Petya is back and with a friend named Mischa Ransomware

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
A new installer for Petya was released that also installs the Mischa Ransomware if it is unable to gain Administrative privileges. In the past, when Petya was installed it requested Administrative privileges so that it could modify the master boot record. If it was unable to gain these privs, the installer would not do anything to the computer. This has all changed, though, as now if the installer is unable to gain the required privs, it will install the Mischa Ransomware instead.




Petya + Mischa Ransomware = Double the Trouble
There is nothing a ransomware developer hates more than leaving money on the table, and this is exactly what was happening with Petya. As Petya required administrative privileges to modify the master boot record, if it was not able to do so, the installation failed. To counter this, the Petya devs did something clever: they bundled an extra ransomware called Mischa into the installer that will be installed when Petya is unable to.

When a victim runs the executable, which is disguised as a PDF job resume, the installer will try to gain administrative privileges so that it can modify the MBR of the system drive. If it is unable to do so, whether that be because the user clicks no at the UAC prompt or for other reasons, the installer will instead install the Mischa Ransomware as it does not require administrative privileges.

Read more: Petya is back and with a friend named Mischa Ransomware
 
D

Deleted member 2913

Why bundle Mischa with Petya if Mischa doesn't require Admin privilege? Mischa alone could do the job, right? Or Mischa's job is to mitigate Admin privilege only & rest job is done by Petya?

Damn, how do they come up with those names, Petya, Mischa, etc.? Or are the names too part of some code, etc.?
 
H

hjlbx

Ransomware is not the great scourge -- unless one relies solely upon protection via signature detection.

If you have a security soft that can be set to block any unrecognized files - e.g. any product with HIPS\BB - or block execution of unrecognized User Space files via policy - e.g. AppGuard, Bouncer - or an anti-executable like NVT ERP, SOB, VooDooShield - then ransomware is no big deal.

Of course there is virtualization (sandboxing), but I've come to the conclusion that it is far safer to block execution than to allow an unknown file to execute on a system - even if sandboxed.

I've noticed that allowing malware - not just ransomware - to execute on a system often causes security softs to malfunction - from GUI failures all the way to complete failures. So it is just best to be very selective in what User Space files you allow to execute on your system.
 
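A defender-side illustration of the two branches the article describes (elevation granted, so the MBR-tampering stage is reachable; elevation refused, so the user-mode encryptor runs instead) combined with hjlbx's default-deny point about unrecognized User Space files. This is an added example, not code from the article, from MalwareTips or from any poster; the record fields are loosely modelled on Sysmon process-creation events, and every path, file name and hash is constructed.

```python
import re
from dataclasses import dataclass

# Constructed example. Records loosely follow Sysmon Event ID 1 fields
# (Image, IntegrityLevel, Hashes); nothing here is real telemetry.
DOC_LOOKALIKE = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g)\.(exe|scr|com)$", re.I)
USER_SPACE = re.compile(r"^C:\\Users\\[^\\]+\\", re.I)
SYSTEM_SPACE = re.compile(r"^C:\\(Windows|Program Files( \(x86\))?)\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    integrity: str   # "Medium" (plain user token) or "High" (UAC consent given)
    sha256: str      # file hash as the sensor would log it


def policy_decision(ev, allowlist):
    """Default-deny for User Space binaries: allow only known hashes or
    images under the system/program directories (hjlbx's approach)."""
    if ev.sha256 in allowlist or SYSTEM_SPACE.match(ev.image):
        return "allow"
    return "block"


def classify(ev):
    """Name the stage a document-lookalike executable has reached."""
    if not (USER_SPACE.match(ev.image) and DOC_LOOKALIKE.search(ev.image)):
        return None
    if ev.integrity.lower() == "high":
        return "lure elevated: MBR tampering stage reachable"
    return "lure running unelevated: user-mode encryptor stage reachable"


def triage(events, allowlist=frozenset()):
    """Return (pid, policy decision, note) for every event worth attention."""
    out = []
    for ev in events:
        decision, note = policy_decision(ev, allowlist), classify(ev)
        if decision == "block" or note:
            out.append((ev.pid, decision, note))
    return out


SAMPLE = [  # constructed records: a shell, a lure twice, a dropped installer
    ProcEvent(1204, r"C:\Windows\explorer.exe", "Medium", "a" * 64),
    ProcEvent(2210, r"C:\Users\anna\Downloads\Bewerbung.pdf.exe", "Medium", "b" * 64),
    ProcEvent(2244, r"C:\Users\anna\Downloads\Bewerbung.pdf.exe", "High", "b" * 64),
    ProcEvent(2300, r"C:\Users\anna\AppData\Local\Temp\setup.exe", "Medium", "c" * 64),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

With an empty allowlist every User Space binary is blocked before its stage matters; the notes only tell the analyst which branch the lure would have taken.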

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
Great share, thank you @Jack :)
Picked up a sample of it yesterday (thank you @silversurfer), QTS360 picked it up first, but by the time I performed the scan, there were many more entries on VT, just after a few hours. Nice to see AV vendors keeping up pace :)

Regarding the names, @yesnoo, they sound like names of Russian (or something similar) girls...

As always, backups and the use of Brain.exe will probably save you, if you first check what you're about to open. However, not that easy at the office probably - time is money.

@hjlbx Good input :)
 

Arkush

New Member
May 23, 2016
1
Hi. I received last week a strange e-mail with a PDF application in German. All strange mails go to my spam box. I do not open them. I just wanted to read about it, and found some information at:
http://www.virus-entferner.de/2016/05/23/mischa-virus-entfernen/
They write that many such mails were sent to German people and big corporations in Germany and Austria. I think they send such mails to rich countries, where the money is.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
UAC has already been vulnerable because of the source-code concept of administrator privilege, so Mischa is pretty clever in that case.

So I agree with @hjlbx that in these certain times, a product that mainly focuses on hardening the system will end all problems.

Honestly, for me it is the first time to see a 'double trouble' scheme. Nothing is safe anyway.
 
