Petya ransomware is now double the trouble

The master boot record killer now can install a second file-encrypting program

The Petya ransomware now bundles a second file-encrypting program for cases where it cannot replace a computer's master boot record to encrypt its file table.

Petya is an unusual ransomware threat that first popped up on security researchers' radar in March. Instead of encrypting a user's files directly, it encrypts the master file table (MFT) used by NTFS disk partitions to hold information about file names, sizes and location on the physical disk.

Before encrypting the MFT, Petya replaces the computer's master boot record (MBR), which contains code that initiates the operating system's bootloader. Petya replaces it with its own malicious code that displays the ransom note and leaves computers unable to boot.

However, in order to overwrite the MBR after it infects a computer, the malware needs to obtain administrator privileges. It does so by asking users for access via the User Account Control (UAC) mechanism in Windows.

In previous versions, if Petya failed to obtain administrator privileges, it stopped the infection routine. However, in such a case, the latest variant installs another ransomware program, dubbed Mischa, that begins to encrypt users' files directly, an operation that doesn't require special privileges.

"There is nothing a ransomware developer hates more than leaving money on the table and this is exactly what was happening with Petya," said Lawrence Abrams, the founder of the tech support forum, in a blog post. "Unlike Petya, the Mischa Ransomware is your standard garden variety ransomware that encrypts your files and then demands a ransom payment to get the decryption key."

The ransom that Mischa currently asks is 1.93 bitcoins, or around US$875 -- higher than some similar ransomware programs.

Another thing that sets Mischa apart is that it encrypts executable (.EXE) files in addition to documents, pictures, videos and other user-generated files typically targeted by ransomware programs. This has the potential to leave installed programs and the OS in a non-functional state, making it harder to pay the ransom from the affected system.

The installer for the Petya-Mischa combo is distributed via spam emails that pose as job applications. These emails contain a link to an online file storage service that hosts a picture of the alleged applicant and a malicious executable file that masquerades as a PDF document.

If it's downloaded and executed, the fake PDF file first tries to install Petya and if that fails, it installs Mischa. Unlike Petya, for which a decryption tool is available, there is currently no known way to restore files encrypted by Mischa without paying the ransom.

Join the PC World newsletter!

Error: Please check your email address.

Tags securityransomeware attackersmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?