In March 2016, reports of a new crypto-ransomware strain, PETYA (detected by Trend Micro as RANSOM_PETYA.A), surfaced with a lethal infection that didn't just hold files hostage, but also triggered the "blue screen of death" on Windows systems to increase the sense of urgency to pay the ransom.
This time, PETYA is back, and it comes with Mischa (detected as RANSOM_MISCHA.A)—a ransomware type that has reportedly succeeded in infecting an entire public institution in Australia. When PETYA arrives in a system, the ransomware strain tricks the victim into allowing administrative privileges that could, in turn, lead to the execution of the malware. Thanks to some modifications, it prompts the installation of Mischa if it's unable to gain the necessary administrative privileges. The back-to-back ransomware attack is a clever move that ensures infection.
The distribution of Mischa is reminiscent of methods used by its predecessor. It starts with a bogus email supposedly coming from a job applicant vying for a position. The message comes with a poisoned link that leads to a cloud storage service, Magentacloud—much like how PETYA has directed its would-be victims to a Dropbox folder. The link leads to files masquerading as the applicant’s image and resume.
After infection, Mischa encrypts not just images and documents with common extensions such as JPG, PNG, and DOCX; it is also capable of encrypting .EXE files, appending a 4-character extension to them to signify compromise. Once the encryption is in motion, each folder will then contain two ransom notes, in HTML and text format, that expound on how the files have been rendered useless to the victim unless the payment instructions are followed. Currently, the authors of Mischa are asking for 2.0098 bitcoins (around US$909), which is slightly higher than the amount demanded by PETYA, which asks for 1.967 bitcoins (US$892).
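As an added illustration (not Trend Micro's code and not part of the original article), the sketch below triages a directory tree for the file-system pattern described above: targeted file types carrying an appended 4-character extension, alongside an HTML and text note pair in the same folder. The shared base name for the two notes, the `min_renamed` threshold, and every sample file name are assumptions or constructed values, not real indicators.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the article names as Mischa targets; extend for your environment.
TARGET_EXTS = ("jpg", "png", "docx", "exe")
# A targeted extension followed by an appended 4-character extension.
APPENDED = re.compile(r"\.(?:%s)\.[A-Za-z0-9]{4}$" % "|".join(TARGET_EXTS), re.I)


def scan_folder(names):
    """Return (renamed_files, note_stems) for one folder's file names."""
    renamed = sorted(n for n in names if APPENDED.search(n))
    html = {n[:-5].lower() for n in names if n.lower().endswith(".html")}
    text = {n[:-4].lower() for n in names if n.lower().endswith(".txt")}
    # Assumption: the HTML and text notes share a base name.
    return renamed, sorted(html & text)


def triage(root, min_renamed=3):
    """Walk root and report folders that show both signals together."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        renamed, notes = scan_folder(files)
        if len(renamed) >= min_renamed and notes:
            findings[folder] = {"renamed": renamed, "note_stems": notes}
    return findings


def build_sample_tree(base):
    """Constructed sample data: one clean folder, one matching the pattern."""
    clean, hit = Path(base, "clean"), Path(base, "hit")
    for d in (clean, hit):
        d.mkdir()
    for name in ("a.jpg", "b.docx", "readme.txt", "setup.exe"):
        (clean / name).touch()
    # "x9Qz" and "NOTE_PLACEHOLDER" are made-up values, not real indicators.
    for name in ("a.jpg.x9Qz", "b.docx.x9Qz", "setup.exe.x9Qz",
                 "NOTE_PLACEHOLDER.html", "NOTE_PLACEHOLDER.txt"):
        (hit / name).touch()
    return str(hit)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, info in triage(tmp).items():
            print(folder, len(info["renamed"]), info["note_stems"])
```

Requiring both signals in the same folder keeps the heuristic quiet on ordinary directories that merely hold an `index.html` next to an `index.txt`.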
The FBI statistics on the surge of ransomware success continue to be a cause for concern for users and organizations. In the United States alone, $209 million in damages has been recorded within the first three months of 2016—an astonishing growth from the recorded $25 million extorted from ransomware victims in all of 2015.
Ransomware infections, and now the rise of newer and evolved ransomware strains, have been so rampant that they are quickly becoming a common occurrence—far from when ransomware was first sighted. In Trend Micro 2016 Security Predictions, online extortion was projected to be one of the most significant cybersecurity challenges for 2016. The evolution of PETYA, packaged with Mischa, is similar to how recently discovered ransomware strains, CryptXXX and 7ev3n, received major updates. These developments signify how adaptable malware authors are in creating more effective ways to extort money from their victims.
Trend Micro endpoint solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security can protect users and businesses from this threat. Strong password policies and the disabling of automatic macro loading in Office programs, along with regular patching schedules, are also among the valid and tested ways to keep ransomware at bay. And despite this threat's attempt to render backup files useless, backing up files is still an effective defense.
Additionally, Trend Micro™ Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. This comprehensive, centrally-managed platform helps simplify security operations while enabling regulatory compliance and accelerating the ROI of virtualization and cloud projects.