Last week we reported on a new type of ransomware affecting businesses and individuals. It’s called Petya and, unlike ordinary ransomware, it has the ability to encrypt an entire hard drive - not just individual files - making a victim’s computer unusable until a ransom is paid. However, Petya had a flaw. In order for Petya to take control of a hard drive, it had to be granted administrative privileges. If the victim does not allow access, the installation of Petya is cancelled and the files are not encrypted.
To get around this flaw, the hackers who created Petya have paired it with another piece of malware. If a user rejects access, instead of cancelling the installation of Petya, the malware installs a different type of ransomware called Mischa. Mischa piggybacks on Petya in order to ensure that hackers get their payday.
Unlike Petya, Mischa is a normal type of ransomware that only encrypts files. Currently, the cost to purchase the decryption key is 1.93 bitcoins or $875, according to bleepingcomputer.com.
This malware is still being distributed via fake job applications, usually sent to HR departments. The malicious email will contain a link to a cloud storage service such as Dropbox or MagentaCloud, and it will contain an image of the “job applicant.” The executable file that installs the ransomware will look like a PDF with a name similar to PDFBewerbungsmappe.exe.
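The naming trick described above can be checked for at a mail gateway or web proxy. The following is an added example, not code from the original article or from any vendor: it flags executables whose names imitate a document, and it goes slightly beyond the article by also catching double extensions and space-padded extensions. The function names, the extension lists and all sample names except PDFBewerbungsmappe.exe are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions Windows runs directly (illustrative set, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# Document and image types a lure name pretends to be.
DOC_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png"}
# Split a name into words at separators and case changes: PDFBewerbung -> PDF, Bewerbung.
# Matching whole words keeps names such as docker.exe from matching "doc".
WORDS = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+")


def lure_reasons(filename):
    """Return why an executable's name imitates a document; [] if it does not."""
    name = PureWindowsPath(filename).name
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.strip().lower() not in EXECUTABLE_EXTS:
        return []  # only executables are of interest here
    reasons = []
    if stem != stem.rstrip():
        reasons.append("padded-extension")  # spaces push ".exe" out of view
    inner = stem.rstrip().rpartition(".")[2].lower() if "." in stem else ""
    if inner in DOC_TOKENS:
        reasons.append("double-extension")  # e.g. Lebenslauf.pdf.exe
    elif any(w.lower() in DOC_TOKENS for w in WORDS.findall(stem)):
        reasons.append("document-token-in-name")  # e.g. PDFBewerbungsmappe.exe
    return reasons


def triage(filenames):
    """Map each suspicious file name to its reasons, dropping clean names."""
    scored = {f: lure_reasons(f) for f in filenames}
    return {f: r for f, r in scored.items() if r}


# Constructed sample names, as they might appear in a mail-gateway or proxy log.
# Only PDFBewerbungsmappe.exe comes from the article; the rest are made up.
SAMPLES = [
    "PDFBewerbungsmappe.exe",
    "Lebenslauf.pdf.exe",
    "cv.pdf      .exe",
    "docker.exe",
    "Bewerbung.pdf",
    r"C:\Users\hr\Downloads\Foto_JPG.scr",
]

if __name__ == "__main__":
    for name, why in triage(SAMPLES).items():
        print(f"{name!r}: {', '.join(why)}")
```

This is a naming heuristic only; a name that passes it says nothing about the file's content, so it belongs alongside content inspection and executable blocking, not in place of them.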
Once the file is clicked, Petya will be installed, and if that fails due to lack of administrative privileges, Mischa will be installed instead. There’s no getting out of it for victims. Mischa is especially annoying because in addition to encrypting run-of-the-mill files like JPEGs, PDFs, PNGs, etc., it will also encrypt .EXE files, taking away the ability to launch executable files.
Petya is bad on its own, and now its developers have found a way to make it even worse. As we reported last week, hackers are clearly outpacing IT pros and security researchers when it comes to protecting businesses and organizations from the recent surge of ransomware.