The authors of the once widespread Petya ransomware have released a new extortion tool that goes by another popular Russian name, Mischa. Although the two undoubtedly belong to the same family and share some behavioral patterns, the newcomer is drastically different from its forerunner. Mischa is a more ‘classic’ ransomware sample: it encrypts the end user’s personal files rather than corrupting the Master File Table. This somewhat milder impact, which still lets the infected person boot into Windows, doesn’t make the new Trojan any less hazardous, though. It uses a cryptographic algorithm strong enough to rule out data recovery by brute force, which basically means the victim risks losing all important files unless they pay up.
Having encrypted the data, the malware also appends a unique extension to filenames. Some examples of these strings are .9RWE, .aRpt, .3P7m, .eQTz, .cRh8, and .3RNu. The general pattern is four characters drawn from digits and lowercase and uppercase letters. Therefore, a file originally named ‘to-do list.doc’ may turn into something like ‘to-do list.doc.cRh8’ and become inaccessible.
The Mischa virus also drops two new files into every affected directory and onto the desktop. These are ransom instructions titled Your_Files_Are_Encrypted.html and Your_Files_Are_Encrypted.txt. The warning inside them reads: “You became victim of the MISCHA RANSOMWARE! The files on your computer have been encrypted with a military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.” The step being referred to instructs the user to visit one of two available pages with the Tor browser, namely mischapuk6hym72.onion/[6 digits and chars] or mischa5xyix2mrhd.onion/[6 digits and chars]. On the Tor gateway, the victim is told to enter the personal decryption code provided in the ransom instructions and pay somewhere in the range of 1 BTC, or 400-500 USD, to the criminals to get the decryptor.
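The two indicators above, the four-character alphanumeric tag appended after the original extension and the pair of ransom note files dropped beside the encrypted data, are enough to triage a file listing from a suspect machine. The script below is an added example written for this article, not a tool from the write-up or from any vendor; the regular expression, the allowlist of legitimate four-character extensions (which keeps names like report.docx from being flagged) and the sample paths are this example's own constructions.

```python
import re
from collections import defaultdict

# Mischa appends four alphanumeric characters after the original extension,
# e.g. 'to-do list.doc' -> 'to-do list.doc.cRh8' (tags seen in the write-up:
# .9RWE, .aRpt, .3P7m, .eQTz, .cRh8, .3RNu). The regex itself is this example's own.
SUSPECT_RE = re.compile(
    r"^(?P<original>.+\.(?P<orig_ext>[A-Za-z0-9]{2,5}))\.(?P<tag>[A-Za-z0-9]{4})$"
)

# Ransom note names from the write-up, compared case-insensitively.
RANSOM_NOTES = {"your_files_are_encrypted.html", "your_files_are_encrypted.txt"}

# Legitimate four-character extensions that would otherwise match the pattern
# when they follow another extension (e.g. 'notes.txt.docx'). Assumed list.
KNOWN_4CHAR_EXTS = {"docx", "xlsx", "pptx", "json", "html", "jpeg", "yaml",
                    "toml", "webp", "tiff", "java", "conf", "diff"}


def classify(filename):
    """Return ('note', None) for a ransom note, ('suspect', tag) for a file that
    looks renamed by Mischa, or (None, None) for anything else."""
    if filename.lower() in RANSOM_NOTES:
        return "note", None
    m = SUSPECT_RE.match(filename)
    if m and m.group("tag").lower() not in KNOWN_4CHAR_EXTS:
        return "suspect", m.group("tag")
    return None, None


def triage(paths):
    """Group full Windows-style paths by directory and report, per directory,
    the suspect files, the distinct tags seen and whether a ransom note is
    present. A directory with both a note and suspect files is rated 'high',
    one with only suspect files or only a note is rated 'medium'."""
    dirs = defaultdict(lambda: {"suspects": [], "tags": set(), "note": False})
    for p in paths:
        directory, _, name = p.replace("/", "\\").rpartition("\\")
        kind, tag = classify(name)
        entry = dirs[directory]
        if kind == "note":
            entry["note"] = True
        elif kind == "suspect":
            entry["suspects"].append(name)
            entry["tags"].add(tag)
    report = {}
    for directory, e in dirs.items():
        if e["note"] and e["suspects"]:
            rating = "high"
        elif e["suspects"] or e["note"]:
            rating = "medium"
        else:
            continue  # nothing of interest in this directory
        report[directory] = {"rating": rating,
                             "suspects": sorted(e["suspects"]),
                             "tags": sorted(e["tags"]),
                             "note": e["note"]}
    return report


# Constructed sample listing (not real telemetry): one hit directory, one clean one.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\to-do list.doc.cRh8",
    r"C:\Users\alice\Documents\budget.xlsx.cRh8",
    r"C:\Users\alice\Documents\Your_Files_Are_Encrypted.html",
    r"C:\Users\alice\Documents\Your_Files_Are_Encrypted.txt",
    r"C:\Users\alice\Documents\report.docx",   # ordinary four-letter extension, not flagged
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Pictures\archive.tar.gz",  # two-character second extension, not flagged
]

if __name__ == "__main__":
    for directory, info in triage(SAMPLE_PATHS).items():
        print(f"[{info['rating']}] {directory}: {len(info['suspects'])} suspect file(s), "
              f"tags={info['tags']}, ransom note={'yes' if info['note'] else 'no'}")
```

On a real machine you would feed `triage()` a recursive listing of the user profile; a single tag repeated across many directories alongside the two note files is the picture the article describes, whereas scattered single hits with varying tags are more likely ordinary files with unusual double extensions.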
The Mischa ransomware operators rely on social engineering to distribute their Trojan. Would-be victims receive an email disguised as a job application. It’s noteworthy that the campaign chiefly targets German users at this point. The message is titled “Bewerbung Zivildienst” and urges the recipient to click a link to a page hosted on Magentacloud.de, a popular German cloud provider. The page contains two files: Bewerbungsfoto.jpg, the fake applicant’s photo, and PDFBewerbungsmappe.exe. The criminals thus want the user to run the malicious executable, which in turn launches the ransomware on the computer.
There is no automatic decryption solution for the Mischa ransomware as of the time of writing. However, compromised users should definitely try the steps that may restore data via the Volume Shadow Copy Service, which is built into the operating system, or through recovery software. And remember that paying the ransom directly funds cybercrime, so it’s best to give all alternative workarounds a shot.
This is an exceptionally effective method for dealing with malware in general and ransomware threats in particular. A reputable security suite ensures thorough detection of all virus components and their complete removal in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things; still, the need to remove the threat is indisputable, as it has been reported to bring other Trojans along while operating.
As mentioned above, the Mischa ransomware applies strong crypto to render files inaccessible, so there is no magic wand that restores all of the encrypted data in the blink of an eye, except of course paying the unthinkable ransom. There are, however, techniques that can lend you a helping hand in recovering the important stuff; here is what they are.
Automatic file recovery software
Interestingly, the infection deletes the original, unencrypted files; it is the copies that undergo the ransomware’s crypto processing. So tools like Data Recovery Pro can restore the deleted objects even if they were removed in a secure way. This workaround is definitely worth trying, as it has proved fairly effective.
Shadow Volume Copies
This approach relies on the native Windows backup of files, which is taken at each restore point. There is an important condition: the method only works if the System Restore feature was turned on before the infection. Also, any changes made to a file after the most recent restore point won’t be reflected in the recovered version.
The Properties dialog for any file has a tab called Previous Versions. That’s where the backed-up versions are listed and can be recovered from. So right-click a file, go to Properties, open the above-mentioned tab and select Copy or Restore, depending on the location you want it recovered to.
The above process can be automated with a tool called Shadow Explorer. It does essentially the same thing (retrieving Shadow Volume Copies), but in a more convenient way. Download and install the application, run it and browse to the files and folders whose previous versions you wish to restore. To get the job done, right-click any of the entries and select Export.
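Before walking through Previous Versions or Shadow Explorer, it helps to confirm that the precondition stated above is actually met, i.e. that shadow copies exist at all. The script below is an added example written for this article, not part of the write-up or of Shadow Explorer: it parses the output of the built-in `vssadmin list shadows` command and maps a local path onto the corresponding shadow volume, which is the same data the Previous Versions tab draws on. The sample output is constructed and the layout it follows is an assumption about the tool's usual format; the function names are this example's own.

```python
import platform
import subprocess

# Constructed sample of 'vssadmin list shadows' output (not captured from a real
# machine); the layout is assumed to follow the tool's usual format.
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 5/9/2016 8:02:11 PM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION01
         Service Machine: WORKSTATION01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


def parse_shadow_copies(text):
    """Turn vssadmin's text report into a list of dicts with the copy id, its
    creation time, the original volume and the shadow volume device path."""
    copies = []
    current = None
    created = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contained ") and "creation time:" in line:
            created = line.split("creation time:", 1)[1].strip()
        elif line.startswith("Shadow Copy ID:"):
            current = {"id": line.split(":", 1)[1].strip(), "created": created}
            copies.append(current)
        elif current is not None and line.startswith("Original Volume:"):
            current["original_volume"] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("Shadow Copy Volume:"):
            current["shadow_volume"] = line.split(":", 1)[1].strip()
    return copies


def previous_version_path(shadow_copy, local_path):
    """Map a local path such as 'C:\\Users\\alice\\x.doc' onto the shadow volume,
    giving the device path under which the earlier version of the file lives.
    Returns None when the shadow copy belongs to a different drive letter."""
    drive, rest = local_path[:2], local_path[2:].lstrip("\\")
    if f"({drive.upper()})" not in shadow_copy["original_volume"].upper():
        return None
    return shadow_copy["shadow_volume"].rstrip("\\") + "\\" + rest


def list_shadow_copies():
    """Run vssadmin on the live system (Windows only, elevated prompt needed)
    and parse its report. Raises on other platforms."""
    if platform.system() != "Windows":
        raise RuntimeError("vssadmin is only available on Windows")
    out = subprocess.run(["vssadmin", "list", "shadows"],
                         capture_output=True, text=True, check=True).stdout
    return parse_shadow_copies(out)


if __name__ == "__main__":
    copies = parse_shadow_copies(SAMPLE_VSSADMIN_OUTPUT)
    if not copies:
        print("No shadow copies listed: nothing for Previous Versions to restore from.")
    for sc in copies:
        print(f"{sc['id']} created {sc['created']} for {sc['original_volume']}")
        print("  previous version of the sample document:",
              previous_version_path(sc, r"C:\Users\alice\Documents\to-do list.doc"))
```

An empty list means the condition named above (System Restore enabled before the infection) is not satisfied and the Previous Versions tab will be blank, so there is no point in going through each folder by hand. Where copies do exist, the device path returned by `previous_version_path()` is what Shadow Explorer reads behind the scenes; the newest copy created before the infection is the one to export from, since later copies may already contain the encrypted versions.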
Of all the options that aren’t ransom-related, this one is the best. If you had been backing up your information to an external server before the ransomware hit your PC, restoring the files it encrypted is as simple as logging into the respective interface, selecting the right files and starting the restore. Before you do so, however, be sure to completely remove the ransomware from your computer.
If you chose the manual cleanup technique, some fragments of the ransomware may have remained as obfuscated objects in the operating system or in registry entries. To make sure no malicious components of the threat are left, have your computer scanned with a reliable malware security suite.