Misha virus: what does it do? The new Petya ransomware is named after the President of Ukraine, says expert

Image caption: According to experts, fighting the new ransomware is more difficult than WannaCry

On June 27, ransomware locked computers and encrypted files at dozens of companies around the world.

Ukrainian companies are reported to be the worst affected: the virus infected the computers of large companies, government agencies and infrastructure facilities.

The virus demands $300 in Bitcoin from victims to decrypt files.

The BBC Russian service answers the main questions about the new threat.

Who was hurt?

The spread of the virus began in Ukraine. The Boryspil airport, some regional divisions of Ukrenergo, chain stores, banks, media and telecommunications companies were affected. Computers in the Ukrainian government also went down.

Following this, it was the turn of companies in Russia: Rosneft, Bashneft, Mondelez International, Mars, Nivea and others also became victims of the virus.

How does the virus work?

Experts have not yet reached a consensus on the origin of the new virus. Group-IB and Positive Technologies see it as a variant of the 2016 Petya virus.

"This ransomware uses both hacking techniques and utilities, and standard system administration utilities," comments Elmar Nabigaev, head of the threat response department at Positive Technologies. "All this guarantees a high speed of spread within the network and the massiveness of the epidemic as a whole (if at least one personal computer). The result is complete computer inoperability and data encryption."

The Romanian company Bitdefender sees more in common with the GoldenEye virus, in which Petya is combined with another piece of malware called Misha. The advantage of the latter, from the attacker's point of view, is that it does not need administrator rights from the future victim to encrypt files but obtains them on its own.

Brian Cambell from Fujitsu and a number of other experts believe that the new virus uses a modified EternalBlue program stolen from the US National Security Agency.

After the hacker group The Shadow Brokers published this program in April 2017, the WannaCry ransomware, built on it, spread all over the world.

Using Windows vulnerabilities, this program allows the virus to spread to computers throughout the corporate network. The original Petya was sent by email under the guise of a resume and could only infect the computer where the resume was opened.

Kaspersky Lab told Interfax that the ransomware does not belong to any previously known malware family.

“Kaspersky Lab software products detect this malware as UDS:DangerousObject.Multi.Generic,” noted Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab.

In general, whatever you call the new virus, keep in mind that it looks more like Frankenstein’s monster, since it is assembled from several pieces of malware. It is known for certain that the virus was born on June 18, 2017.

Image caption: The virus demands $300 to decrypt files and unlock your computer.

Cooler than WannaCry?

It took WannaCry just a few days in May 2017 to become the largest cyberattack of its kind in history. Will the new ransomware overtake its recent predecessor?

In less than a day, the attackers received 2.1 bitcoins from their victims, about 5 thousand dollars. WannaCry collected 7 bitcoins in the same period.

At the same time, according to Elmar Nabigaev from Positive Technologies, it is more difficult to fight the new ransomware.

"In addition to exploiting [the Windows vulnerability], this threat also spreads through operating system accounts stolen using special hacker tools,” the expert noted.

How to fight the virus?

As a preventative measure, experts advise installing updates for operating systems on time and checking files received by email.

Advanced administrators are advised to temporarily disable the Server Message Block (SMB) network file-sharing protocol.

If your computers are infected, under no circumstances should you pay the attackers. There is no guarantee that once they receive payment, they will decrypt the files rather than demand more.

All that remains is to wait for a decryption program: in the case of WannaCry, it took Adrien Guinet, a specialist from the French company Quarkslab, a week to create one.

The first ransomware, AIDS (PC Cyborg), was written by biologist Joseph Popp in 1989. It hid directories and encrypted files, demanding a payment of $189 for a "license renewal" to an account in Panama. Popp distributed his creation on floppy disks sent by regular mail, making about 20 thousand shipments in total. Popp was detained while trying to cash a check but avoided trial: in 1991 he was declared insane.

On Tuesday, June 27, Ukrainian and Russian companies reported a massive virus attack: computers at enterprises displayed a ransom message. I looked into who has once again suffered at the hands of hackers and how to protect yourself from the theft of important data.

Petya, that's enough

The energy sector was the first to be attacked: the Ukrainian companies Ukrenergo and Kyivenergo complained about the virus. The attackers paralyzed their computer systems, but this did not affect the stability of the power plants.

Ukrainians began to publish the consequences of the infection online: judging by numerous pictures, computers were attacked by a ransomware virus. A message popped up on the screen of the affected devices stating that all data was encrypted and device owners needed to pay a $300 ransom in Bitcoin. However, the hackers did not say what would happen to the information in case of inaction, and did not even set a countdown timer until the data was destroyed, as was the case with the WannaCry virus attack.

The National Bank of Ukraine (NBU) reported that the work of several banks was partially paralyzed due to the virus. According to Ukrainian media, the attack affected the offices of Oschadbank, Ukrsotsbank, Ukrgasbank, and PrivatBank.

The computer networks of Ukrtelecom, Boryspil airport, Ukrposhta, Nova Poshta (New Mail), Kyivvodokanal and the Kyiv metro were also infected. In addition, the virus hit the Ukrainian mobile operators Kyivstar, Vodafone and Lifecell.

Later, Ukrainian media clarified that the malware in question is Petya.A. It is distributed according to the usual scheme: victims are sent phishing emails from fake senders asking them to open an attached link. After this, the virus penetrates the computer, encrypts the files and demands a ransom for decrypting them.

The hackers indicated the number of their Bitcoin wallet to which the money should be transferred. Judging by the transaction information, the victims have already transferred 1.2 bitcoins (more than 168 thousand rubles).

According to information security specialists from Group-IB, more than 80 companies were affected by the attack. The head of their crime lab noted that the virus is not related to WannaCry. To fix the problem, he advised closing TCP ports 1024–1035, 135 and 445.
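The two network measures mentioned on this page (temporarily disabling SMB, and closing TCP ports 135, 445 and 1024–1035) as an added PowerShell example; this is not code from any of the quoted sources. It assumes Windows 8.1/Server 2012 R2 or later, an elevated session, and a workstation that does not itself serve files or RPC to other hosts, since the rule also breaks legitimate file sharing and remote management on the machine it is applied to.

```powershell
#Requires -RunAsAdministrator

# 1. Turn off the SMBv1 server protocol (SMBv2/v3 stay on). -Force skips the prompt.
#    EternalBlue targets SMBv1, so this removes the exploited code path entirely.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 2. Block inbound TCP on the ports named in the Group-IB advice with one named rule.
#    The rule name lets the change be found and reverted once the network is patched.
$ruleName = 'Petya containment - block inbound TCP 135,445,1024-1035'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort @('135', '445', '1024-1035') -Action Block -Profile Any | Out-Null
}

# 3. Verify: EnableSMB1Protocol must read False, and the port filter must list the ports.
(Get-SmbServerConfiguration).EnableSMB1Protocol
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# Rollback after patching (comments so they are not run by accident):
#   Remove-NetFirewallRule -DisplayName $ruleName
#   Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force
```

Blocking port 135 (the RPC endpoint mapper) on a domain-joined machine also interrupts some domain management traffic, so treat the rule as a short-term containment step rather than a permanent configuration.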

Who is to blame

She hastened to assume that the attack was organized from the territory of Russia or Donbass, but did not provide any evidence. The Minister of Infrastructure of Ukraine saw a clue in the word “virus” and wrote on his Facebook page that “it’s no coincidence that it ends in RUS,” adding a winking emoticon to his guess.

Meanwhile, he claims that the attack is in no way connected with the existing malware known as Petya and Mischa. Security experts say that the new wave has affected not only Ukrainian and Russian companies, but also enterprises in other countries.

Nevertheless, the interface of the current malware resembles that of the well-known Petya virus, which was distributed through phishing links a few years ago. At the end of December, the unknown hacker responsible for creating the Petya and Mischa ransomware began sending infected emails with an attached virus called GoldenEye, which was identical to the previous versions of the ransomware.

The attachment to an ordinary-looking letter, of the kind HR department employees often receive, contained information about a fake candidate. One of the files was actually a resume, and the next one was the virus installer. At that time the attacker's main targets were companies in Germany. Within 24 hours, more than 160 employees of one German company fell into the trap.

It was not possible to identify the hacker, but he is obviously a Bond fan. Petya and Mischa are the names of the Russian satellites “Petya” and “Misha” from the film “GoldenEye”, which in the plot were electromagnetic weapons.

The original version of Petya began to spread actively in April 2016. It skilfully camouflaged itself on computers, posing as legitimate software and requesting elevated administrator rights. Once activated, the program behaved extremely aggressively: it set a strict deadline for paying the ransom, demanding 1.3 bitcoins, and doubled the amount once the deadline passed.

However, a Twitter user quickly found weaknesses in the ransomware and created a simple program that generated, in seven seconds, a key that unlocked the computer and decrypted all the data without any consequences.

Not for the first time

In mid-May, computers around the world were attacked by a similar ransomware virus, WannaCrypt0r 2.0, also known as WannaCry. In just a few hours, it paralyzed hundreds of thousands of Windows devices in more than 70 countries. Among the victims were Russian security forces, banks and mobile operators. Once on the victim’s computer, the virus encrypted the hard drive and demanded that $300 in bitcoins be sent to the attackers. Three days were allotted for reflection, after which the amount doubled, and after a week the files were encrypted forever.

However, the victims were in no hurry to pay the ransom, and the creators of the malware

A few months ago, we and other IT security specialists discovered a new piece of malware, Petya (Win32.Trojan-Ransom.Petya.A). In the classical sense it was not a file encryptor: the virus simply blocked access to certain types of files and demanded a ransom. It modified the boot record on the hard drive, forcibly rebooted the PC and showed a message that “the data is encrypted, pay for decryption.” In other words, the standard ransomware scheme, except that the files were NOT actually encrypted. Most popular antiviruses began identifying and removing Win32.Trojan-Ransom.Petya.A a few weeks after it appeared, and instructions for manual removal appeared as well. Why do we think Petya is not classic ransomware? It modifies the Master Boot Record so the OS cannot boot, and it encrypts the Master File Table; it does not encrypt the files themselves.

However, a more sophisticated virus, Mischa, appeared a few weeks ago, apparently written by the same scammers. This virus ENCRYPTS files and demands $500–$875 for decryption (1.5–1.8 bitcoins, depending on the version). Instructions for “decryption” and payment are stored in the files YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT.

Image caption: Mischa virus, contents of the YOUR_FILES_ARE_ENCRYPTED.HTML file

Now, in fact, hackers infect users’ computers with two pieces of malware: Petya and Mischa. The first needs administrator rights on the system. If the user refuses to give Petya admin rights, or manually deletes it, Mischa steps in. This virus does not require administrator rights; it is a classic encryptor that actually encrypts files with the strong AES algorithm, without making any changes to the Master Boot Record or the file table on the victim’s hard drive.

The Mischa malware encrypts not only standard file types (videos, pictures, presentations, documents) but also .exe files. The virus skips only the directories \Windows, \$Recycle.Bin, \Microsoft, \Mozilla Firefox, \Opera, \Internet Explorer, \Temp, \Local, \LocalLow and \Chrome.

Infection occurs mainly through email: a letter arrives with an attached file, the virus installer. It can be disguised as a letter from the Tax Service or from your accountant, as attached receipts or purchase confirmations, etc. Pay attention to the file extensions in such letters: if the attachment is an executable file (.exe), there is a high probability that it is a container for the Petya/Mischa virus. And if the malware variant is recent, your antivirus may not react.

Update 06/30/2017: on June 27, a modified version of the Petya virus (Petya.A) massively attacked users in Ukraine. The effect of this attack was enormous and the economic damage has not yet been calculated. In one day, the work of dozens of banks, retail chains, government agencies and enterprises of various forms of ownership was disrupted. The virus spread mainly through a vulnerability in the Ukrainian accounting reporting system MeDoc, via the latest automatic update of this software. In addition, the virus affected countries such as Russia, Spain, Great Britain, France, and Lithuania.

Remove Petya and Mischa virus using an automatic cleaner

This is an effective way of dealing with malware in general and ransomware in particular. Using a proven security suite ensures thorough detection of all viral components and their complete removal in one click. Please note that these are two different processes: removing the infection and restoring the files on your PC. The threat certainly needs to be removed, however, since there are reports of other Trojans being installed through it.

  1. After starting the software, click the Start Computer Scan button.
  2. The installed software will report the threats detected during the scan. To remove all detected threats, select the Fix Threats option. The malware in question will be completely removed.

Restore access to encrypted files

As noted, the Mischa ransomware locks files using a strong encryption algorithm, so the encrypted data cannot be restored with a wave of a magic wand, unless you count paying the unheard-of ransom (sometimes reaching $1000). But some methods can really be a lifesaver and help you recover important data. You can familiarize yourself with them below.

Automatic file recovery program (decryptor)

A very unusual circumstance is known: this infection erases the source files in unencrypted form, and the encryption for extortion purposes targets copies of them. This gives file-recovery software a chance to restore the erased objects, even when their deletion appears to be complete. It is highly recommended to resort to the file recovery procedure; its effectiveness is beyond doubt.

Shadow copies of volumes

The approach is based on the Windows file backup procedure that runs at each restore point (Volume Shadow Copy). An important condition for this method to work: the “System Restore” function must have been enabled before the infection. Note that any changes made to a file after the restore point will not appear in the restored version of the file.

Backup

This is the best of all the non-ransom methods. If data was backed up to an external server before the ransomware attack on your computer, then to restore encrypted files you simply need to open the appropriate interface, select the necessary files and launch the recovery mechanism from the backup. Before performing the operation, make sure that the ransomware has been completely removed.

Check for possible presence of residual components of the Petya and Mischa ransomware

Manual cleaning risks missing individual pieces of the ransomware that could escape removal as hidden operating system objects or registry items. To eliminate the risk that individual malicious elements remain, scan your computer with a reliable security package that specializes in malware.

At the beginning of May, about 230,000 computers in more than 150 countries were infected with a ransomware virus. Before the victims had time to eliminate the consequences of this attack, a new one, called Petya, followed. The largest Ukrainian and Russian companies, as well as government institutions, suffered from it.

The cyber police of Ukraine established that the virus attack began through the update mechanism of the accounting software M.E.Doc, which is used to prepare and send tax reports. It also became known that the networks of Bashneft, Rosneft, Zaporozhyeoblenergo, Dneproenergo and the Dnieper Electric Power System did not escape infection. In Ukraine, the virus penetrated government computers, PCs of the Kyiv metro, telecom operators and even the Chernobyl nuclear power plant. In Russia, Mondelez International, Mars and Nivea were affected.

The Petya virus exploits the EternalBlue vulnerability in the Windows operating system. Symantec and F-Secure experts say that although Petya encrypts data like WannaCry, it is somewhat different from other types of ransomware. "The Petya virus is a new kind of extortion with malicious intent: it does not just encrypt files on the disk but locks the entire disk, making it practically unusable," F-Secure explains. “Specifically, it encrypts the MFT, the master file table.”

How does this happen and can this process be prevented?

Virus "Petya" - how does it work?

The Petya virus is also known by other names: Petya.A, PetrWrap, NotPetya, ExPetr. Once on the computer, it downloads the ransomware from the Internet and tries to infect the part of the hard drive that holds the data needed to boot the computer. If it succeeds, the system shows a Blue Screen of Death. After the reboot, a message appears about a hard disk check, asking you not to turn off the power. The ransomware thus pretends to be the system disk-check program while encrypting files with certain extensions. At the end of the process, a message appears saying that the computer is locked, with information on how to obtain a digital key to decrypt the data. The Petya virus demands a ransom, usually in Bitcoin. If the victim has no backup of their files, they face the choice of paying $300 or losing all their information. According to some analysts, the virus is only masquerading as ransomware, while its true goal is to cause massive damage.

How to get rid of Petya?

Experts have discovered that the Petya virus looks for a local file and, if the file already exists on disk, exits the encryption process. This means that users can protect their computer from the ransomware by creating this file and making it read-only.

Although this trick prevents the ransomware process from starting, the method is better thought of as a “computer vaccination” than a cure. The user has to create the file themselves, as follows:

  • First you need to be able to see file extensions. In the Folder Options window, make sure that the “Hide extensions for known file types” checkbox is unchecked.
  • Open the C:\Windows folder and scroll down until you see the notepad.exe program.
  • Left-click notepad.exe, then press Ctrl + C to copy and Ctrl + V to paste the file. You will be asked for permission to copy the file.
  • Click the Continue button and the file will be created as “notepad - Copy.exe”. Left-click this file and press F2, then erase the file name and enter perfc.
  • After changing the file name to perfc, press Enter. Confirm the rename.
  • Now that the perfc file has been created, it needs to be made read-only. Right-click the file and select “Properties”.
  • The properties window for this file will open. At the bottom you will see “Read-only”. Check the box.
  • Now click the Apply button and then the OK button.

Some security experts suggest also creating the files C:\Windows\perfc.dat and C:\Windows\perfc.dll in addition to C:\Windows\perfc, for more thorough protection against the Petya virus. You can repeat the above steps for these files.
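The manual “vaccination” steps above, carried out with PowerShell, as an added example that is not part of the original article. It creates the three file names the article mentions under %SystemRoot% (normally C:\Windows) and marks them read-only; it assumes an elevated session, and that an empty file is sufficient, since the article only states that the file has to exist and be read-only.

```powershell
#Requires -RunAsAdministrator

# The file names from the article, resolved against the real Windows directory.
$vaccineFiles = @('perfc', 'perfc.dat', 'perfc.dll') |
    ForEach-Object { Join-Path -Path $env:SystemRoot -ChildPath $_ }

foreach ($path in $vaccineFiles) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Assumption: presence of the name is what matters, so an empty file is created
        # instead of a renamed copy of notepad.exe.
        New-Item -ItemType File -Path $path | Out-Null
    }
    # Same effect as ticking "Read-only" in the file's Properties dialog.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
}

# Verify: every file must exist and report ReadOnly=True.
foreach ($path in $vaccineFiles) {
    $item = Get-Item -LiteralPath $path
    '{0,-12} ReadOnly={1}' -f $item.Name, $item.IsReadOnly
}
```

This only covers the local-file check the article describes; it does not replace installing the Windows updates and disabling SMBv1 as recommended earlier on this page.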

Congratulations, your computer is protected from NotPetya/Petya!

Symantec experts offer some advice to PC users to help them avoid actions that could result in locked files or lost money.

  1. Don't pay money to criminals. Even if you pay the ransom, there is no guarantee that you will regain access to your files. And in the case of NotPetya/Petya, paying is essentially meaningless, because the goal of the ransomware is to destroy data, not to get money.
  2. Make sure you back up your data regularly. Then, even if your PC becomes the target of a ransomware attack, you will be able to recover any lost files.
  3. Do not open emails from dubious addresses. Attackers will try to trick you into installing malware or try to obtain data they can use for further attacks. Be sure to inform IT staff if you or your employees receive suspicious emails or links.
  4. Use reliable software. Timely updating of antivirus software plays an important role in protecting computers from infection. And, of course, use products from reputable companies in this field.
  5. Use mechanisms to scan and block spam. Incoming emails should be scanned for threats. It is important to flag any messages that contain links or keywords typical of phishing.
  6. Make sure all programs are up to date. Regular patching of software vulnerabilities is necessary to prevent infections.

Should we expect new attacks?

The Petya virus first appeared in March 2016, and security specialists immediately noticed its behavior. The new Petya hit computers in Ukraine and Russia at the end of June 2017. But this is unlikely to be the end. Hacker attacks using ransomware similar to Petya and WannaCry will be repeated, said Stanislav Kuznetsov, deputy chairman of the board of Sberbank. In an interview with TASS, he warned that such attacks will definitely happen, but that it is difficult to predict in advance in what form they may appear.

If, after all the cyber attacks that have happened, you have not yet taken at least the minimum steps to protect your computer from a ransomware virus, then it is time to get serious about it.

Viruses are an integral part of the operating system ecosystem. In most cases we are talking about Windows and Android, and, if you are really unlucky, about OS X and Linux. Moreover, whereas mass viruses used to aim only at stealing personal data, or in most cases simply at damaging files, now encryptors “rule the roost.”


And this is not surprising: the computing power of both PCs and smartphones has grown like an avalanche, which means the hardware for such “pranks” is becoming more and more powerful.

Some time ago, experts discovered the Petya virus. G DATA SecurityLabs found that the virus requires administrative access to the system and that it does not encrypt files, but only blocks access to them. Today, remedies for Petya (Win32.Trojan-Ransom.Petya.A) already exist. The virus itself modifies the boot record on the system drive and crashes the computer, displaying a message about data corruption on the disk. In fact, this is just encryption.

The malware developers demanded payment to restore access.


However, today, in addition to the Petya virus, an even more sophisticated one has appeared: Misha. It does not need administrative rights and encrypts data like classic ransomware, creating YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT files on the disk or in the folder with the encrypted data. They contain instructions on how to obtain the key, which costs approximately $875.

It is important to note that infection occurs through email, which delivers an exe file carrying the virus, masquerading as a PDF document. So it bears repeating: carefully check letters with attached files, and try not to download documents from the Internet, since a virus or malicious macro can now be embedded in a doc file or a web page.

We also note that so far there are no utilities to decipher the “work” of the Misha virus.


