Mischa is distributed using malicious email attachments that are commonly delivered as fake job application forms.
When an infected email attachment is opened and administrator permission is given, Petya is installed. If, however, the user declines permission, Mischa ransomware is installed instead.
Unlike Petya (which locks computers), Mischa behaves like other regular ransomware. Mischa demands 1.9404 Bitcoin (~$882.88). Compared to other viruses, this ransom is quite large, since ransom sizes usually fluctuate between 0.5 and 1.5 Bitcoin. Unfortunately, there are currently no tools capable of decrypting files compromised by this ransomware. Therefore, victims can only restore their files/system from a backup.
Mischa then drops a text file that reads:
You became victim of the MISCHA RANSOMWARE!
The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at "hxxps://www.torproject.org/". If you need help, please google for "access onion page".
2. Visit one of the following pages with the Tor Browser:
hxxp://mischapuk6hyrn72.onion/cSAH2A
hxxp://mischa5xyix2mrhd.onion/cSAH2A
3. Enter your personal decryption code there:
dcSAH2A1hBYo7jv9mnsEd3JD9HN9wuxa73CoKaZRLQDLLCiFkB7MJfSpWAyD5QFbDef3ksUf7rttp