
Mich78 Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 18
First Seen: July 19, 2017
Last Seen: February 19, 2023
OS(es) Affected: Windows

The Mich78 Ransomware is an encryption ransomware Trojan that was first observed on July 18, 2017. PC security analysts have analyzed the Mich78 Ransomware and do not suspect it of belonging to a larger family of ransomware, such as EDA2 or HiddenTear. Its characteristics seem to indicate that it is an independent project by an unknown threat developer. PC security researchers have not determined whether there is a clear distribution campaign associated with the Mich78 Ransomware, but attacks seem to target Europe and North and South America. The Mich78 Ransomware uses a strong encryption algorithm to make the victim's files inaccessible and then demands that the victim write an email to the con artists in exchange for the decryption key necessary to decipher the affected files. This tactic is quite common and has been observed countless times in other ransomware Trojans.

How a Mich78 Ransomware Attack Works

The Mich78 Ransomware is most likely delivered to victims through corrupted spam email messages. It arrives as a spam email attachment, which uses corrupted macro scripts to download and install the Mich78 Ransomware on the victim's PC. The Mich78 Ransomware will then encrypt the victim's files and display a ransom note (usually by dropping it on the infected computer's Desktop) demanding that the victim pay a large ransom to recover the affected files.

The Mich78 Ransomware Scrambles the File Names

There is very little to differentiate the Mich78 Ransomware from the countless other ransomware Trojans that are currently active in the wild. During its attack, the Mich78 Ransomware will target a wide variety of media files, as well as numerous user-generated files ranging from databases to Microsoft Office documents. The Mich78 Ransomware will look for files smaller than 50 MB, probably as a way to make the encryption process faster. The Mich78 Ransomware will encrypt files on local drives, as well as on removable devices linked to the affected computer and directories shared on a network. The Mich78 Ransomware will rename the affected files by scrambling each file's name using an encryption algorithm and adding the string '[]' as a file extension to the end of the affected files' names. PC security researchers have uncovered various other email accounts associated with this attack.

How the Mich78 Ransomware Demands Its Ransom Payment

The Mich78 Ransomware will display a ransom note after encrypting the victim's files. This ransom note takes the form of a text file named 'Instruction for file recovery.txt' or 'recovery.txt'. The text of the Mich78 Ransomware ransom note reads:

'Your files are now encrypted!
Your personal ID :
What happened?
Your important documents, databases, documents, network folders are encrypted for your PC security problems.
No data from your computer has been stolen or deleted.
Follow the instructions to restore the files.
How to get the automatic decryptor:
1) Contact us by e-mail: In the letter, indicate your personal identifier (look at the beginning of this document) and the external ip-address of the computer on which the encrypted files are located.
2) After answering your request, our operator will give you further instructions that will show what to do next (the answer you will receive as soon as possible)
** Second email address
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10 Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc)..'

The Mich78 Ransomware ransom note also includes information on how to purchase BitCoins and establish an anonymous connection to pay the ransom. This characteristic has been observed in other similar ransomware Trojans. Keeping file backups protects against the Mich78 Ransomware and other attacks of this type, and removes the need to pay the ransom if an attack occurs.
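The two ransom note file names and the note's opening lines quoted above can serve as a triage indicator when sweeping a drive or network share. The following is an added example, not code from this page or from any vendor tool; the size limit, the function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Note file names and opening phrases as quoted on this page.
NOTE_NAMES = {"instruction for file recovery.txt", "recovery.txt"}
NOTE_MARKERS = ("your files are now encrypted!", "your personal id")
MAX_NOTE_BYTES = 64 * 1024  # assumption: a ransom note is a small text file


def looks_like_note(path: Path) -> bool:
    """True only when the file name AND the text match the quoted note."""
    if path.name.lower() not in NOTE_NAMES:
        return False
    try:
        if path.stat().st_size > MAX_NOTE_BYTES:
            return False
        text = path.read_bytes().decode("utf-8", errors="replace").lower()
    except OSError:
        return False  # unreadable file: skip it rather than abort the sweep
    return all(marker in text for marker in NOTE_MARKERS)


def find_notes(root: str) -> list[Path]:
    """Walk root and return every file that looks like the ransom note."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            if looks_like_note(candidate):
                hits.append(candidate)
    return sorted(hits)


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one matching note, one benign namesake."""
    (root / "Desktop").mkdir()
    (root / "Docs").mkdir()
    (root / "Desktop" / "Instruction for file recovery.txt").write_text(
        "Your files are now encrypted!\nYour personal ID : <constructed>\n")
    (root / "Docs" / "recovery.txt").write_text("Printer recovery steps\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for hit in find_notes(tmp):
            print("possible Mich78 note:", hit)
```

Requiring both the name and the text avoids flagging unrelated files that happen to be called 'recovery.txt'.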

