How to Recover system after Mischa and Petya Ransomware Attack

Do you remember the aggressive Petya Ransomware? If you do, you know how much damage it does once a computer is infected. Unfortunately, Petya is back with a new installer that carries a second payload named Mischa Ransomware. The installer asks for administrative privileges so that Petya can overwrite the master boot record; if that request fails, Mischa is installed instead and encrypts files with the rights of the current user. Whichever of the two runs, the infected computer ends up with encrypted data and a ransom demand. If you are hit by either of them, follow the guide below to recover the system safely.

 

Petya and Mischa Ransomware: A Double Dose of Trouble to Solve

Mischa Ransomware is a fallback payload for Petya Ransomware. When Petya fails to obtain administrative privileges and therefore cannot overwrite the master boot record and encrypt the master file table (MFT), the installer falls back to Mischa, which runs only when the first program has been refused. Even though Mischa is only Petya's backup, it is a fully working piece of ransomware in its own right: its purpose is to make sure the attack succeeds on the target computer even when the original payload cannot run. Since Petya appeared, it has marked a new escalation for crypto-malware. Instead of encrypting files on local and shared drives one by one, it locks up the file system's master file table, so the whole disk becomes unreadable at once. The drawback for its authors is that this approach takes longer (it needs a reboot) and fails completely when the privilege request is denied. To solve the long wait and the failing administrative privilege request, the developers built a new installer that carries a second payload which does not depend on the user accepting the UAC prompt.


Just like the original malware, the installer still asks for administrative privileges before it can execute Petya. What stops Petya from running? When the user clicks "No" on the User Account Control (UAC) prompt, Petya is not activated. The Mischa payload, however, does not need those privileges: it runs with the rights of the current user and encrypts the files that user can reach. The more copies of its files the installer spreads across the system, the more chances it gets to be activated, because any related file the user opens launches the program directly. Because the ransomware blocks the screen, frightens victims and pushes them to hand over money, users should learn how it works. However alarming the ransom note claims the situation is, do not let the fear of being hacked and losing data stop you from trying the recovery steps methodically, ideally on an image of the disk rather than on the original.

 

How does Mischa Ransomware collect the payment?

 

When the victim follows the ransom note to the Tor payment site, the site displays a payment wizard that walks through the steps for paying. It first asks the victim to enter the personal decryption code from the ransom note.

Then it shows how many bitcoins the victim must buy to pay the ransom and where to buy them. At the time of writing the ransom is set to about $875 USD, or approximately 1.93 bitcoins.

After that, it provides the Bitcoin address the victim should pay to.

The site also offers a support page where victims can ask the malware developers questions, and a FAQ page.

 

The Distribution of Mischa Ransomware

 

According to researchers and victims, most users received Mischa through a link to a file share on MagentaCLOUD (Deutsche Telekom's cloud storage service). The link arrives in an email disguised as a job application, together with a JPG file; whoever clicks the link has the payload downloaded onto the computer. The cloud page contains two files: Bewerbungsfoto.jpg, a fake applicant's photo, and PDFBewerbungsmappe.exe. The EXE file is the carrier of both Petya and Mischa: as soon as it is downloaded and the user double-clicks it, the installer asks to execute. Lawrence Abrams of BleepingComputer noted: "While encrypting a file Mischa will store the encrypted decryption key at the end of the encrypted file," and added: "An annoying aspect of Mischa is that not only will it encrypt your standard data file type (PNGs, JPGs, DOCXs, etc), but it will also encrypt .EXE files."

Related Files of Mischa and Petya Ransomware

Once the malware runs, it renames every file it encrypts by appending a new extension after the original one. The extension is four random alphanumeric characters and differs from one infection to the next, so it cannot be used as a fixed signature. Extensions seen on infected machines include:
.cRh8
.3P7m
.aRpt
.eQTz
.3Rnu

The list of targeted extensions provided by MalwareHunterTeam is:

 

.txt, .doc, .docx, .docm, .odt, .ods, .odp, .odf, .odc, .odm, .odb, .rtf, .xlsm, .xlsb, .xlk, .xls, .xlsx, .pps, .ppt, .pptm, .pptx, .pub, .epub, .pdf, .jpg, .jpeg, .frm, .wdb, .ldf, .myi, .vmx, .xml, .xsl, .wps, .cmf, .vbs, .accdb, .ini, .cdr, .svg, .conf, .cfg, .config, .wb2, .msg, .azw, .azw1, .azw3, .azw4, .lit, .apnx, .mobi, .p12, .p7b, .p7c, .pfx, .pem, .cer, .key, .der, .mdb, .htm, .html, .class, .java, .cs, .asp, .aspx, .cgi, .cpp, .php, .jsp, .bak, .dat, .pst, .eml, .xps, .sqllite, .sql, .js, .jar, .py, .wpd, .crt, .csv, .prf, .cnf, .indd, .number, .pages, .lnk, .po, .dcu, .pas, .dfm, .directory, .pbk, .yml, .dtd, .rll, .lib, .cert, .cat, .inf, .mui, .props, .idl, .result, .localstorage, .ost, .default, .json, .db, .sqlite, .log, .bat, .ico, .dll, .exe, .x3f, .srw, .pef, .raf, .orf, .nrw, .nef, .mrw, .mef, .kdc, .dcr, .crw, .eip, .fff, .iiq, .k25, .crwl, .bay, .sr2, .ari, .srf, .arw, .cr2, .raw, .rwl, .rw2, .r3d, .3fr, .ai, .eps, .pdd, .dng, .dxf, .dwg, .psd, .ps, .png, .jpe, .bmp, .gif, .tiff, .gfx, .jge, .tga, .jfif, .emf, .3dm, .3ds, .max, .obj, .a2c, .dds, .pspimage, .yuv, .3g2, .3gp, .asf, .asx, .mpg, .mpeg, .avi, .mov, .flv, .wma, .wmv, .ogg, .swf, .ptx, .ape, .aif, .wav, .ram, .ra, .m3u, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpv2, .rpf, .vlc, .m4a, .aac, .aa, .aa3, .amr, .mkv, .dvd, .mts, .qt, .vob, .3ga, .ts, .m4v, .rm, .srt, .aepx, .camproj, .dash, .zip, .rar, .gzip, .vmdk, .mdf, .iso, .bin, .cue, .dbf, .erf, .dmg, .toast, .vcd, .ccd, .disc, .nrg, .nri, .cdi

 

 

In the folders where Mischa has encrypted data, users will find two ransom notes next to the encrypted files: YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT.

The content of the text file created by Mischa Ransomware:

    You became victim of the MISCHA RANSOMWARE!

    The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to
    restore your data without a special key. You can purchase this key on the darknet page shown in step 2.

    To purchase your key and restore your data, please follow these three easy steps:

    1. Download the Tor Browser at “https://www.torproject.org/”. If you need
       help, please google for “access onion page”.

    2. Visit one of the following pages with the Tor Browser:

       http://mischapuk6hyrn72.onion/1MZKMy
       http://mischa5xyix2mrhd.onion/1MZKMy

    3. Enter your personal decryption code there:


When encrypting files, Mischa will skip files located in the following folders:

\Windows
\$Recycle.Bin
\Microsoft
\Mozilla Firefox
\Opera
\Internet Explorer
\Temp
\Local
\LocalLow
\Chrome
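The skip list, the targeted-extension list and the ransom-note names above are enough to write a first triage pass over a suspected victim's file listing. The following Python script is an added example and is not code from the original page or from any tool it links; it uses a subset of the extension list, a constructed file listing, and the assumption stated above that Mischa appends four random alphanumeric characters as a new extension while keeping the original one.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Subset of the MalwareHunterTeam extension list above; extend it with the full
# list for real use. Entries are compared lower-cased.
TARGETED = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".pst", ".exe", ".dll", ".py"}

# Folder names Mischa skips, as listed above. A file is skipped if any directory
# component of its path matches one of these (case-insensitive).
SKIPPED_DIRS = {"windows", "$recycle.bin", "microsoft", "mozilla firefox", "opera",
                "internet explorer", "temp", "local", "locallow", "chrome"}

RANSOM_NOTES = {"your_files_are_encrypted.html", "your_files_are_encrypted.txt"}

# Mischa appends four random alphanumeric characters as a new extension,
# e.g. report.docx.cRh8; the original extension stays in the name. This is a
# heuristic: a legitimate name such as notes.txt.bak2 would also match.
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{4}$")


def in_skipped_dir(path):
    dirs = PureWindowsPath(path).parts[:-1]
    return any(d.lower() in SKIPPED_DIRS for d in dirs)


def encrypted_extension(path):
    """Return the appended random extension if the name matches
    <original>.<targeted ext>.<4 random chars>, else None."""
    suffixes = PureWindowsPath(path).suffixes
    if len(suffixes) < 2:
        return None
    original, appended = suffixes[-2].lower(), suffixes[-1][1:]
    if original in TARGETED and RANDOM_EXT.match(appended):
        return appended
    return None


def triage(paths):
    """Classify a file listing from a suspected Mischa victim.

    Returns a dict with the encrypted files, the ransom notes, the targeted
    files that are still intact ('at_risk'), the files in skipped folders, and
    a Counter of the random extensions seen. One infection uses one extension,
    so the dominant entry is the value to hunt for on other hosts."""
    result = {"encrypted": [], "notes": [], "at_risk": [], "skipped": [],
              "extensions": Counter()}
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name in RANSOM_NOTES:
            result["notes"].append(p)
            continue
        if in_skipped_dir(p):
            result["skipped"].append(p)
            continue
        ext = encrypted_extension(p)
        if ext:
            result["encrypted"].append(p)
            result["extensions"][ext] += 1
        elif PureWindowsPath(p).suffix.lower() in TARGETED:
            result["at_risk"].append(p)
    return result


# Constructed sample listing (not taken from a real infection).
SAMPLE_LISTING = [
    r"C:\Users\anna\Documents\report.docx.cRh8",
    r"C:\Users\anna\Documents\budget.xlsx.cRh8",
    r"C:\Users\anna\Documents\YOUR_FILES_ARE_ENCRYPTED.TXT",
    r"C:\Users\anna\Documents\YOUR_FILES_ARE_ENCRYPTED.HTML",
    r"C:\Users\anna\Pictures\holiday.jpg",
    r"C:\Users\anna\AppData\Local\Temp\setup.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Tools\putty.exe.cRh8",
    r"C:\Tools\readme.md",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for key in ("encrypted", "notes", "at_risk", "skipped"):
        print(f"{key}: {summary[key]}")
    print("random extensions seen:", dict(summary["extensions"]))
```

Feed the script a directory listing exported from the victim (for example the output of `dir /s /b` saved to a text file); the `extensions` counter then gives the one random suffix to search for across file shares and other workstations.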

PDFBewerbungsmappe.exe:

This is an executable file, which means it is a program that runs when opened. It pretends to be a PDF file by using a PDF-like icon, but it is not a PDF. When the user double-clicks it, the program runs immediately. It first tries to install Petya; if that fails (for instance because the UAC prompt is declined), it loads Mischa instead. While the encryption is running, PDFBewerbungsmappe.exe is visible as a running process in Task Manager.
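The lure described here and in the distribution section (an EXE with a PDF icon, named like a job-application folder, next to a decoy JPG) is caught by looking at the content rather than the name or icon. The following Python check is an added example, not code from the page or from any product it mentions; the magic-byte stubs and attachment names are constructed, and the keyword list is an assumption to be tuned per environment.

```python
from pathlib import PureWindowsPath

# Extensions Windows executes directly when double-clicked (common subset, assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".hta"}
# Extensions a phishing author puts in front of the real one, e.g. "scan.pdf.exe".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}
# Words that make an executable look like a document (German "Bewerbung" = job
# application, "Rechnung" = invoice, "Lebenslauf" = CV). Assumed list.
DOCUMENT_WORDS = ("pdf", "doc", "scan", "invoice", "rechnung", "bewerbung", "lebenslauf", "cv")

# Magic bytes: an "MZ" header is a Windows executable whatever the name or icon says.
MAGIC = [
    (b"MZ", "windows-executable"),
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip-container"),
]


def sniff(data):
    """Identify the real content type from the first bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(name, data):
    """Return the reasons an attachment should be held; an empty list means no finding."""
    findings = []
    p = PureWindowsPath(name)
    ext = p.suffix.lower()
    stem = p.stem.lower()
    kind = sniff(data)
    if kind == "windows-executable":
        if ext not in EXECUTABLE_EXTS:
            findings.append(f"executable content behind non-executable extension {ext or '(none)'}")
        if any(w in stem for w in DOCUMENT_WORDS):
            findings.append("executable whose name imitates a document")
    if ext in EXECUTABLE_EXTS:
        findings.append(f"directly executable attachment type {ext}")
        if len(p.suffixes) > 1 and p.suffixes[-2].lower() in DOCUMENT_EXTS:
            findings.append("double extension hides the executable type")
    return findings


# Constructed stubs: only the leading bytes matter for the check.
MZ_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
PDF_STUB = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

SAMPLE_ATTACHMENTS = [
    ("PDFBewerbungsmappe.exe", MZ_STUB),  # the lure from the text
    ("Bewerbungsfoto.jpg", JPEG_STUB),    # the decoy photo
    ("Rechnung.pdf.exe", MZ_STUB),        # classic double extension
    ("Lebenslauf.pdf", PDF_STUB),         # a genuine document
]


def screen(attachments):
    """Map each attachment name to its findings."""
    return {name: inspect_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, findings in screen(SAMPLE_ATTACHMENTS).items():
        print(name, "->", findings or "clean")
```

Wire the same function into the mail gateway or the download proxy: the "MZ" check is what defeats the PDF icon, because the icon lives inside the executable and never changes the first two bytes.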


 

How to Recover system after Mischa and Petya Ransomware Attack

 

Whichever payload is activated, the result is the same for the victim: data is encrypted and held for ransom, the MFT in Petya's case and individual files in Mischa's. If the computer shows Petya's blue screen, do not let it reboot: the fake CHKDSK screen that appears on the next boot is when Petya encrypts the MFT. Power the machine off and image the disk from another system. As long as the MFT has not been encrypted yet, the chance of recovering the data is highest.


 

Related solutions:

Solution from hasherezade: boot from a Kali Linux live system to read the disk and run her Petya key decoder.

Source: https://hshrzd.wordpress.com/2016/03/31/petya-key-decoder/

This solution was written by hasherezade and only works for Stage 1 of the infection, that is, if the system was not rebooted after the malicious MBR was written. Users need to download the tool from another, clean computer first and then follow the guide that comes with it. It does not work when the computer is attacked by the newer (green) version of Petya.

hasherezade also provides a video that shows how to recover the data with the tool. It is quite involved, and users without much computer experience may struggle to follow her pace.


Quick solution: find the key in seconds to restore the Petya-encrypted MFT

https://github.com/leo-stone/hack-petya

A quick solution from an author who likes a challenge: he found a fast way (a genetic algorithm searching the key space) to recover the key needed to restore the MFT encrypted by Petya. It is not easy to follow for users who have no experience with handling keys.


 

Solution from Klondike, who built on leo-stone's code with a proper cryptanalysis.

http://klondike.es/klog/2016/04/12/cryptanalyzing-petya/

Klondike's solution suits experienced users who do not want to depend on third-party tools: by following the write-up, victims can recover the key with their own tooling.
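What the three Petya key-recovery approaches above have in common is the test at their core: the disk holds a sector whose plaintext is known, so a candidate key is correct exactly when decrypting that sector with it yields the known filler. The following Python block is an added example and is not code from hasherezade, leo-stone or Klondike. It implements standard Salsa20/20 with a 16-byte key and runs a small key search against a constructed check sector; the real Petya disk layout, its key alphabet and its key-expansion quirks are documented in the write-ups linked above and are not reproduced here. The key, nonce and the partially known key prefix are constructed so that the search finishes in well under a second.

```python
import itertools
import string
import struct

MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarterround(x, a, b, c, d):
    # Salsa20 quarter-round on state words a, b, c, d (in place).
    x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)


def salsa20_block(key16, nonce8, counter):
    """One 64-byte Salsa20/20 keystream block for a 16-byte key ("expand 16-byte k")."""
    k = struct.unpack("<4I", key16)
    n = struct.unpack("<2I", nonce8)
    tau = struct.unpack("<4I", b"expand 16-byte k")
    x = [tau[0], k[0], k[1], k[2], k[3], tau[1], n[0], n[1],
         counter & MASK, (counter >> 32) & MASK,
         tau[2], k[0], k[1], k[2], k[3], tau[3]]
    s = list(x)
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarterround(s, 0, 4, 8, 12)    # column round
        _quarterround(s, 5, 9, 13, 1)
        _quarterround(s, 10, 14, 2, 6)
        _quarterround(s, 15, 3, 7, 11)
        _quarterround(s, 0, 1, 2, 3)     # row round
        _quarterround(s, 5, 6, 7, 4)
        _quarterround(s, 10, 11, 8, 9)
        _quarterround(s, 15, 12, 13, 14)
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(s, x)])


def salsa20_xor(key16, nonce8, data, start_block=0):
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key16, nonce8, start_block + i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


# Known plaintext of the check sector: one repeated filler byte (constructed).
FILLER = b"\x37" * 512


def key_is_valid(candidate, nonce, enc_check_sector):
    """The known-plaintext test: decrypting the check sector must give the filler."""
    return salsa20_xor(candidate, nonce, enc_check_sector) == FILLER


def recover_key(known_prefix, nonce, enc_check_sector, alphabet):
    """Brute-force the key bytes not covered by known_prefix.

    A candidate is rejected on the first 64-byte block alone (a wrong key has no
    realistic chance of producing 64 correct filler bytes), so the full sector is
    decrypted only for a candidate that survives that first check."""
    missing = 16 - len(known_prefix)
    first_block = enc_check_sector[:64]
    for tail in itertools.product(alphabet, repeat=missing):
        cand = known_prefix + bytes(tail)
        if salsa20_xor(cand, nonce, first_block) != FILLER[:64]:
            continue
        if key_is_valid(cand, nonce, enc_check_sector):
            return cand
    return None


# Constructed scenario: the key and nonce below are not from any real sample.
ALPHABET = (string.ascii_letters + string.digits).encode()
TRUE_KEY = b"Kx9mQ2vPz7Wn4Lr8"
NONCE = b"\x11\x22\x33\x44\x55\x66\x77\x88"
ENC_CHECK = salsa20_xor(TRUE_KEY, NONCE, FILLER)  # what is left on disk

if __name__ == "__main__":
    # Pretend the last two key bytes are unknown and search for them.
    found = recover_key(TRUE_KEY[:14], NONCE, ENC_CHECK, ALPHABET)
    print("recovered key:", found)
```

The search here covers only two unknown positions; a real 16-character key over a 54-character alphabet is out of reach for exhaustive search, which is why leo-stone used a genetic algorithm and Klondike's cryptanalysis exploited weaknesses in Petya's own implementation instead. The verification step, however, is exactly this one.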

 


 

Note: there is no complete, reliable solution that recovers the keys and data in every case after a Petya or Mischa infection; the tools above target Petya's MFT encryption, not the files encrypted by Mischa. It is also worth pointing out that such attacks can be avoided by paying attention to computer security in advance. Users tend to regret neglecting security only after an incident; what they do not regret is investing in long-term protection and offline backups.


Use SpyHunter for Computer Protection

Try SpyHunter, which can detect leftovers on the system. It is a multifunctional tool that cleans and removes viruses and threats, uninstalls unwanted programs and backs up system data.

Step 1. Download SpyHunter and save the installer.

 

Step 2. Double-click the EXE file and choose Run.

A language option window pops up; select your language and click OK.

Step 3. Click Continue to proceed with the SpyHunter installer.

Step 4. Accept the End User License Agreement and Privacy Policy.

Step 5. Wait a few seconds for the installation to complete.

Step 6. Once the installation is completed, click Exit.

Step 7. SpyHunter now starts automatically; run a full scan of your computer.

Note: Do not worry if SpyHunter updates itself first; it does so at startup whenever an older version was downloaded.

Step 8. When the scan is finished, remove all detected threats by clicking Fix Threats.