Mischa Ransomware Bonds with Petya Ransomware - How to, Technology and PC Security Forum | SensorsTechForum.com

Mischa Ransomware Bonds with Petya Ransomware


Petya ransomware now spreads with a copy of itself – Mischa. Petya, as before, asks for admin privileges to encrypt the MBR, but now if that fails, Mischa ransomware is loaded, which encrypts files on the infected PC. Considering how the two crypto-viruses operate and their names, the James Bond movie GoldenEye comes to mind. In the movie, there is a weapon named GoldenEye, consisting of two satellites named Petya and Mischa. The criminals in the film worked for the organization Janus – the ransomware owners identify themselves with the same name.

Mischa encrypts files and appends an extension consisting of four random symbols to each of them. To see how to remove the ransomware viruses and what you can try to restore your files, you should read the whole article.

UPDATE! A new version of Petya and Mischa has been found, calling itself GoldenEye Ransomware. More information and decryption attempts below:
Remove GoldenEye Ransomware and Decrypt Encrypted Drives

Threat Summary

Name: Mischa Ransomware
Short Description: Petya ransomware encrypts the MBR. If that fails, Mischa ransomware loads and encrypts files.
Symptoms: The ransomware creates a file named YOUR_FILES_ARE_ENCRYPTED. Mischa appends a four-character random extension to each encrypted file.
Distribution Method: Spam Emails, Email Attachments, Executable Files


Mischa Ransomware – Delivery

Mischa ransomware comes bundled with Petya ransomware. The delivery method is the same as for the previous variant of Petya, through spam emails. The emails are very detailed and are written with proper German grammar and vocabulary. The attached files have the names Bewerbungsfoto.jpg and PDFBewerbungsmappe.exe. The malware is found in these attachments, mainly in the executable file. Don't open emails that look suspicious or come from an unknown source.


On the right you can see how the attached picture looks. Beware that social media sites and file-sharing services might also host files that carry the malware, as the creators could have disguised them and put them there. In addition, there could also be a link to DropBox as before. Alongside the link, you could see a statement that a CV or related document is in DropBox because the files are too big to attach to the email.
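A mail-gateway style check for the lure described above, as an added example that is not part of the original article: it flags attachments that are executables by extension or by their leading `MZ` bytes, and notes when the name is dressed up as a document. The extension set, the keyword list and the sample message are assumptions constructed for the illustration; only the two attachment names come from the article.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif"}
# Assumed lure keywords: document-like words inside an executable's name.
DOC_WORDS = ("pdf", "doc", "foto", "mappe")


def inspect_attachments(raw_message):
    """Return [(filename, [reasons])] for attachments that look executable."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        stem, ext = os.path.splitext(name.lower())
        reasons = []
        if ext in EXECUTABLE_EXT:
            reasons.append("executable extension")
        if data[:2] == b"MZ":  # DOS/PE header, whatever the file is called
            reasons.append("PE header")
        if reasons and any(word in stem for word in DOC_WORDS):
            reasons.append("document-like name")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample():
    """Constructed message using the two attachment names from the article."""
    msg = EmailMessage()
    msg["Subject"] = "Bewerbung"  # constructed subject
    msg.set_content("Constructed body text.")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="Bewerbungsfoto.jpg")
    # Inert stub: two header bytes followed by zeros, not a real program.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream",
                       filename="PDFBewerbungsmappe.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in inspect_attachments(build_sample()):
        print(name, "->", ", ".join(reasons))
```

The header check also catches an executable that has been renamed to a harmless-looking extension, which the extension test alone would miss.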

Mischa Ransomware – More Information

The Petya ransomware now has a double that it is bundled with, called Mischa.

Petya still asks for administrative privileges so that it can encrypt the Master Boot Record (MBR). Only, this time, there is a backup plan if the user does not grant those permissions. In case that fails, the Mischa ransomware is loaded, which will encrypt files on the infected machine.


Judging from how the two crypto-viruses operate, like a double-edged sword, and putting their names together, one can only think of GoldenEye. In this James Bond movie, there is a weapon named GoldenEye, consisting of two satellites named Petya and Mischa. Not to mention that the criminals in the movie worked for an organization called Janus – the same name is used here for the cyber crooks to identify themselves. The GoldenEye weapon in the film could destroy all electronic devices, and the crippling effect that these crypto-viruses aim for is not far from that.

Petya ransomware will still encrypt the MBR, which contains information about loading Operating Systems on a computer. No OS will load if the MBR is missing or damaged (in this case – encrypted). If a user gives administrative privileges to the malware and restarts the computer, the MBR is locked, and the same ASCII-generated skull is shown, this time in green:


Mischa creates the following files:


They contain the ransomware instructions, which you can see in the image below:


The file reads the following:

You became victim of the MISCHA RANSOMWARE!

The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to
restore your data without a special key. You can purchase this key on the darknet page shown in step 2.

To purchase your key and restore your data, please follow these three easy steps:

1. Download the Tor Browser at “https://www.torproject.org/”. If you need
help, please google for “access onion page”.

2. Visit one of the following pages with the Tor Browser:


3. Enter your personal decryption code there:

The ransom price is 1.93 BitCoins, or nearly 880 US dollars, which is more than double that of the previous variant. Do NOT pay the ransom. Giving money to the creators will only encourage them to make more variants or worse. Also, there is no guarantee that you will get your files back if you pay.

The Mischa ransomware locks all kinds of files with almost any kind of extension, even files with a .exe extension. As a result, you might not be able to run programs, including anti-malware ones. The encryption process combines the RSA 4096-bit algorithm with 256-bit AES ciphers.

After Mischa completes the encryption process, all files will have an extension appended to them, consisting of four random symbols. The extension varies from user to user, but these are the known ones:

  • .cRh8
  • .3P7m
  • .aRpt
  • .eQTz
  • .3Rnu
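A triage script for the symptoms described above, as an added example that is not part of the original article: it walks a directory tree, collects files whose name ends in an appended four-character extension, and looks for the ransom note named in the Threat Summary. The character class, the benign-extension list, the threshold and the sample file names are assumptions constructed for the illustration.

```python
import os
import re
import tempfile
from collections import Counter

NOTE_PREFIX = "YOUR_FILES_ARE_ENCRYPTED"    # note name from the Threat Summary
# Four characters from [A-Za-z0-9]: an assumption based on the listed samples.
FOUR_CHAR = re.compile(r"^[A-Za-z0-9]{4}$")
# Legitimate four-character extensions that must not count as hits.
BENIGN = {"docx", "xlsx", "pptx", "jpeg", "html", "json", "tiff", "mpeg"}


def triage(root, min_files=3):
    """Return (suspect_extension or None, ransom_note_paths, hit_count)."""
    appended = Counter()
    notes = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().startswith(NOTE_PREFIX):
                notes.append(os.path.join(folder, name))
                continue
            parts = name.split(".")
            # The extension is appended to the full name (report.docx.cRh8),
            # so require an original extension in front of it.
            if len(parts) < 3:
                continue
            ext = parts[-1]
            if FOUR_CHAR.match(ext) and ext.lower() not in BENIGN:
                appended[ext] += 1
    if not appended:
        return None, notes, 0
    # The extension varies per user, so one dominant value per machine
    # is assumed to be the signal.
    ext, count = appended.most_common(1)[0]
    return (ext if count >= min_files else None), notes, count


def demo():
    """Run the triage over a constructed sample tree."""
    names = ["cv.docx.cRh8", "budget.xlsx.cRh8", "photo.jpg.cRh8",
             "setup.exe.cRh8", "notes.v2.docx", "site.min.html",
             "YOUR_FILES_ARE_ENCRYPTED.TXT"]  # constructed file names
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            open(os.path.join(root, name), "w").close()
        ext, notes, count = triage(root)
    return ext, len(notes), count
```

Because the extension differs from one victim to the next, the script keys on the pattern rather than on the five known values.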

Mischa ransomware could probably also delete or damage the Shadow Volume Copies of the Windows operating system. Nevertheless, you should check the instructions after removal for ways to possibly restore your files.

Remove Mischa Ransomware and Restore Encrypted Files

If your PC has been infected by the Mischa ransomware, you should have a bit of experience with removing viruses. You should remove the malware as soon as possible, as it could encrypt more files and spread wider across the network. We recommend that you remove the ransomware and follow the step-by-step instructions given below to see how you might be able to restore your files.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
