
Mischa Ransomware Bonds with Petya Ransomware


Petya ransomware now spreads with a copy of itself – Mischa. Petya, as before, asks for admin privileges to encrypt the MBR, but now if that fails, Mischa ransomware is loaded, which encrypts files on the infected PC. Considering how the two crypto-viruses operate and their names, the James Bond movie GoldenEye comes to mind. In the movie, there is a weapon named GoldenEye, consisting of two satellites named Petya and Mischa. The criminals in the film worked for the organization Janus – the ransomware owners identify themselves with the same name.

Mischa encrypts files with an extension consisting of four random symbols. To see how to remove the ransomware viruses and what you can try to restore your files, you should read the whole article.

UPDATE! A new version of Petya and Mischa has been found, calling itself GoldenEye Ransomware. More information and decryption attempts below:
Remove GoldenEye Ransomware and Decrypt Encrypted Drives

Threat Summary

Name: Mischa Ransomware
Type: Ransomware
Short Description: Petya ransomware encrypts the MBR. If that fails, Mischa ransomware loads and encrypts files.
Symptoms: The ransomware creates a file named YOUR_FILES_ARE_ENCRYPTED. Mischa appends an extension of four random characters to each encrypted file.
Distribution Method: Spam emails, email attachments, executable files


Mischa Ransomware – Delivery

Mischa ransomware comes bundled with Petya ransomware. The delivery method is the same as for the previous variant of Petya: spam emails. The emails are very detailed and are written in proper German grammar and vocabulary. The attached files are named Bewerbungsfoto.jpg and PDFBewerbungsmappe.exe. The malware is found in these attachments, mainly in the executable file. Don’t open emails that look suspicious or come from an unknown source.

[Image: the Bewerbungsfoto.jpg picture attached to the spam email]

The image above shows the attached picture. Beware that social media sites and file-sharing services might also host files carrying the malware, as its creators could have disguised them and uploaded them there. As before, the email may instead contain a link to Dropbox, accompanied by a statement that a CV or related document is stored there because the files are too large to attach to the email.

Mischa Ransomware – More Information

Petya ransomware now comes bundled with a companion called Mischa.

Petya still asks for administrative privileges so that it can encrypt the Master Boot Record (MBR). This time, however, there is a fallback if the user does not grant those privileges: Mischa ransomware is loaded instead and encrypts files on the infected machine.


Judging from how the two crypto-viruses operate, like a double-edged sword, and putting their names together, one can only think of GoldenEye. In this James Bond movie, there is a weapon named GoldenEye, consisting of two satellites named Petya and Mischa. Not to mention that the criminals in the movie worked for an organization called Janus – the same name is used here for the cyber crooks to identify themselves. The GoldenEye weapon in the film could destroy all electronic devices, and the crippling effect that these crypto-viruses aim for is not far from that.

Petya ransomware will still encrypt the MBR, which holds the boot code and partition information needed to load an operating system. No OS will load if the MBR is missing or damaged (in this case – encrypted). If a user grants administrative privileges to the malware and restarts the computer, the MBR is locked and the same ASCII-art skull is shown, this time in green:

[Image: Petya/Mischa boot screen showing the green ASCII skull]

Mischa creates the following files:

  • YOUR_FILES_ARE_ENCRYPTED.HTML
  • YOUR_FILES_ARE_ENCRYPTED.TXT

They contain the ransomware instructions, which you can see in the image below:

[Image: the YOUR_FILES_ARE_ENCRYPTED ransom note]

The file reads the following:

You became victim of the MISCHA RANSOMWARE!

The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to
restore your data without a special key. You can purchase this key on the darknet page shown in step 2.

To purchase your key and restore your data, please follow these three easy steps:

1. Download the Tor Browser at “https://www.torproject.org/”. If you need
help, please google for “access onion page”.

2. Visit one of the following pages with the Tor Browser:

http://mischapuk6hyrn72.onion/1MZKMy
http://mischa5xyix2mrhd.onion/1MZKMy

3. Enter your personal decryption code there:

The ransom price is 1.93 Bitcoins, or nearly 880 US dollars, which is more than double the price demanded by the previous variant. Do NOT pay the ransom. Giving money to the creators will only encourage them to make more variants, or worse. There is also no guarantee that you will get your files back if you pay.

Mischa ransomware locks all kinds of files with almost any extension, even files with a .exe extension. As a result, you might not be able to run programs, including anti-malware ones. The encryption process combines 4096-bit RSA with 256-bit AES.

After Mischa completes the encryption process, all files will have an extension appended to them, consisting of four random symbols. The extension varies from user to user, but these are the known ones:

  • .cRh8
  • .3P7m
  • .aRpt
  • .eQTz
  • .3Rnu

Mischa ransomware may also delete or damage the Shadow Volume Copies of the Windows operating system. Nevertheless, you should check the instructions after removal for ways to possibly restore your files.
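As an added example (not part of the original article and not the malware authors' or any vendor's code), here is a small Python scan a defender could run over a user profile to flag the two ransom-note files and files carrying the four-character extensions described above. The sample directory it builds is constructed, and the heuristic it uses for unknown four-character extensions is an assumption, not something the article states.

```python
import os
import re
import tempfile

# Ransom-note names and the observed extensions are taken from the article.
RANSOM_NOTES = {"YOUR_FILES_ARE_ENCRYPTED.HTML", "YOUR_FILES_ARE_ENCRYPTED.TXT"}
KNOWN_EXTENSIONS = {".cRh8", ".3P7m", ".aRpt", ".eQTz", ".3Rnu"}
# Mischa appends four random symbols after the real extension, e.g. report.docx.cRh8
DOUBLE_EXT = re.compile(r"^.+\.[A-Za-z0-9]{3,4}\.([A-Za-z0-9]{4})$")

def classify(name):
    """Return 'note', 'known', 'suspect' or None for one file name."""
    if name in RANSOM_NOTES:
        return "note"
    if os.path.splitext(name)[1] in KNOWN_EXTENSIONS:
        return "known"
    m = DOUBLE_EXT.match(name)
    if m:
        tail = m.group(1)
        # Heuristic (assumption): random tails mix cases or hold digits; real extensions rarely do.
        mixed = any(c.isupper() for c in tail) and any(c.islower() for c in tail)
        if mixed or any(c.isdigit() for c in tail):
            return "suspect"
    return None

def scan_tree(root):
    """Walk root; count hits and record directories that hold a ransom note."""
    report = {"note": 0, "known": 0, "suspect": 0, "note_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                report[kind] += 1
                if kind == "note" and dirpath not in report["note_dirs"]:
                    report["note_dirs"].append(dirpath)
    return report

def build_sample_tree():
    """Construct a throwaway folder that mimics a profile hit by Mischa (sample data)."""
    root = tempfile.mkdtemp(prefix="mischa_demo_")
    docs = os.path.join(root, "Documents")
    os.mkdir(docs)
    for name in ("report.docx.cRh8", "photo.jpg.aRpt", "setup.exe.Zq9X", "notes.txt",
                 "YOUR_FILES_ARE_ENCRYPTED.TXT", "YOUR_FILES_ARE_ENCRYPTED.HTML"):
        open(os.path.join(docs, name), "wb").close()
    open(os.path.join(root, "clean.pdf"), "wb").close()
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Expect some false positives from the heuristic branch; the ransom-note hits and the known-extension hits are the reliable signal, and a directory listed in note_dirs is where triage should start.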

Remove Mischa Ransomware and Restore Encrypted Files

If your PC has been infected by Mischa ransomware, you should have some experience with removing viruses. Remove the malware as soon as possible, as it could encrypt more files and spread further across the network. We recommend removing the ransomware and then following the step-by-step instructions below to see how you might restore your files.

Manually delete Mischa Ransomware from your computer

Note! Manual removal of Mischa Ransomware requires working with system files and the registry, so mistakes can damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Mischa Ransomware files and objects.
2. Find malicious files created by Mischa Ransomware on your PC.
3. Fix registry entries created by Mischa Ransomware on your PC.

Automatically remove Mischa Ransomware by downloading an advanced anti-malware program

1. Remove Mischa Ransomware with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Mischa Ransomware in the future
3. Restore files encrypted by Mischa Ransomware
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
