instructions for the user: YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT.

Petya and Mischa are distributed via phishing letters pretending to be job applications. When Mischa malware was discovered, it came in a file called PDFBewerbungsmappe.exe (German for “PDF job application documents”). The use of German language in the file name and the way this ransomware is distributed indicates its main target: German-speaking enterprises.

When a user attempts to open the .exe file that contains both Mischa and Petya, a User Account Control window pops up, asking if the user is willing to grant administrative access privileges to the program. This is one of those unpleasant moments when both choices are bad. If the user chooses “Yes,” Petya is installed. Selecting “No” installs Mischa.

Mischa seems to be even greedier then Petya: It demands about 1.93 bitcoins as ransom, which is approximately $875. Petya asked for 0.9 bitcoins.

Fun fact (if there can be anything fun about ransomware at all): Petya is a Russian name, and Mischa may also look like one, but actually, it isn’t. A Russian-speaking person would use Misha, without the “c” in the middle — it sounds quite weird with the “c”!

Unfortunately, no decryption tools are available for Mischa yet. There is one for Petya, but running it requires spare PC and some skills.

So, to avoid falling victim to Petya or Misсha, or whatever Vasya, SuperCrypt, El Rapto, etc. comes next, we recommend you do the following:

1 Make backups. Do it frequently and diligently. If you have current backups of your files, you can tell this ransomware to … well, whatever you want it to do.

2. Trust no one and be educated. A job application has an .exe extension? Hmm, looks suspicious — don’t open it. Better safe than sorry!

3. Install a good security solution. Kaspersky Internet Security has multiple levels of protection, and it won’t let Mischa or other ransomware through.

Kaspersky Internet Security has an anti-spam component that protects you from spam and phishing mails. It has anti-virus that detects Mischa and Petya, aka Trojan-Ransom.Win32.Mikhail and Trojan-Ransom.Win32.Petr, and gets rid of them. It also has a System Watcher feature, which detects unusual activity (for example, attempts to encrypt multiple files) and blocks it. Kaspersky Total Security has all of the aforementioned features, plus a tool for creating automated backups.

Update from June 28, 2017

If you’re looking for information regarding the new Petya / NotPetya / ExPetr ransomware outbreak, we have a dedicated post with advice on how to protect your files.