Petya is back and with a friend named Mischa Ransomware

[Jack]

Content source

http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/

A new installer for Petya was released that also installs the Mischa Ransomware if it is unable to gain Administrative privileges. In the past, when Petya was installed it requested Administrative privileges so that it could modify the master boot record. If it was unable to gain these privs, the installer would not do anything to the computer. This has all changed, though, as now if the installer is unable to gain the required privs, it will instead install the Mischa Ransomware instead.




Petya + Mischa Ransomware = Double the Trouble
There is nothing a ransomware developer hates more than leaving money on the table and this is exactly what was happening with Petya. As Petya required administrative privileges to modify the master boot record, if it was not able to do so, the intallation failed. To counter this, the Petya devs did something clever, they bundled an extra ransomware called Mischa into the installer that will be installed when the Petya is unable to.

When a victim runs the executable, which is disguised as a PDF job resume, the installer will try to gain administrative privileges so that it can modify the MBR of the system drive. If it is unable to do so, whether that be because the user clicks no at the UAC prompt or for other reasons, the installer will instead install the Mischa Ransomware as it does not require administrative privileges.

Read more: Petya is back and with a friend named Mischa Ransomware

 

[Captain Awesome]

Bad news for AV Companies

 

[Deleted member 2913]

Why bundle Mischa with Petya if Mischa doesn't require Admin privilege? Mischa alone could do the job, right? Or Mischa's job is to mitigate Admin privilege only & rest job is done by Petya?

Damn how do they come on those names Petya, Mischa, etc... or the names too are part of some codes, etc...?

 

[LabZero]

But, in fact, Petya has presented Itself as advanced malware, but under my eyes it was little more than an old boot sector virus. This is the reason of the implementation.

 

[Dirk41]

Thanks
What if you simply close the UAC window?

 

[Captain Awesome]

Thanks
What if you simply close the UAC window?

Disaster

 

[yigido]

If it is unknown executable, it goes into sandbox. Period.

 

[hjlbx]

Ransomware is not the great scourge -- unless one relies solely upon protection via signature detection.

If you have a security soft that can be set to block any unrecognized files - e.g. any product with HIPS\BB - or block execution of unrecognized User Space files via policy - e.g. AppGuard, Bouncer - or antiexecutable like NVT ERP, SOB, VooDooShield - then ransomware is no big deal.

Of course there is virtualization (sandboxing), but I've come to the conclusion that it is far safer to block execution than to allow an unknown file to execute on a system - even if sandboxed.

I've noticed that allowing malware - not just ransomware - to execute on a system often causes security softs to malfunction - from GUI failures all the way to complete failures. So it is just best to be very selective in what User Space files you allow to execute on your system.

 

[Entreri]

Money, money, money. Ransomware is here to stay forever, we will see incredible growth. They have even started targeting hospitals.

I have stopped opening pdf's and attachments a long time ago, personal email accounts.

 

[Der.Reisende]

Great share, thank you @Jack
Picked up a sample of it yesterday (thank you @silversurfer), QTS360 picked it up first, but by the time I performed the scan, there were much more entries on VT, just after a few hours. Nice to see AV vendors keeping up pace

Regarding the names, @yesnoo, they sound like names by russian (or something similiar) girls...

As always, backups and the use of Brain.exe will probably save you, if you first check what you're about to open. However, not that easy at the office probably - time is money.

@hjlbx Good input

 

[yigido]

Yes @hjlbx good point, friend Sandbox is better than "Default Allow" thing. Sandbox also gives better usability more than HIPS & Anti-executable softwares. There is no ransomware that can by-pass Comodo's sandbox.

 

[Arkush]

Hi. I received last week a strange Email with a PDF aplication in German language. All strange Mails come to my Spam-Box. I do not open them. I wanted just to read about it, and found some informations on:

http://www.virus-entferner.de/2016/05/23/mischa-virus-entfernen/'

. They write, that many such Mails were send to German people and big Corporations in Germany and Austrian. I think they send such Mails to rich countries, where money is.

 

[jamescv7]

UAC is already been vulnerable because of source code concept of administrator privilege, so Mischa is pretty clever on that case.

So I agree with @hjlbx where these certain times, a product that mainly focus on hardening system will end of all problems.

Honestly for me; it is first time to see a 'double trouble' scheme. Nothing is safe anyways.