Network Solutions Unlimited Blog

Network Solutions Unlimited has been serving the Decatur area since 2013, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

For This Ransomware, “Yes or No” Really Means “Yes or Yes”

The ransomware Petya (previously thought to have been eradicated) has unfortunately resurfaced, and it’s brought a friend to the party. Petya was delivered via an email containing an invitation to apply for a job, including the virus in an executable file that was disguised as a PDF job resume. When a hapless user clicked the file, Petya would get to work.

The original version of the ransomware operated by restricting access to the master boot record, allowing access only to a dark web payment portal that may (or may not) fix the problem. Since Petya required administrative privileges to do so, a savvy user could render it useless by denying them. Unfortunately, its developers have come up with an unpleasant way to work around this Achilles heel.

The malware now comes bundled together with a second ransomware program, a more traditionally operating one known as Mischa. Mischa blocks access to files until the user pays a ransom, providing the user with links to TOR payment sites and authentication codes to utilize there as well. The kicker is, Mischa also encrypts executable files, leaving the Windows folder and browser folders untouched. Once the computer has been sufficiently infected, Mischa leaves two files for the user with their payment instructions.

Just as when Petya was originally distributed, an email is delivered containing a file appearing to be a job application, which would ask to run an .exe file. Selecting “yes” will download Petya, and selecting “no” used to foil the attack. Not anymore - now selecting “no” will install Mischa.
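As an added illustration (not code from the original post), an executable passed off as a PDF resume can be caught before anyone clicks it by comparing an attachment's name with its first bytes. The post does not say how the file was disguised, so the double-extension check, the extension lists and the sample files below are assumptions.

```python
import os

# Extensions Windows runs directly on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions a job application would plausibly carry (assumption).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf"}


def inspect_attachment(filename, data):
    """Return the reasons an attachment looks like a disguised executable."""
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)
    # Extension hidden behind the real one, ignoring padding spaces.
    inner_ext = os.path.splitext(stem.rstrip())[1]
    is_pe = data[:2] == b"MZ"            # DOS/PE header of Windows executables
    is_pdf = data.startswith(b"%PDF-")   # strict check: header at offset 0

    findings = []
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        findings.append("double-extension")
    if is_pe and ext in DOCUMENT_EXTS:
        findings.append("pe-content-under-document-name")
    elif ext == ".pdf" and not is_pdf:
        findings.append("pdf-name-without-pdf-header")
    if is_pe and ext in EXECUTABLE_EXTS and not findings:
        findings.append("plain-executable")
    return findings


def quarantine_list(attachments):
    """Map each suspicious filename to its findings; clean files are omitted."""
    flagged = {}
    for filename, data in attachments:
        findings = inspect_attachment(filename, data)
        if findings:
            flagged[filename] = findings
    return flagged


# Constructed sample attachments (names and bytes invented for this example).
SAMPLES = [
    ("Application_Resume.pdf.exe", b"MZ\x90\x00\x03\x00"),
    ("CV_Smith.pdf", b"MZ\x90\x00\x03\x00"),
    ("CV_Jones.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("installer.exe", b"MZ\x90\x00\x03\x00"),
]

if __name__ == "__main__":
    for name, reasons in quarantine_list(SAMPLES).items():
        print(f"{name}: {', '.join(reasons)}")
```

Checking content as well as the name matters because a file can carry a document extension and still begin with an executable header.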

The payment site for Mischa works in a very similar manner to Petya’s. After inputting the authentication code, the user is ordered to purchase enough Bitcoins to pay the ransom, currently set to the rough equivalent of $875. The user is then provided with the Bitcoin address where they are to send the ransom.

Unlike Petya, there is no known way to recover files affected by Mischa without paying the Bitcoin ransom, but there are tools available online to remove the virus.

However, also to be found online are the rumblings of upcoming copycats of Petya and Mischa. Malwarebytes.com posted a threat analysis of another dual-horned ransomware called Satana. Just like the Petya and Mischa bundle, Satana has the capability to lock the master boot record and the complete file record. The main difference is, while Petya and Mischa would only run one of the two malware options depending on the user’s actions, Satana goes right ahead and runs both, sequentially.

While Malwarebytes reports that Satana is currently flawed and appears to still be in the early stages of development, this news is still unsettling. Imagine how frustrating it would be to have no fighting chance after downloading a virus - and now consider that we could be approaching that point.

However, we will continue to monitor the situation and keep you in the loop with any updates that arise. Keep visiting the Network Solutions Unlimited blog to check in for the latest news and security updates.
