What are the Petya and Mischa viruses? Mischa, Petya's companion: what is known about the new ransomware, and how to check for residual Petya and Mischa components

In early May, some 230,000 computers in more than 150 countries were infected with ransomware. Before the victims had time to eliminate the consequences of that attack, a new one followed, called Petya. It hit the largest Ukrainian and Russian companies as well as government agencies.

The cyber police of Ukraine found that the attack began through the update mechanism of the accounting software M.E.Doc, which is used to prepare and send tax returns. It also became known that the networks of Bashneft, Rosneft, Zaporozhyeoblenergo, Dneproenergo and the Dnieper electric power system did not escape infection. In Ukraine, the virus penetrated government computers, the PCs of the Kyiv metro, telecom operators, and even the Chernobyl nuclear power plant. In Russia, Mondelez International, Mars and Nivea suffered.

The Petya virus exploits the EternalBlue vulnerability in the Windows operating system. Symantec and F-Secure experts say that while Petya encrypts data like WannaCry, it is somewhat different from other types of ransomware. "Petya is a new kind of ransomware with malicious intent: it does not just encrypt files on the disk, but blocks the entire disk, making it practically unusable," F-Secure explains. "In particular, it encrypts the MFT, the master file table."

How does this happen and can this process be prevented?

Petya virus - how does it work?

The Petya virus is also known under other names: Petya.A, PetrWrap, NotPetya, ExPetr. Once on the computer, it downloads the ransomware from the Internet and tries to overwrite the part of the hard drive that holds the data needed to boot the computer. If it succeeds, the system shows a Blue Screen of Death. After a reboot, a message appears on the screen asking you not to turn off the power. In this way the ransomware pretends to be a system disk-check program while it is actually encrypting files with certain extensions. At the end of the process, a message appears saying the computer is locked, with instructions on how to obtain a digital key to decrypt the data. The Petya virus demands a ransom, usually in bitcoin. If the victim does not have a backup copy of the files, they face a choice: pay $300 or lose all the information. According to some analysts, the virus only masquerades as ransomware, while its true goal is to cause massive damage.

How to get rid of Petya?

Experts found that the Petya virus looks for a specific local file and, if that file already exists on the disk, exits the encryption process. This means that users can protect their computer from the ransomware by creating this file and setting it to read-only.

Although this trick prevents the encryption process from starting, the method is better thought of as a "computer vaccination": the user has to create the file themselves. You can do this in the following way:

  • First, deal with file extensions. Make sure that in the "Folder Options" window the checkbox "Hide extensions for known file types" is unchecked.
  • Open the C:\Windows folder and scroll down until you see the notepad.exe program.
  • Left-click notepad.exe, then press Ctrl + C to copy and Ctrl + V to paste the file. You will be prompted for permission to copy the file.
  • Click the "Continue" button and the file will be created as notepad - Copy.exe. Left-click this file and press the F2 key, then delete the file name notepad - Copy.exe and type perfc.
  • After changing the file name to perfc, press Enter. Confirm the rename.
  • Now that the perfc file has been created, it needs to be made read-only. To do this, right-click the file and select "Properties".
  • The properties window for that file will open. At the bottom you will see "Read-only". Check the box.
  • Now click the "Apply" button and then the "OK" button.

Some security experts suggest that, in addition to the C:\Windows\perfc file, you also create the C:\Windows\perfc.dat and C:\Windows\perfc.dll files to better protect against the Petya virus. You can repeat the steps above for these files.

Congratulations, your computer is protected from NotPetya / Petya!
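The same "vaccination" as a script, as an added example that is not part of the original article: it creates the three read-only files in the Windows directory and then verifies them. It assumes an elevated PowerShell session (C:\Windows is not writable by standard users) and that $env:SystemRoot is the Windows directory.

```powershell
# Added example (not from the original article): create the read-only "vaccine"
# files the article describes, then verify them. Run from an elevated session.
# Caveat: the file check only stops the encryption payload of the June 2017
# NotPetya variant on this machine; it does nothing against its spread over SMB,
# so patching remains necessary.

$windir = $env:SystemRoot          # normally C:\Windows
$names  = @('perfc', 'perfc.dat', 'perfc.dll')

function Install-PetyaVaccine {
    param([string]$Directory = $windir)
    foreach ($n in $names) {
        $path = Join-Path $Directory $n
        if (-not (Test-Path -LiteralPath $path)) {
            # An empty file is enough: the malware only tests for existence.
            New-Item -ItemType File -Path $path | Out-Null
        }
        # Mark it read-only so it is not casually overwritten or deleted.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-PetyaVaccine {
    param([string]$Directory = $windir)
    $ok = $true
    foreach ($n in $names) {
        $path = Join-Path $Directory $n
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Write-Warning "missing: $path"
            $ok = $false
        } elseif (-not $item.IsReadOnly) {
            Write-Warning "not read-only: $path"
            $ok = $false
        } else {
            Write-Output "ok: $path"
        }
    }
    return $ok
}

Install-PetyaVaccine
if (Test-PetyaVaccine) { Write-Output 'vaccine files present and read-only' }
```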

Symantec experts give PC users some advice to keep them from doing things that could lead to locked files or lost money.

  1. Don't pay the scammers. Even if you transfer money to the ransomware operators, there is no guarantee that you will regain access to your files. And in the case of NotPetya / Petya this is basically meaningless, because the purpose of the encryptor is to destroy data, not to get money.
  2. Make sure you create regular backups of your data. Then, even if your PC becomes the target of a ransomware attack, you will be able to recover any lost files.
  3. Do not open emails from questionable addresses. Attackers will try to trick you into installing malware or into giving up data useful for an attack. Be sure to notify IT professionals if you or your employees receive suspicious emails or links.
  4. Use reliable software. Timely updating of antivirus programs plays an important role in protecting computers from infection. And, of course, you should use products from reputable companies in this area.
  5. Use mechanisms to scan and block spam messages. Incoming emails should be scanned for threats. It is important to filter any messages that contain links or keywords typical of phishing.
  6. Make sure all programs are up to date. Regular patching of software vulnerabilities is essential to prevent infection.

Should we expect new attacks?

The Petya virus first appeared in March 2016, and security experts immediately noticed its behavior. The new Petya virus hit computers in Ukraine and Russia at the end of June 2017. But this is unlikely to be the end. Hacker attacks using ransomware similar to Petya and WannaCry will be repeated, said Stanislav Kuznetsov, deputy chairman of the board of Sberbank. In an interview with TASS, he warned that such attacks would definitely happen, but that it is difficult to predict in advance in what form and format they might appear.

If, after all the past cyberattacks, you have not yet taken at least minimal steps to protect your computer from an encryption virus, then it is time to get down to it.

A few months ago, we and other IT security specialists discovered a new piece of malware: Petya (Win32.Trojan-Ransom.Petya.A). In the classical sense it was not ransomware; the virus simply blocked access to certain types of files and demanded a ransom. The virus modified the boot record on the hard drive, forcibly rebooted the PC and showed a message stating that "the data is encrypted, hand over your money for decryption". In general, the standard ransomware scheme, except that the files were NOT actually encrypted. Most popular antiviruses started identifying and removing Win32.Trojan-Ransom.Petya.A within a few weeks of its appearance, and there are also instructions for manual removal. Why do we think that Petya is not a classic ransomware? This virus makes changes to the Master Boot Record, prevents the OS from booting, and encrypts the Master File Table (MFT). It does not encrypt the files themselves.

However, a more sophisticated virus emerged a few weeks ago: Mischa, apparently written by the same scammers. This virus ENCRYPTS files and requires you to pay $500 - $875 for decryption (1.5 - 1.8 bitcoins, depending on the version). Instructions for "decryption" and payment are stored in the files YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT.

[Figure: Mischa virus - contents of the YOUR_FILES_ARE_ENCRYPTED.HTML file]

Now, in fact, hackers infect users' computers with two pieces of malware: Petya and Mischa. The first needs administrator rights on the system. So if a user refuses to give Petya admin rights, or removes this malware manually, Mischa steps in. This virus does not need administrator rights; it is a classic ransomware and really encrypts files using the strong AES algorithm, without making any changes to the Master Boot Record or the file table on the victim's hard drive.

The Mischa malware encrypts not only standard file types (videos, pictures, presentations, documents), but also .exe files. The only directories the virus leaves alone are \Windows, \$Recycle.Bin, \Microsoft, \Mozilla Firefox, \Opera, \Internet Explorer, \Temp, \Local, \LocalLow, and \Chrome.
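A read-only triage sweep for the ransom notes described above, as an added example that is not part of the original article: it locates YOUR_FILES_ARE_ENCRYPTED.HTML / .TXT under a given root, ignores the directory names the article says Mischa skips, and reports one row per affected folder. The root path C:\Users is an assumed example; run it against a mounted image or an isolated machine, since it changes nothing on disk.

```powershell
# Added example (not from the original article): find Mischa ransom notes and
# summarise the affected folders. Read-only; nothing on disk is modified.

# Directory names the article says the malware does not touch.
$excludedDirs = @('Windows', '$Recycle.Bin', 'Microsoft', 'Mozilla Firefox', 'Opera',
                  'Internet Explorer', 'Temp', 'Local', 'LocalLow', 'Chrome')

function Find-MischaRansomNotes {
    param([Parameter(Mandatory)][string]$Root)

    $notes = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -ieq 'YOUR_FILES_ARE_ENCRYPTED.HTML' -or
            $_.Name -ieq 'YOUR_FILES_ARE_ENCRYPTED.TXT'
        } |
        Where-Object {
            # Drop hits that sit under any excluded directory name in the path.
            $parts = $_.DirectoryName -split '[\\/]'
            ($parts | Where-Object { $excludedDirs -contains $_ }).Count -eq 0
        }

    # One row per folder; the earliest note time is a hint of when encryption ran.
    $notes | Group-Object DirectoryName | ForEach-Object {
        [pscustomobject]@{
            Folder    = $_.Name
            Notes     = $_.Count
            FirstSeen = ($_.Group | Measure-Object CreationTime -Minimum).Minimum
        }
    }
}

$hits = @(Find-MischaRansomNotes -Root 'C:\Users')   # assumed example root
if ($hits.Count -eq 0) {
    Write-Output 'no Mischa ransom notes found'
} else {
    $hits | Sort-Object FirstSeen | Format-Table -AutoSize
}
```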

Infection occurs mainly through e-mail: a letter arrives with an attached file, which is the virus installer. It can be disguised as a letter from the tax office or from your accountant, as enclosed invoices and purchase receipts, and so on. Pay attention to the file extensions in such letters: if the attachment is an executable file (.exe), then with high probability it is a container for the Petya\Mischa virus. And if the malware variant is fresh, your antivirus may not react.

Update 06/30/2017: on June 27, a modified version of the Petya virus (Petya.A) massively attacked users in Ukraine. The effect of this attack was enormous and the economic damage has not yet been calculated. In one day, the work of dozens of banks, retail chains, state institutions and enterprises of all forms of ownership was paralyzed. The virus spread primarily through a vulnerability in the Ukrainian accounting system MeDoc, via the latest automatic update of this software. The virus has also affected countries such as Russia, Spain, Great Britain, France and Lithuania.

Remove Petya and Mischa virus with automatic cleaner

This is an exceptionally effective way of dealing with malware in general and ransomware in particular. Using a proven security suite ensures thorough detection of any viral components and their complete removal with one click. Note that there are two separate processes: removing the infection and restoring files on your PC. The threat certainly needs to be removed in any case, since there are reports of other Trojans being installed with its help.

  1. After launching the software, click the Start Computer Scan (Start scan) button.
  2. The installed software will provide a report on threats detected during the scan. To remove all found threats, select the Fix Threats (Remove threats) option. The malware in question will be completely removed.

Restore access to encrypted files

As noted, the Mischa ransomware locks files with a strong encryption algorithm, so the encrypted data cannot be restored with a wave of a magic wand, unless you count paying an exorbitant ransom (sometimes up to $1,000). But some methods can really be a lifesaver and help you recover important data. You can familiarize yourself with them below.

Automatic file recovery program (decryptor)

A rather unusual circumstance is known. This infection deletes the original files in their unencrypted form, so the encryption process actually targets copies of them. This makes it possible for deleted-file recovery tools to restore the originals, even if the deletion appears to be permanent. It is strongly recommended to try the file recovery procedure; its effectiveness is beyond doubt.

Volume Shadow Copies

This approach is based on the Windows file backup procedure that runs at every restore point. An important condition for this method to work: System Restore must have been enabled before the infection. Also, any changes made to a file after the restore point will not be reflected in the restored version of the file.

Backup

This is the best of all the non-ransom methods. If data was being backed up to an external server before the ransomware attacked your computer, then to recover the encrypted files you simply need to open the appropriate interface, select the necessary files and start restoring data from the backup. Before performing this operation, make sure that the ransomware has been completely removed.

Check for possible residual Petya and Mischa ransomware components

Manual cleaning risks missing individual fragments of the ransomware, which can evade removal in the form of hidden operating system objects or registry entries. To eliminate the risk that individual malicious elements survive, scan your computer using a reliable security package that specializes in malware.

On Tuesday, June 27, Ukrainian and Russian companies reported a massive virus attack: computers at enterprises displayed a message demanding a ransom. I looked into who suffered from hackers this time and how to protect yourself from the theft of important data.

Peter, enough

The energy sector was the first to be attacked: the Ukrainian companies Ukrenergo and Kyivenergo complained about the virus. The intruders paralyzed their computer systems, but this did not affect the stability of the power plants.

Ukrainians began to post the consequences of the infection online: judging by the numerous pictures, the computers were attacked by a ransomware virus. A message popped up on the screen of affected devices stating that all data was encrypted and that the device owners needed to pay a $300 ransom in bitcoins. At the same time, the hackers did not say what would happen to the information if the victim did nothing, and did not even set a countdown timer until the data was destroyed, as was the case with the WannaCry attack.

The National Bank of Ukraine (NBU) reported that due to the virus, the work of several banks was partially paralyzed. According to Ukrainian media, the attack affected the offices of Oschadbank, Ukrsotsbank, Ukrgasbank, and PrivatBank.

The computer networks of Ukrtelecom, Boryspil Airport, Ukrposhta, Novaya Poshta, Kievvodokanal and the Kyiv Metro were also infected. In addition, the virus hit the Ukrainian mobile operators Kyivstar, Vodafone and Lifecell.

Later, the Ukrainian media clarified that it was the Petya.A malware. It is distributed according to the usual hacker scheme: phishing emails are sent to victims from fake senders, asking them to open an embedded link. After that, the virus enters the computer, encrypts the files and demands a ransom for their decryption.

The hackers indicated the number of their bitcoin wallet to which money should be transferred. Judging by the information about the transactions, the victims have already transferred 1.2 bitcoins (more than 168 thousand rubles).

According to information security experts from Group-IB, more than 80 companies were affected by the attack. The head of their crime lab noted that the virus was not related to WannaCry. To contain the problem, he advised closing TCP ports 1024–1035, 135, and 445.

Who is guilty

She hastened to assume that the attack was organized from the territory of Russia or Donbass, but did not provide any evidence. The Minister of Infrastructure of Ukraine saw a hint in the word "virus" and wrote on his Facebook that "it is no coincidence that it ends in RUS", accompanying his guess with a winking emoticon.

Meanwhile, he claims that the attack has nothing to do with the existing malware known as Petya and Mischa. Security officials claim that the new wave hit not only Ukrainian and Russian companies, but also enterprises in other countries.

Nevertheless, the current malware's interface resembles the well-known Petya virus, which a few years ago was distributed through phishing links. At the end of December, the unknown hacker responsible for creating the Petya and Mischa ransomware started sending out infected emails with an embedded virus called GoldenEye, which was identical to previous versions of the encryptor.

The attachment to an ordinary letter, often received by the HR department, contained information about a fake candidate. One of the files did indeed contain a résumé, and the next one a virus installer. At that time the attacker's main targets were companies in Germany. In one day, more than 160 employees of a German company fell into the trap.

It was not possible to identify the hacker, but he is obviously a Bond fan. The Petya and Mischa programs are named after the Russian satellites "Petya" and "Misha" from the film "GoldenEye", which according to the plot were electromagnetic weapons.

The original version of Petya began to spread actively in April 2016. It skillfully disguised itself on computers and posed as a legitimate program, requesting elevated administrator rights. After activation, the program behaved extremely aggressively: it set a hard deadline for paying the ransom, demanding 1.3 bitcoins, and doubled the demand once the deadline passed.

However, a Twitter user quickly found the ransomware's weaknesses and created a simple program which, in seven seconds, generated a key that unlocks the computer and decrypts all the data without any consequences.

Not the first time

In mid-May, computers around the world were attacked by a similar ransomware virus, WannaCrypt0r 2.0, also known as WannaCry. In just a few hours it paralyzed the work of hundreds of thousands of Windows devices in over 70 countries. Among the victims were Russian law enforcement agencies, banks and mobile operators. Once on the victim's computer, the virus encrypted the hard drive and demanded that 300 dollars in bitcoins be sent to the attackers. Three days were allotted for reflection, after which the amount doubled, and a week later the files were encrypted forever.

However, the victims were in no hurry to transfer the ransom, and the creators of the "malware"

Viruses are an integral part of the operating system ecosystem. In most cases we are talking about Windows and Android, and if you are really unlucky, about OS X and Linux. Moreover, whereas earlier mass viruses aimed only at stealing personal data, or in most cases simply at damaging files, now encryptors are in charge.

And this is not surprising: the computing power of both PCs and smartphones has grown like an avalanche, which means the hardware for such "pranks" is becoming more powerful.

Some time ago, experts discovered the Petya virus. G DATA SecurityLabs found that the virus needs administrative access to the system, and that it does not encrypt files but only blocks access to them. As of today, removal tools for Petya (Win32.Trojan-Ransom.Petya.A) already exist. The virus itself modifies the boot record on the system drive and causes the computer to crash, displaying a message about data corruption on the disk. In fact, this is just encryption.

The developers of the malware demanded payment for restoring access.


However, in addition to the Petya virus, an even more sophisticated one has now appeared: Misha. It does not need administrative rights, and it encrypts data like classic ransomware, creating the files YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT on the disk or in a folder with encrypted data. They contain instructions for obtaining the key, the price of which is approximately $875.

It is important to note that infection occurs through e-mail: an exe file containing the virus arrives disguised as a pdf document. So it is worth repeating: check letters with attached files carefully, and try not to download documents from the Internet, since a virus or a malicious macro can now be embedded in a doc file or a web page.

We also note that so far there are no utilities for decrypting the results of the Misha virus's "work".

[Image caption: Fighting the new ransomware is harder than WannaCry, experts say]

On June 27, ransomware blocked computers and encrypted files at dozens of companies around the world.

It is reported that Ukrainian companies suffered the most: the virus infected the computers of large companies, government agencies and infrastructure facilities.

For decrypting files, the virus requires victims to pay $300 in bitcoins.

BBC Russian service answers the main questions about the new threat.

Who got hurt?

The spread of the virus began in Ukraine. Boryspil airport, some regional divisions of Ukrenergo, chain stores, banks, media and telecommunications companies were affected. The computers in the government of Ukraine were also switched off.

Following this, it was the turn of companies in Russia: Rosneft, Bashneft, Mondelez International, Mars, Nivea and others also fell victim to the virus.

How does a virus work?

Experts have not yet reached a consensus on the origin of the new virus. Group-IB and Positive Technologies see it as a variation of the 2016 Petya virus.

"This ransomware uses both hacking techniques and utilities and standard system administration utilities," comments Elmar Nabigaev, Head of the Information Security Threat Response Department at Positive Technologies. "All this guarantees a high speed of distribution within the network and the mass nature of the epidemic as a whole (once at least one personal computer is infected). The result is complete inoperability of the computer and data encryption."

The Romanian company Bitdefender sees more in common with the GoldenEye virus, which pairs Petya with another piece of malware called Misha. The advantage of the latter is that, in order to encrypt files, it does not need administrator rights from the future victim but obtains them on its own.

Brian Campbell from Fujitsu and a number of other experts believe that the new virus uses a modified EternalBlue program stolen from the US National Security Agency.

After the publication of this program by hackers The Shadow Brokers in April 2017, the WannaCry ransomware virus created on its basis spread around the world.

By exploiting Windows vulnerabilities, this program allows the virus to spread to computers throughout a corporate network. The original Petya was sent via e-mail under the guise of a résumé and could infect only the computer on which that résumé was opened.

Kaspersky Lab told Interfax that the ransomware virus does not belong to previously known malware families.

"Kaspersky Lab's software products detect this malware as UDS:DangerousObject.Multi.Generic," said Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab.

In general, if you call the new virus by a Russian name, keep in mind that outwardly it looks more like Frankenstein's monster, since it is assembled from several malicious programs. It is known for certain that the virus was born on June 18, 2017.

[Image caption: For decrypting files and unlocking the computer, the virus demands $300]

Better than WannaCry?

It took WannaCry just a few days in May 2017 to become the most massive cyber attack of its kind in history. Will the new ransomware overtake its recent predecessor?

In less than a day, the attackers received 2.1 bitcoins from their victims, about $5,000. WannaCry collected 7 bitcoins in the same period.

At the same time, according to Elmar Nabigaev from Positive Technologies, the new extortionist is harder to fight.

"In addition to the exploit [vulnerability in Windows], this threat is also spread using operating system accounts stolen using special hacking tools," the expert noted.

How to deal with the virus?

As a preventive measure, experts advise installing updates for operating systems on time and checking files received by e-mail.

Advanced administrators are advised to temporarily disable the Server Message Block (SMB) network protocol.
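The two containment measures mentioned on this page, disabling SMB (advised here) and closing TCP ports 1024–1035, 135 and 445 (the Group-IB advice earlier in the article), as an added example that is not part of the original article. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, where the SmbShare and NetSecurity cmdlets exist; the rule names are my own.

```powershell
# Added example (not from the original article): apply the page's two containment
# steps and verify them. Run from an elevated session.
# Caveat: blocking 445 also breaks legitimate file sharing on this host, so treat
# this as temporary containment during an outbreak, not as permanent configuration.

$ruleSpecs = @(
    @{ Name = 'Block-Petya-SMB-445';   Port = '445' },
    @{ Name = 'Block-Petya-RPC-135';   Port = '135' },
    @{ Name = 'Block-Petya-1024-1035'; Port = '1024-1035' }
)

function Disable-Smb1Server {
    # Turn off only the SMBv1 dialect that EternalBlue targets; SMBv2/v3 keep working.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    return (-not (Get-SmbServerConfiguration).EnableSMB1Protocol)
}

function Block-PetyaPorts {
    # Inbound block rules for the ports the article lists; idempotent by rule name.
    foreach ($r in $ruleSpecs) {
        if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Direction Inbound `
                -Protocol TCP -LocalPort $r.Port -Action Block -Profile Any | Out-Null
        }
    }
}

function Test-PetyaMitigations {
    # Report the state of both measures so the change can be confirmed before moving on.
    $missing = @()
    foreach ($r in $ruleSpecs) {
        if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
            $missing += $r.Name
        }
    }
    [pscustomobject]@{
        Smb1Disabled = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
        MissingRules = $missing
    }
}

Disable-Smb1Server | Out-Null
Block-PetyaPorts
Test-PetyaMitigations
```

To undo the port blocks after the outbreak, remove the three rules by name with Remove-NetFirewallRule.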

If computers are infected, do not pay the attackers under any circumstances. There is no guarantee that once paid they will decrypt the files rather than demand more.

All that remains is to wait for a decryptor program: in the case of WannaCry, it took Adrien Guinet, a specialist at the French company Quarkslab, a week to create one.

The first ransomware, AIDS (PC Cyborg), was written by the biologist Joseph Popp in 1989. It hid directories and encrypted files, demanding $189 for a "license renewal" to be paid to an account in Panama. Popp distributed his creation on floppy disks sent by regular mail, about 20 thousand in total. Popp was detained while trying to cash a check, but escaped trial: in 1991 he was declared insane.