{
	"id": "6adc3cee-ac0f-41cd-a228-fae78abaf00f",
	"created_at": "2026-04-06T00:14:35.787306Z",
	"updated_at": "2026-04-10T03:20:00.91946Z",
	"deleted_at": null,
	"sha1_hash": "5d36ff49540bdecbfd8208a9ffb3ad43b7742afe",
	"title": "Inside Petya and Mischa ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 840978,
	"plain_text": "Inside Petya and Mischa ransomware\r\nBy Threat Intelligence Team 20 Sep 2016\r\nArchived: 2026-04-05 21:17:08 UTC\r\nThe Avast Threat Intelligence team takes a deeper look into the double ransomware, Petya and Mischa.\r\nPetya and Mischa ransomware come as a package deal, distributed by their creator, Janus. They are very unusual in that they combine two different methods to encrypt user data. Unlike most other ransomware, Petya primarily targets the MBR (Master Boot Record) and the MFT (Master File Table). If Petya has insufficient privileges to access the MBR on the HDD (Hard Disk Drive), the Mischa module is deployed instead and encrypts files one by one.\r\nThe first version of Petya was only able to encrypt the MBR and MFT sectors. This version of Petya used red for its logo, font, etc. The authors have since changed the color to green and added the Mischa module in the second and third versions of Petya.\r\nDuring development, the authors made mistakes when implementing the Salsa20 encryption algorithm, which enabled retrospective file decryption via genetic algorithms or brute force, without paying a ransom fee.\r\nhttps://blog.avast.com/inside-petya-and-mischa-ransomware\r\nPage 1 of 19\n\n
The latest Petya MBR loader implementation has been fixed, and the previous methods that could be used for decryption no longer work.\r\nPetya and Mischa can also work offline, meaning they don’t need to communicate back to their C\u0026C servers, something most other ransomware needs to do in order to download the encryption key.\r\nThe names of the modules, Petya and Mischa, and the creator's nickname, Janus, were inspired by the James Bond film “Goldeneye.”\r\nLet's look at some interesting features of this double ransomware:\r\nFake email\r\nThis ransomware is primarily spread via spam email campaigns, using different variations with different types of attachments (.zip, .pif, .pdf.exe, ...) or links to various online storage services. The fake emails look like job applications, job offers, legal proceedings, and the like. The ransomware doesn’t use any sophisticated methods or exploit kits to infect devices; it relies purely on the user running the malicious attachment.\r\nDropper\r\nWhen we analyzed Petya, the dropper posed as a Machine Debug Manager* and included the original compilation date, as well as fragments of the original Machine Debug Manager binary. 
It also imported a lot of unnecessary API functions.\r\n* Machine Debug Manager, Mdm.exe, is a program that is installed with the Microsoft Script Editor to provide support for program debugging.\r\nThe dropper is simple and doesn’t contain any anti-debugging tricks, but it is very heavily obfuscated with a ton of junk code instructions and also uses self-modifying code.\r\nObfuscated code before modification:\r\nAnd after SMC (self-modifying code):\r\nThe dropper includes the XORed payload, which contains Petya’s bootloader and the Mischa module.\r\nPayload\r\nThe payload is a DLL file named “Setup.dll” with the telltale export “_ZuWQdweafdsg345312@0” and a section named “.xxxx” in the PE header. This section contains the encrypted modules.\r\nIn the first step, the Petya bootloader and the Mischa module are decrypted using a simple 1-byte XOR algorithm.\r\nIn the next step, the payload checks which privileges it has via the GetTokenInformation API function and decides which module will be deployed.\r\nA random encryption key is generated via the CryptGenRandom API function from the Windows CryptoAPI library. This key is encrypted and represented as a Base58 encoded string. This atypical encoding with the Bitcoin alphabet is used in other modules too.\r\nA small structure with the user’s OS identification (red) and the user’s installed AV product (orange) is appended to the end of the encoded key (green). As you can see, the authors left several free slots (purple), probably for future use.\r\nThe OS version verification is performed using an interesting method via the API functions VerSetConditionMask and VerifyVersionInfoW. 
This method ensures compatibility on Windows 8.1 and higher, where the GetVersion(Ex) API function is deprecated and no longer reports the real version to unmanifested programs.\r\nEach OS version is represented by an ASCII character from the Base58 alphabet.\r\nHex ASCII Windows version\r\n0x44 D Windows 10\r\n0x43 C Windows 8.1 or Windows Server 2012 R2\r\n0x42 B Windows 8 or Windows Server 2012\r\n0x41 A Windows 7 SP1 or Windows Server 2008 R2 SP1\r\n0x39 9 Windows 7 or Windows Server 2008 R2 (without Service Pack)\r\n0x38 8 Windows Vista SP2 or Windows Server 2008 SP2\r\n0x37 7 Windows Vista SP1 or Windows Server 2008 SP1\r\n0x36 6 Windows Vista or Windows Server 2008 (without Service Pack)\r\n0x35 5 Windows XP SP3\r\n0x34 4 Windows XP SP2\r\n0x33 3 Windows XP SP1\r\n0x32 2 Older version\r\nThe verification of the installed AV product is done by searching for folder names inside “Program Files” or “Program Files (x86)” and comparing the results with a hardcoded list. 
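An added example, not Petya's code, that ties the two lookups together: it Base58-encodes a random key with the Bitcoin alphabet and appends the OS character from the table above and the AV character from the table below, the way the dropper builds its identifier, and parses the result back out, which is the check an analyst wants when pulling a victim ID out of a sample or a ransom note. Assumptions, also marked in the comments: the key goes into Base58 as-is (the post says it is encrypted first without describing how), the OS check is modelled as a newest-first chain of greater-or-equal comparisons, which is how a chain of VerifyVersionInfoW tests behaves, the AV directories are probed in table order with the first hit winning, and the reserved slots are left out.

```python
import os
import secrets
import tempfile

# Bitcoin Base58 alphabet (no 0, O, I, l), the encoding the dropper uses.
BASE58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'

# OS table from the post as (major, minor, service pack, character), newest first.
# Assumption: modelled as VerifyVersionInfoW(VER_GREATER_EQUAL) tests walked newest
# to oldest; the post only gives the resulting characters, not the comparison order.
OS_TABLE = [
    (10, 0, 0, 'D'), (6, 3, 0, 'C'), (6, 2, 0, 'B'), (6, 1, 1, 'A'), (6, 1, 0, '9'),
    (6, 0, 2, '8'), (6, 0, 1, '7'), (6, 0, 0, '6'), (5, 1, 3, '5'), (5, 1, 2, '4'),
    (5, 1, 1, '3'),
]
OS_OLDER = '2'

# AV directory table from the post. Assumption: probed in this order, first hit wins.
AV_DIRS = [
    ('AhnLab', '2'), ('AVAST Software', '3'), ('AVG', '4'), ('Avira', '5'),
    ('Bitdefender', '6'), ('BullGuard Ltd', '7'), ('CheckPoint', '8'), ('COMODO', '9'),
    ('ESET', 'A'), ('F-Secure', 'B'), ('G DATA', 'C'), ('K7 Computing', 'D'),
    ('Kaspersky Lab', 'E'), ('Malwarebytes Anti-Malware', 'F'), ('McAfee', 'G'),
    ('McAfee.com', 'H'), ('Microsoft Security Client', 'J'), ('Norman', 'K'),
    ('Panda Security', 'L'), ('Quick Heal', 'M'), ('Spybot - Search & Destroy 2', 'N'),
    ('Spybot - Search & Destroy', 'P'), ('Norton Security with Backup', 'Q'),
    ('Norton Security', 'R'), ('NortonInstaller', 'S'), ('VIPRE', 'T'), ('Trend Micro', 'U'),
]
AV_NONE = '1'


def base58_encode(data):
    # Big-endian integer to Base58; each leading zero byte becomes a leading '1'.
    pad = 0
    for b in data:
        if b != 0:
            break
        pad += 1
    n = int.from_bytes(data, 'big')
    out = ''
    while n > 0:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    return '1' * pad + out


def base58_decode(text):
    # Inverse of base58_encode; raises ValueError on characters outside the alphabet.
    pad = len(text) - len(text.lstrip('1'))
    n = 0
    for ch in text:
        n = n * 58 + BASE58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes(pad) + body


def os_char(major, minor, service_pack):
    # First table entry the running version is greater than or equal to.
    for maj, mnr, sp, ch in OS_TABLE:
        if (major, minor, service_pack) >= (maj, mnr, sp):
            return ch
    return OS_OLDER


def av_char(program_files_roots):
    # Mirrors GetFileAttributesA followed by a FILE_ATTRIBUTE_DIRECTORY test.
    for root in program_files_roots:
        for dirname, ch in AV_DIRS:
            if os.path.isdir(os.path.join(root, dirname)):
                return ch
    return AV_NONE


def build_identifier(key, major, minor, service_pack, program_files_roots):
    # Encoded key, then one OS character and one AV character. Assumption: the key
    # is encoded as-is; the post says it is encrypted first but does not say how.
    return base58_encode(key) + os_char(major, minor, service_pack) + av_char(program_files_roots)


def parse_identifier(identifier):
    # Split an identifier back into (key bytes, OS character, AV character).
    return base58_decode(identifier[:-2]), identifier[-2], identifier[-1]


def demo():
    # Constructed sample: a fake Program Files tree with one AV directory, on a
    # host reporting Windows 7 SP1 (6.1 SP1), and a random 16-byte key.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, 'AVAST Software'))
        key = secrets.token_bytes(16)
        identifier = build_identifier(key, 6, 1, 1, [root])
    return key, identifier


if __name__ == '__main__':
    k, ident = demo()
    print(k.hex(), ident, parse_identifier(ident)[1:])
```

Run it and the identifier ends in ‘A3’: Windows 7 SP1 and the AVAST Software directory. The two trailing characters are a fixed-width tail, so an analyst can peel them off a victim ID before decoding the key part; note that parse_identifier does not itself check that the tail characters are in the Base58 alphabet, which the dropper never needs but a parser of untrusted input would want.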
The payload stores the value “1” if nothing is found, or adds the character from the Base58 alphabet that corresponds to the AV product that was found. (0x49 “I” and 0x4F “O” are skipped because they are not part of the Base58 alphabet.)\r\nTable of AV products:\r\nHex ASCII AV product directory string\r\n0x31 1 nothing found\r\n0x32 2 AhnLab\r\n0x33 3 AVAST Software\r\n0x34 4 AVG\r\n0x35 5 Avira\r\n0x36 6 Bitdefender\r\n0x37 7 BullGuard Ltd\r\n0x38 8 CheckPoint\r\n0x39 9 COMODO\r\n0x41 A ESET\r\n0x42 B F-Secure\r\n0x43 C G DATA\r\n0x44 D K7 Computing\r\n0x45 E Kaspersky Lab\r\n0x46 F Malwarebytes Anti-Malware\r\n0x47 G McAfee\r\n0x48 H McAfee.com\r\n0x4A J Microsoft Security Client\r\n0x4B K Norman\r\n0x4C L Panda Security\r\n0x4D M Quick Heal\r\n0x4E N Spybot - Search \u0026 Destroy 2\r\n0x50 P Spybot - Search \u0026 Destroy\r\n0x51 Q Norton Security with Backup\r\n0x52 R Norton Security\r\n0x53 S NortonInstaller\r\n0x54 T VIPRE\r\n0x55 U Trend Micro\r\nThe folder search is carried out using the GetFileAttributesA API function, and the result is checked against the value 0x10 = FILE_ATTRIBUTE_DIRECTORY.\r\nThe next step is to select the correct .onion URL address and append part of the generated key to it.\r\nThe authors have been using the following TOR addresses for a long time:\r\nhxxp://petya3jxfp2f7g3i.onion/\r\nhxxp://petya3sen7dyko2n.onion/\r\nhxxp://mischapuk6hyrn72.onion/\r\nhxxp://mischa5xyix2mrhd.onion/\r\nNow everything is ready to run Petya for the MBR infection, or Mischa to encrypt the user’s files.\r\nPetya\r\nThe malware author behind Petya showed his or her art in the field of low-level programming, and his or her deep knowledge of MBR and MFT technologies in this module. 
Petya not only includes the bootloader, but also a micro kernel for MFT encryption. This process looks like the CHKDSK utility, but what it is actually doing is encrypting the MFT.\r\nPetya uses an atypical Salsa20 encryption. The authors had problems implementing the cipher correctly in previous versions, but they seem to have figured everything out now.\r\nOfficial source code:\r\nImplementation of the sigma constant inside Petya’s micro kernel:\r\nThe Petya code hasn’t changed since the last update in July, which makes us think the authors probably consider the code to be stable enough.\r\nRight after the bootloader and micro kernel are successfully written to the MBR, the ransomware rudely restarts the computer, without giving any warning, by calling the undocumented NtRaiseHardError API function with specifically selected parameters:\r\nHARD_ERROR_RESPONSE_OPTION = 0x06 (OptionShutdownSystem)\r\nNTSTATUS = 0xC0000350 (STATUS_HOST_DOWN)\r\nMischa\r\nMischa encrypts individual files based on their extensions, as most ransomware does. The version that we analyzed can encrypt 241 file types.\r\nMischa is able to encrypt data on all local drives, connected USB drives and remote drives. 
For drive enumeration it uses the GetLogicalDriveStringsA and GetDriveTypeA API functions.\r\nMischa skips the following directories, because it also encrypts EXE and DLL files:\r\nMischa is injected into one of the running system processes (explorer.exe, taskhost.exe, conhost.exe, etc.), so the entire encryption process is less noticeable and the malicious process can better evade some behavioral detection systems.\r\nMischa uses the open-source ReflectiveLoader code for this purpose.\r\nOfficial source code:\r\nImplementation inside Mischa:\r\nThe file encryption is based on an XOR operation in CBC (Cipher Block Chaining) style, using a randomly generated key (the initial vector for the CBC chain) and the previously generated master key, in its decrypted form.\r\nLike most other ransomware, Mischa also saves help files (txt and html) in each folder along with the encrypted files. The file extension of the encrypted files is the same as the identification string in the .onion URL. The help files aren’t obfuscated.\r\nWe found a bug on Windows XP, where Mischa encrypted important system files and the entire system became unusable.\r\nThis error (error code 0x80070002 = ERROR_FILE_NOT_FOUND) occurs before logging into Windows, and if you click the “OK” button the message pops up again, causing a never-ending loop.\r\nRansomware as a service\r\nThe authors also offer their services as an affiliate program. 
If Janus earns a profit of more than 125 BTC, they pay the distributor 85% of the profit, which could be very attractive to other cybercriminals or even to employees of big companies.\r\nAccording to discussions we read on their TOR pages, it is evident that attacks targeting large companies may not always come from the “outside”, but quite possibly and frequently are “insider jobs”. Janus’ offer of a large percentage of the profit made from attacks could entice employees within bigger companies to carry out the attack. Each affected PC has a unique decryption key, so a company would need to pay for each infected computer separately, which adds up to a lot of money...\r\nConclusion\r\nThe creators of Petya are very skilled programmers. The ransomware is written in a very clean form and is constantly being reviewed and improved. Over a relatively short time, the authors released several versions, added the Mischa module and fixed the bugs in the implementation of the encryption that previously made decryption without paying a ransom possible.\r\nAs you can see below, the authors also monitor what the AV industry is saying about their products, especially at security conferences.\r\nIt is unusual to see double ransomware, and we will see how Petya and Mischa evolve in the future...\r\nHow to stay safe\r\nAvast protects against ransomware such as Petya and Mischa. Compare security solutions on our website.\r\nAs always, don’t open suspicious attachments (e.g. 
zipped .js, .wsf or .vbs files)\r\nDisable Microsoft Office macros by default and never enable macros in strange/unknown attachments that you receive via email\r\nKeep recent backup copies of important data in a secure place, either online or offline\r\nEnsure that your system and applications are fully updated and patched\r\nSHA-256: EEFA052DA01C3FAA1D1F516DDFEFA8CEB8A5185BB9B5368142FFDF839AEA4506\r\nSource: https://blog.avast.com/inside-petya-and-mischa-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.avast.com/inside-petya-and-mischa-ransomware"
	],
	"report_names": [
		"inside-petya-and-mischa-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434475,
	"ts_updated_at": 1775791200,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d36ff49540bdecbfd8208a9ffb3ad43b7742afe.pdf",
		"text": "https://archive.orkl.eu/5d36ff49540bdecbfd8208a9ffb3ad43b7742afe.txt",
		"img": "https://archive.orkl.eu/5d36ff49540bdecbfd8208a9ffb3ad43b7742afe.jpg"
	}
}