Mischa virus: what does it do? Who is behind the mass infection in Ukraine?


A few months ago, we and other IT security specialists discovered a new piece of malware, Petya (Win32.Trojan-Ransom.Petya.A). In the classical sense it was not an encryptor: the virus simply blocked access to certain types of files and demanded a ransom. It modified the boot record on the hard drive, forcibly rebooted the PC and showed a message saying that the data was encrypted and that you had to pay for decryption. In general it followed the standard scheme of encryption viruses, except that the files were NOT actually encrypted. Most popular antiviruses began identifying and removing Win32.Trojan-Ransom.Petya.A a few weeks after its appearance, and instructions for manual removal appeared as well. Why do we think Petya is not classic ransomware? It modifies the Master Boot Record, prevents the OS from loading and encrypts the Master File Table (MFT); it does not encrypt the files themselves.

However, a more sophisticated virus, Mischa, appeared a few weeks ago, apparently written by the same scammers. This virus ENCRYPTS files and demands $500 - 875 for decryption (1.5 - 1.8 bitcoins, depending on the version). Instructions for “decryption” and for paying for it are stored in the files YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT.

Image caption: Mischa virus, contents of the YOUR_FILES_ARE_ENCRYPTED.HTML file.

In fact, the hackers now infect users’ computers with two pieces of malware: Petya and Mischa. The first needs administrator rights on the system. If the user refuses to give Petya admin rights, or manually deletes it, Mischa steps in. This virus does not require administrator rights; it is a classic encryptor that actually encrypts files with the strong AES algorithm, without making any changes to the Master Boot Record or the file table on the victim’s hard drive.

The Mischa malware encrypts not only standard file types (videos, pictures, presentations, documents) but also .exe files. The only directories the virus skips are \Windows, \$Recycle.Bin, \Microsoft, \Mozilla Firefox, \Opera, \Internet Explorer, \Temp, \Local, \LocalLow and \Chrome.

Infection occurs primarily through e-mail: a letter arrives with an attached file, which is the virus installer. It can be disguised as a letter from the Tax Service or from your accountant, as attached receipts or invoices for purchases, and so on. Pay attention to the file extensions in such letters: if the attachment is an executable (.exe), there is a high probability that it is a container for the Petya\Mischa virus. And if the malware modification is recent, your antivirus may not react.

Update 06/30/2017: on June 27, a modified version of the Petya virus (Petya.A) massively attacked users in Ukraine. The effect of this attack was enormous and the economic damage has not yet been calculated. In one day, the work of dozens of banks, retail chains, government agencies and enterprises of various forms of ownership was paralyzed. The virus spread mainly through a vulnerability in the Ukrainian accounting reporting system MeDoc, delivered with the latest automatic update of that software. In addition, the virus affected countries such as Russia, Spain, Great Britain, France and Lithuania.

Remove Petya and Mischa virus using an automatic cleaner

This is an extremely effective method of dealing with malware in general and ransomware in particular. Using a proven protective package guarantees thorough detection of all viral components and their complete removal with one click. Please note that we are talking about two different processes: removing the infection and restoring files on your PC. The threat certainly needs to be removed in any case, since there are reports of other computer Trojans being installed through it.

  1. After starting the software, click the Start Computer Scan button.
  2. The installed software will provide a report on the threats detected during scanning. To remove all detected threats, select the Fix Threats option. The malware in question will be completely removed.

Restore access to encrypted files

As noted, the Mischa ransomware locks files using a strong encryption algorithm so that encrypted data cannot be restored with a wave of a magic wand - short of paying an unheard-of ransom amount (sometimes reaching up to $1,000). But some methods can really be a lifesaver that will help you recover important data. Below you can familiarize yourself with them.

Automatic file recovery program (decryptor)

One unusual circumstance is known: this infection deletes the original, unencrypted files, and the encryption carried out for extortion purposes is applied to copies of them. This makes it possible to use software for recovering deleted objects, even though the malware tries to make their removal reliable. It is highly recommended to try the file recovery procedure; its effectiveness is beyond doubt.

Shadow copies of volumes

The approach is based on the Windows file backup process, which is repeated at each restore point. An important condition for this method to work: the “System Restore” function must be activated before the infection. However, any changes to the file made after the restore point will not appear in the restored version of the file.

Backup

This is the best among all non-ransom methods. If the procedure for backing up data to an external server was used before the ransomware attack on your computer, to restore encrypted files you simply need to enter the appropriate interface, select the necessary files and launch the data recovery mechanism from the backup. Before performing the operation, you must make sure that the ransomware is completely removed.

Check for possible presence of residual components of the Petya and Mischa ransomware

Manual cleaning risks missing individual pieces of ransomware that could escape removal as hidden operating system objects or registry items. To eliminate the risk of partial retention of individual malicious elements, scan your computer using a reliable security software package that specializes in malicious software.

Image caption: According to experts, fighting the new ransomware is harder than fighting WannaCry.

On June 27, ransomware locked computers and encrypted files at dozens of companies around the world.

It is reported that Ukrainian companies suffered the most - the virus infected the computers of large companies, government agencies and infrastructure facilities.

The virus demands $300 in Bitcoin from victims to decrypt files.

The BBC Russian service answers the main questions about the new threat.

Who was hurt?

The spread of the virus began in Ukraine. The Boryspil airport, some regional divisions of Ukrenergo, chain stores, banks, media and telecommunications companies were affected. Computers in the Ukrainian government also went down.

Following this, it was the turn of companies in Russia: Rosneft, Bashneft, Mondelez International, Mars, Nivea and others also became victims of the virus.

How does the virus work?

Experts have not yet reached a consensus on the origin of the new virus. Group-IB and Positive Technologies see it as a variant of the 2016 Petya virus.

“This ransomware uses both hacker methods and utilities, as well as standard system administration utilities,” comments Elmar Nabigaev, head of the information security threat response department at Positive Technologies. “All this guarantees a high speed of spread within the network and the massiveness of the epidemic as a whole (once at least one personal computer is infected). The result is complete computer inoperability and data encryption.”

The Romanian company Bitdefender sees more in common with the GoldenEye virus, in which Petya is combined with another piece of malware called Misha. The advantage of the latter is that it does not require administrator rights from the future victim in order to encrypt files, but obtains what it needs on its own.

Brian Campbell from Fujitsu and a number of other experts believe that the new virus uses a modified version of the EternalBlue exploit stolen from the US National Security Agency.

After the publication of this program by hackers The Shadow Brokers in April 2017, the WannaCry ransomware virus created on its basis spread all over the world.

Using Windows vulnerabilities, this program allows the virus to spread to computers throughout the corporate network. The original Petya was sent by email under the guise of a resume and could only infect the computer where the resume was opened.

Kaspersky Lab told Interfax that the ransomware virus does not belong to previously known families of malicious software.

“Kaspersky Lab software products detect this malware as UDS:DangerousObject.Multi.Generic,” noted Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab.

In general, if you call the new virus by its Russian name, Petya, keep in mind that in appearance it looks more like Frankenstein’s monster, since it is assembled from several malicious programs. It is known for certain that the virus was born on June 18, 2017.

Image caption: The virus demands $300 to decrypt files and unlock the computer.

Cooler than WannaCry?

It took WannaCry just a few days in May 2017 to become the largest cyberattack of its kind in history. Will the new ransomware virus surpass its recent predecessor?

In less than a day, the attackers received 2.1 bitcoins from their victims, about 5 thousand dollars. WannaCry collected 7 bitcoins over the same period.

At the same time, according to Elmar Nabigaev from Positive Technologies, it is more difficult to fight the new ransomware.

“In addition to exploiting [the Windows vulnerability], this threat is also spread through operating system accounts stolen using special hacking tools,” the expert noted.

How to fight the virus?

As a preventative measure, experts advise installing updates for operating systems on time and checking files received by email.

Advanced administrators are advised to temporarily disable the Server Message Block (SMB) network transfer protocol.
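As an added example (not code from the BBC article or from any of the experts it quotes), the PowerShell below narrows the “disable SMB” advice to the legacy SMBv1 dialect, which is what EternalBlue exploits, so file sharing over SMBv2/3 keeps working. It assumes a Windows 8.1/10 host with the SmbShare module and the SMB1Protocol optional feature name, run from an elevated prompt.

```powershell
# Added example, not code from the original article. Assumes Windows 8.1/10 with the
# SmbShare module (Get-/Set-SmbServerConfiguration) and the "SMB1Protocol" optional
# feature name; run from an elevated (Administrator) PowerShell prompt.

function Get-Smb1State {
    # Server side: does the SMB server still offer the SMBv1 dialect?
    $serverFlag = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Feature side: is the SMBv1 component installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{
        ServerEnableSMB1 = $serverFlag
        FeatureState     = [string]$feature.State
    }
}

function Disable-Smb1 {
    # Stop offering SMBv1 immediately (no reboot needed for the server flag).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMBv1 component itself; Windows may ask for a reboot to finish.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$before = Get-Smb1State
Write-Host ("Before: server EnableSMB1={0}, feature={1}" -f $before.ServerEnableSMB1, $before.FeatureState)

if ($before.ServerEnableSMB1 -or $before.FeatureState -eq 'Enabled') {
    Disable-Smb1
    $after = Get-Smb1State
    Write-Host ("After:  server EnableSMB1={0}, feature={1}" -f $after.ServerEnableSMB1, $after.FeatureState)
} else {
    Write-Host 'SMBv1 is already disabled; nothing to do.'
}
```

Disabling SMBv1 removes the transport EternalBlue needs but does not replace the MS17-010 update; hosts that still need SMBv1 for legacy devices should be patched and isolated instead.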

If your computers are infected, under no circumstances should you pay the attackers. There is no guarantee that once they receive payment, they will decrypt the files rather than demand more.

All that remains is to wait for a decryption program: in the case of WannaCry, it took Adrien Guinet, a specialist from the French company Quarkslab, a week to create one.

The first ransomware, AIDS (PC Cyborg), was written by biologist Joseph Popp in 1989. It hid directories and encrypted files, demanding a payment of $189 for “license renewal” to an account in Panama. Popp distributed his brainchild on floppy disks by regular mail, making about 20 thousand shipments in total. Popp was detained while trying to cash a check, but avoided trial: in 1991 he was declared insane.

At the beginning of May, about 230,000 computers in more than 150 countries were infected with a ransomware virus. Before the victims had time to eliminate the consequences of this attack, a new one, called Petya, followed. The largest Ukrainian and Russian companies, as well as government institutions, suffered from it.

The cyber police of Ukraine established that the virus attack began through the mechanism for updating the accounting software M.E.Doc, which is used to prepare and send tax reports. Thus, it became known that the networks of Bashneft, Rosneft, Zaporozhyeoblenergo, Dneproenergo and the Dnieper Electric Power System did not escape infection. In Ukraine, the virus penetrated government computers, PCs of the Kyiv metro, telecom operators and even the Chernobyl nuclear power plant. In Russia, Mondelez International, Mars and Nivea were affected.

The Petya virus exploits the EternalBlue vulnerability in the Windows operating system. Symantec and F-Secure experts say that although Petya encrypts data like WannaCry, it still differs somewhat from other types of encryption viruses. “The Petya virus is a new type of extortion with malicious intent: it does not just encrypt files on the disk, but locks the entire disk, making it practically unusable,” F-Secure explains. “Specifically, it encrypts the master file table (MFT).”

How does this happen and can this process be prevented?

Virus "Petya" - how does it work?

The Petya virus is also known by other names: Petya.A, PetrWrap, NotPetya, ExPetr. Once it gets onto the computer, it downloads ransomware from the Internet and tries to attack the part of the hard drive holding the data needed to boot the computer. If it succeeds, the system issues a Blue Screen of Death. After the reboot, a message appears about checking the hard drive, asking you not to turn off the power. In this way the encryption virus pretends to be a system disk-checking program while it encrypts files with certain extensions. At the end of the process, a message appears stating that the computer is locked, with information on how to obtain a digital key to decrypt the data. The Petya virus demands a ransom, usually in Bitcoin. If the victim has no backup copy of their files, they face the choice of paying $300 or losing all their information. According to some analysts, the virus is only masquerading as ransomware, while its true goal is to cause massive damage.

How to get rid of Petya?

Experts have discovered that the Petya virus looks for a local file and, if this file already exists on the disk, exits the encryption process. This means that users can protect their computer from ransomware by creating this file and setting it as read-only.

Although this cunning scheme prevents the extortion process from starting, this method can be considered more like “computer vaccination.” Thus, the user will have to create the file themselves. You can do this as follows:

  • First you need to understand the file extension. In the Folder Options window, make sure that the Hide extensions for known file types checkbox is unchecked.
  • Open the C:\Windows folder, scroll down until you see the notepad.exe program.
  • Left click on notepad.exe, then press Ctrl + C to copy and then Ctrl + V to paste the file. You will receive a request asking for permission to copy the file.
  • Click the Continue button and the file will be created as “notepad - Copy.exe”. Left-click on this file and press F2, then erase the file name and enter perfc.
  • After changing the file name to perfc, press Enter. Confirm the rename.
  • Now that the perfc file has been created, we need to make it read-only. To do this, right-click on the file and select “Properties”.
  • The properties menu for this file will open. At the bottom you will see "Read Only". Check the box.
  • Now click the Apply button and then the OK button.

Some security experts suggest creating C:\Windows\perfc.dat and C:\Windows\perfc.dll files in addition to the C:\windows\perfc file in order to more thoroughly protect against the Petya virus. You can repeat the above steps for these files.
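The Explorer steps above, as an added PowerShell example that is not from the original article: it creates all three vaccine files idempotently and reports whether each one exists and is read-only. It assumes an elevated prompt (C:\Windows is not writable otherwise) and that $env:SystemRoot is C:\Windows; the file names are exactly the three the article gives.

```powershell
# Added example, not code from the original article. Creates the read-only "vaccine"
# files described above. Assumptions: run from an elevated (Administrator) prompt,
# and $env:SystemRoot resolves to C:\Windows as in the article.

$VaccineFiles = @(
    (Join-Path $env:SystemRoot 'perfc'),
    (Join-Path $env:SystemRoot 'perfc.dat'),
    (Join-Path $env:SystemRoot 'perfc.dll')
)

function Set-PetyaVaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    # Create an empty file only if it does not already exist (idempotent).
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -ItemType File -Force | Out-Null
    }

    # Mark it read-only, the same thing the Properties dialog steps above do.
    $item = Get-Item -LiteralPath $Path -Force
    $item.IsReadOnly = $true
}

function Test-PetyaVaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    # $true only if the file exists and carries the ReadOnly attribute.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    return (Get-Item -LiteralPath $Path -Force).IsReadOnly
}

foreach ($f in $VaccineFiles) {
    Set-PetyaVaccineFile -Path $f
    $state = if (Test-PetyaVaccineFile -Path $f) { 'OK (read-only)' } else { 'MISSING or writable' }
    Write-Host ("{0,-28} {1}" -f $f, $state)
}
```

A read-only attribute can be cleared by any process that has write access to C:\Windows, so treat this as a stopgap alongside the MS17-010 update and backups, not a substitute for them.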

Congratulations, your computer is protected from NotPetya/Petya!

Symantec experts offer some advice to PC users to prevent them from doing things that could lead to locked files or loss of money.

  1. Don't pay money to criminals. Even if you transfer money to the extortionists, there is no guarantee that you will regain access to your files. And in the case of NotPetya / Petya this is essentially meaningless, because the goal of the ransomware is to destroy data, not to get money.
  2. Make sure you back up your data regularly. In this case, even if your PC becomes the target of a ransomware virus attack, you will be able to recover any deleted files.
  3. Don't open emails from questionable addresses. Attackers will try to trick you into installing malware or try to obtain important data for attacks. Be sure to inform IT specialists if you or your employees receive suspicious emails or links.
  4. Use reliable software. Timely updating of antivirus programs plays an important role in protecting computers from infections. And, of course, you need to use products from reputable companies in this field.
  5. Use mechanisms to scan and block spam messages. Incoming emails should be scanned for threats. It is important to block any types of messages that contain links or typical phishing keywords in their text.
  6. Make sure all programs are up to date. Regular remediation of software vulnerabilities is necessary to prevent infections.

Should we expect new attacks?

The Petya virus first appeared in March 2016, and security specialists immediately noticed its behavior. The new Petya virus infected computers in Ukraine and Russia at the end of June 2017. But this is unlikely to be the end. Hacker attacks using ransomware viruses similar to Petya and WannaCry will be repeated, said Stanislav Kuznetsov, deputy chairman of the board of Sberbank. In an interview with TASS, he warned that such attacks will definitely happen, but it is difficult to predict in advance in what form and format they may appear.

If, after all the cyber attacks that have happened, you have not yet taken at least the minimum steps to protect your computer from a ransomware virus, then it is time to get serious about it.

A number of Russian and Ukrainian companies were attacked by the Petya ransomware virus. The online publication site talked to experts from Kaspersky Lab and the interactive agency AGIMA and found out how to protect corporate computers from the virus and how Petya is similar to the equally famous WannaCry ransomware virus.

Virus "Petya"

In Russia, the victims include Rosneft, Bashneft, Mars, Nivea and Mondelez International, the maker of Alpen Gold chocolate. The ransomware also hit the radiation monitoring system of the Chernobyl nuclear power plant. In addition, the attack affected computers of the Ukrainian government, Privatbank and telecom operators. The virus locks computers and demands a ransom of $300 in bitcoins.

In the microblog on Twitter, the Rosneft press service spoke about a hacker attack on the company’s servers. “A powerful hacker attack was carried out on the company’s servers. We hope that this has nothing to do with the current legal proceedings. The company contacted law enforcement agencies regarding the cyber attack,” the message says.

According to company press secretary Mikhail Leontyev, Rosneft and its subsidiaries are operating as normal. After the attack, the company switched to a backup process control system so that oil production and treatment did not stop. The Home Credit bank system was also attacked.

"Petya" does not infect without "Misha"

According to Executive Director of AGIMA Evgeniy Lobanov, in fact, the attack was carried out by two encryption viruses: Petya and Misha.

“They work together. Petya does not infect without Misha. It can infect, but yesterday’s attack was two viruses: first Petya, then Misha. Petya rewrites the boot device (where the computer boots from), and Misha encrypts files using a specific algorithm,” explained the specialist. “Petya encrypts the boot sector of the disk (MBR) and replaces it with its own; Misha then encrypts all the files on the disk (not always).”

He noted that the WannaCry encryption virus, which attacked large global companies in May of this year, is not the same as Petya; Petya is a new version.

“Petya.A is from the WannaCry (or rather WannaCrypt) family, but the main difference, why it is not the same virus, is that it replaces the MBR with its own boot sector; this is a new product for ransomware. The Petya virus appeared a long time ago; on GitHub (an online service for IT projects and joint programming) at https://github.com/leo-stone/hack-petya there was a decryptor for this encryptor, but no decryptor is suitable for the new modification.”

Yevgeny Lobanov emphasized that the attack hit Ukraine harder than Russia.

“We are more susceptible to attacks than other Western countries. We will be protected from this version of the virus, but not from its modifications. Our Internet is unsafe, and in Ukraine it is even less so. Basically, transport companies, banks and mobile operators were attacked (Vodafone, Kyivstar), as well as medical companies, the same Pharmamag, Shell gas stations, all very large transcontinental companies,” he said in an interview with the site.

The executive director of AGIMA noted that there are no facts yet that would indicate the geographical location of the distributor of the virus. In his opinion, the virus supposedly appeared in Russia, but there is no direct evidence of this.

“There is an assumption that these are our hackers, since the first modification appeared in Russia, and the virus itself, which is no secret to anyone, was named after Petro Poroshenko. It was the development of Russian hackers, but it’s difficult to say who changed it further. It’s clear that even if you are in Russia, it is easy to have a computer with geolocation in the USA, for example,” the expert explained.

“If your computer is suddenly infected, you must not turn off the computer, because the Petya virus replaces the MBR, the first boot sector from which the operating system is loaded. If you reboot, you will never log into the system again. This cuts off the escape routes: even if a fix appears later, it will no longer be possible to get the data back. Next, you need to immediately disconnect from the Internet so that the computer does not go online. An official patch from Microsoft has already been released; it provides a 98 percent security guarantee. Unfortunately, not 100 percent yet. Certain modifications of the virus (there are three of them) still bypass it for now,” Lobanov recommended. “However, if you do reboot and see the start of the ‘check disk’ process, at this point you need to immediately turn off the computer and the files will remain unencrypted.”

In addition, the expert explained why Microsoft users are attacked most often, rather than users of MacOSX (Apple’s operating system) and Unix systems.

“Here it is more correct to talk not only about MacOSX, but about all Unix systems (the principle is the same). The virus spreads only to computers, not to mobile devices. The Windows operating system is subject to attack and threatens only those users who have disabled the automatic system update function. As an exception, updates are available even to owners of older versions of Windows that are no longer updated: XP, Windows 8 and Windows Server 2003,” the expert said.

“MacOSX and Unix are not susceptible to such viruses globally, because many large corporations use the Microsoft infrastructure. MacOSX is not susceptible because it is not so common in government agencies. There are fewer viruses for it; it is not profitable to make them, because the attack segment will be smaller than if you attack Microsoft,” the specialist concluded.

"The number of attacked users has reached two thousand"

The press service of Kaspersky Lab, whose experts continue to investigate the latest wave of infections, said that “this ransomware does not belong to the already known Petya family of ransomware, although it has several lines of code in common with it.”

The Laboratory is confident that in this case we are talking about a new family of malicious software with functionality significantly different from Petya. Kaspersky Lab has named its new ransomware ExPetr.

“According to Kaspersky Lab, the number of attacked users reached two thousand. Most incidents were recorded in Russia and Ukraine; cases of infection were also observed in Poland, Italy, Great Britain, Germany, France, the USA and a number of other countries. At the moment, our experts suggest that this malware used several attack vectors. It was established that a modified EternalBlue exploit and an EternalRomance exploit were used for distribution in corporate networks,” the press service said.

Experts are also exploring the possibility of creating a decryption tool that could be used to decrypt the data. The Laboratory also made recommendations for all organizations to avoid a virus attack in the future.

"We recommend that organizations install updates for the Windows operating system. For Windows XP and Windows 7, they should install the MS17-010 security update and ensure that they have an effective data backup system. Backing up data in a timely and secure manner allows you to restore the original files, even if they were encrypted with malware,” advised Kaspersky Lab experts.

The Laboratory also recommends that its corporate clients make sure that all protection mechanisms are activated, in particular that the connection to the Kaspersky Security Network cloud infrastructure is active; as an additional measure, it is recommended to use the Application Privilege Control component to deny all application groups access to (and therefore execution of) a file called “perfc.dat”, and so on.

“If you do not use Kaspersky Lab products, we recommend that you disable the execution of the file called perfc.dat, and also block the launch of the PsExec utility from the Sysinternals package using the AppLocker function included in the Windows OS (operating system),” the laboratory recommended.

May 12, 2017 was memorable for many because of a ransomware program that encrypts data on computer hard drives. It locks the device and demands a ransom.
The virus affected organizations and departments in dozens of countries around the world, including Russia, where the Ministry of Health, the Ministry of Emergency Situations, the Ministry of Internal Affairs, servers of mobile operators and several large banks were attacked.

The spread of the virus was stopped accidentally and temporarily: if hackers changed just a few lines of code, the malware would start working again. The damage from the program is estimated at a billion dollars. After forensic linguistic analysis, experts determined that WannaCry was created by people from China or Singapore.

Viruses are an integral part of the operating system ecosystem. In most cases, we are talking about Windows and Android, and if you are really unlucky, about OS X and Linux. Moreover, if previously mass viruses were aimed only at stealing personal data, and in most cases simply at damaging files, now encryptors “rule the roost.”


And this is not surprising - the computing power of both PCs and smartphones has grown like an avalanche, which means the hardware for such “pranks” is becoming more and more powerful.

Some time ago, experts discovered the Petya virus. G DATA SecurityLabs found that the virus requires administrative access to the system, and that it does not encrypt files but only blocks access to them. Today, remedies for Petya (Win32.Trojan-Ransom.Petya.A) already exist. The virus modifies the boot record on the system drive and causes the computer to crash, displaying a message about data corruption on the disk. In reality, access is simply blocked.

The malware developers demanded payment to restore access.


However, today, in addition to the Petya virus, an even more sophisticated one has appeared - Misha. It does not need administrative rights and encrypts data like classic Ransomware, creating YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT files on the disk or folder with encrypted data. They contain instructions on how to obtain the key, which costs approximately $875.

It is important to note that infection occurs through e-mail, which delivers an .exe file containing the virus, masquerading as a PDF document. So it bears repeating: check letters with attached files carefully, and try not to download documents from the Internet, since a virus or malicious macro can now be embedded in a .doc file or a web page.

We also note that so far there are no utilities to decipher the “work” of the Misha virus.
