Mischa encrypts not only the infected PC but the entire Windows Network.
A new ransomware called “Mischa” has encrypted the entire network of a reported “large, well-known Austrian organization.” The claim was made on a security forum by a user who withheld the name of the organization, which he referred to as his “client.”
There are also indications that Switzerland is affected. As of now, these are the only two registered cases of infection. From the urgent analysis by security experts, it appears that Mischa ransomware encrypts not only the computer it infected but also spreads through the server and locks the entire network. This was the case with the anonymous Austrian organization, the first victim of this new ransomware threat. The organization responded quickly once the malware was detected and shut down the server. However, the encryption started again immediately after the server was restarted, leaving it to a bleak fate.
Security specialists were quick to point out that Mischa ransomware's ransom note (see the screenshot below) appears to be a twin of the one presented by Petya ransomware, and the two names suggest a common origin.
Mischa ransomware uses a new method that encrypts all files on the connected network shares. It uses a military-grade encryption algorithm and appends extensions such as .3P7m, .aRpt, .eQTz and 3Rnu to the files, which is particularly worrying for a reason few outside the security sphere will appreciate: up until now, victims have used the extension to find additional information about the ransomware they are facing.
By employing a confusing number of different extensions, Mischa may have found a way to block victims from finding help, at least partially. We can only hope that future ransomware will not take this lesson to heart.
The ransom note contains the following message:
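As an added defender-side example (not code from the report or any of its sources), the following Python flags files carrying the extensions named above or any similarly random-looking four-character extension, and raises an alert when many such files appear in one share directory within a short window, which is how a share being encrypted from a single infected host looks in a file listing. The sample listing, the allowlist and the thresholds are constructed assumptions, and ".3Rnu" is assumed to be the intended form of the dotless "3Rnu".

```python
import re
from collections import defaultdict

# Extensions quoted in the report (".3Rnu" assumed for the dotless "3Rnu").
MISCHA_EXTENSIONS = {".3p7m", ".arpt", ".eqtz", ".3rnu"}
# Legitimate four-character extensions that contain digits or upper case.
ALLOWLIST = {".docx", ".xlsx", ".pptx", ".json", ".html", ".jpeg", ".h264"}

def suspicious_extension(filename):
    """Known Mischa extension, or a random-looking four-character one
    (digits or mixed case): genuine extensions are almost always lowercase."""
    m = re.search(r"\.[A-Za-z0-9]{4}$", filename)
    if not m:
        return False
    ext = m.group(0)
    if ext.lower() in MISCHA_EXTENSIONS:
        return True
    if ext.lower() in ALLOWLIST:
        return False
    return any(c.isdigit() for c in ext) or ext != ext.lower()

def detect_bursts(listing, window=60, threshold=5):
    """listing: (path, mtime_seconds) pairs from a share walk. Returns
    {directory: count} where >= threshold suspicious files were written
    within any window-second span, the signature of a share being encrypted."""
    per_dir = defaultdict(list)
    for path, mtime in listing:
        if suspicious_extension(path):
            per_dir[path.replace("\\", "/").rsplit("/", 1)[0]].append(mtime)
    alerts = {}
    for directory, times in per_dir.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[directory] = best
    return alerts

# Constructed sample listing (not real telemetry): one share being encrypted.
SAMPLE_LISTING = [
    ("//fileserver/finance/q1.xlsx.3P7m", 1000),
    ("//fileserver/finance/q2.xlsx.aRpt", 1003),
    ("//fileserver/finance/budget.docx.eQTz", 1007),
    ("//fileserver/finance/notes.txt.3Rnu", 1010),
    ("//fileserver/finance/plan.pdf.kX9q", 1015),
    ("//fileserver/hr/report.pdf.zQ4v", 1110),
]
```

The mixed-case heuristic will produce false positives on unusual but legitimate extensions, so treat it as a trigger for investigation rather than an automatic block.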
You became victim of the MISCHA RANSOMWARE!
The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to
restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at “https:// www.torproject.org/”. If you need help, please google for “access onion page”.
2. Visit one of the following pages with the Tor Browser:
http:// mischapuk6hyrn7 2.onion/3P7mas
http:// mis cha5xyix2mrhd.onion/3P7mas
3. Enter your personal decryption code there:
The Austrian victim reported that Mischa ransomware was delivered by an email from a German domain (@maills.de), disguised as a job application, with a link to a file in the German Magenta Cloud (magentacloud.de/share/…). The Swiss organization received the same email. The email was opened by an employee of the Central, after which the entire network was encrypted.
Security experts are still investigating these two attacks in order to analyze the malicious script. A detailed report will be released once the analysis is complete. The origin of the ransomware has so far been traced to Russia.
The initial suspicion is that Mischa is an entirely new type of ransomware. This has not yet been confirmed, as there is still not enough evidence or analysis to point either way.
The next few days will likely shed more light on the situation.