Light Dark
May 16, 2016 By Larry Loeb 2 min read

Petya is a ransomware that always did things differently than run-of-the-mill exploits. It didn’t encrypt the files on a hard disk, but rather encrypted the entire hard disk.

To do that, it had to escalate its privileges to the administrative level. If this ploy failed, the ransomware would just shut itself down without performing any malicious action. However, that has now changed.

A New Payload for Petya

The ransomware’s developers decided to bundle another program with it, and it functions quite differently. The additional payload, called Mischa, is a fairly standard ransomware effort: It does not try to encrypt the entire hard disk as Petya does, so it does not require administrative access. It just encrypts all files and promises to decrypt them for money.

Bleeping Computer reported that the installer trail first shows up with an email pretending to be a job application. The email itself is not dangerous, but it contains a malicious link.

That directs users to a cloud storage site, where the victim is prompted to download an executable file that starts with PDF. If the file is indeed downloaded, it first tries to install Petya by corrupting the master boot records. Should that fail, the same file will install Mischa.

Mischa Does Things Differently

Mischa scans the target disk and looks for data files. It will then encrypt them using the AES encryption algorithm, adding a four-character extension to the file name. The decryption key is stored at the end of the encrypted file.

Petya and Mischa are part of a new ransomware-as-a-service (RaaS) platform. Tech Republic reported that the intent is for other cybercriminals to distribute the malware package. Should victims make a payment, the money is split between the coder and distributors.

This RaaS effort highlights a disturbing development in ransomware: Cybercriminals are teaming up to make money in inventive ways, and a wide skill set is no longer needed to cash in. The new dual-payload package shows how vigilance, as well as up-to-date backups, are needed to avoid disaster.

 |  | 
Larry Loeb
Principal, PBC Enterprises

More from

July 26, 2024

test img

8 min read - What is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and…

July 26, 2024

img test

7 min read - test imgWhat is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature