A new twist on the Petya ransomware and how it now uses a backup ransomware attack.
Remember, Petya is a new type of ransomware that doesn’t encrypt specific files but makes the entire hard drive inaccessible by overwriting the master boot record. A new version of the Petya installer was released with a really "interesting" feature.
Up to now, the Petya installer required administrative privileges to launch. That meant that if someone clicked No at the UAC prompt, it didn't install, and no payload was delivered.
The criminal developers behind Petya did something clever though. They now have an installer that offers Petya and a backup "conventional" file-encrypting ransomware called Mischa. When the installer runs, it tries to install Petya first; if it does not get admin privileges, it falls back to the Mischa ransomware, which installs with standard user privileges, making this the first double-barrel ransomware attack.
Unlike Petya, the Mischa Ransomware is your standard garden variety ransomware that encrypts your files and then demands a ransom payment to get the decryption key. Currently the ransom payment for Mischa is set at 1.93 bitcoins or approximately $875 USD.
The Attack Vector: Phishing
The installer for Petya/Mischa is distributed via phishing emails containing what appear to be job applications. These emails contain a link to a cloud storage service that contains an image of the supposed applicant and a downloadable executable that looks like a PDF. Once the executable is downloaded, it will have a PDF icon to make it appear as a PDF resume. This executable, though, when started tries to install Petya, and if that fails, installs the Mischa Ransomware.
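A defender-side triage helper for the lure described above, added here as an example and not code from the original post or from Bleeping Computer: it classifies files by their header bytes rather than by name or icon, and flags an executable that carries a document name or a double extension such as resume.pdf.exe. The sample files it creates are constructed for the demonstration.

```python
import os
import tempfile

PE_MAGIC = b"MZ"        # DOS/PE header every Windows executable starts with
PDF_MAGIC = b"%PDF-"    # header of a genuine PDF
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com"}


def classify(path):
    """Return 'pdf', 'pe' or 'other' based on the file content, not its name."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "other"


def is_suspicious(path):
    """Flag a document-named file whose bytes are a PE, or a double extension
    (document extension immediately followed by an executable extension)."""
    name = os.path.basename(path).lower()
    root, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(root)[1]
    double_ext = ext in EXEC_EXTENSIONS and inner_ext in DOC_EXTENSIONS
    header_mismatch = ext in DOC_EXTENSIONS and classify(path) == "pe"
    return double_ext or header_mismatch


def scan_dir(directory):
    """Return the sorted names of suspicious files in a download folder."""
    return sorted(n for n in os.listdir(directory)
                  if is_suspicious(os.path.join(directory, n)))


def build_sample_dir():
    """Constructed sample folder: a real PDF, a PE renamed to .pdf (the resume lure),
    a double-extension PE, and an executable that is honestly named."""
    d = tempfile.mkdtemp()
    samples = {
        "cover_letter.pdf": b"%PDF-1.4 constructed sample",
        "resume.pdf": b"MZ\x90\x00 constructed PE stub",
        "application.pdf.exe": b"MZ\x90\x00 constructed PE stub",
        "notepad.exe": b"MZ\x90\x00 constructed PE stub",
    }
    for n, data in samples.items():
        with open(os.path.join(d, n), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    print(scan_dir(build_sample_dir()))  # ['application.pdf.exe', 'resume.pdf']
```

On Windows, "Hide extensions for known file types" is what lets the PDF icon carry the lure; the header check above does not depend on that setting.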
Mischa then scans the computer for data files and encrypts them with the AES algorithm and adds an extension to the file name. This ransomware not only encrypts standard file types like PNGs, DOCXs, etc. but also goes after .EXE files.
Right now there is no known free decryption available for Petya/Mischa. It is possible however to restore older versions of the encrypted files provided that Shadow Volume Copies remain intact. Head to this Locky guide to find out how you can do that.
Hat tip to Larry Abrams at Bleeping Computer, who alerted me to this nasty new flavor. Their full post is here, with much more detail and screenshots.
Get the most informative and complete hostage rescue manual on Ransomware. This 20-page manual (PDF) is packed with actionable info that you need to prevent infections, and what to do when you are hit with malware like this. You also get a Ransomware Attack Response Checklist and Prevention Checklist. (Updated March 2016)