EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Threat Level: 100% (High)
First Seen: July 19, 2017
Last Seen: February 19, 2023
The Mich78 Ransomware is an encryption ransomware Trojan that was first observed on July 18, 2017. PC security analysts have analyzed the Mich78 Ransomware and do not suspect it of belonging to a larger ransomware family such as EDA2 or HiddenTear; its characteristics indicate that it is an independent project by an unknown threat developer. PC security researchers have not determined whether there is a clear distribution campaign associated with the Mich78 Ransomware, but attacks seem to target Europe and North and South America. The Mich78 Ransomware uses a strong encryption algorithm to make the victim's files inaccessible, then demands that the victim write an email to the con artists to obtain the decryption key needed to decipher the affected files. This tactic is quite common and has been observed countless times in other ransomware Trojans.
How a Mich78 Ransomware Attack Works
The most likely way in which the Mich78 Ransomware is delivered to victims is through corrupted spam email messages. The Mich78 Ransomware arrives as a spam email attachment that uses corrupted macro scripts to download and install the Mich78 Ransomware on the victim's PC. The Mich78 Ransomware then encrypts the victim's files and displays a ransom note (usually by dropping it on the infected computer's Desktop) demanding that the victim pay a large ransom to recover the affected files.
The Mich78 Ransomware Scrambles the File Names
There is very little to differentiate the Mich78 Ransomware from the countless other ransomware Trojans currently active in the wild. During its attack, the Mich78 Ransomware targets a wide variety of media files, as well as numerous user-generated files ranging from databases to Microsoft Office documents. The Mich78 Ransomware looks for files smaller than 50 MB, probably to make the encryption process faster. The Mich78 Ransomware encrypts files on local drives, on removable devices linked to the affected computer, and in directories shared on a network. The Mich78 Ransomware renames the affected files by scrambling each file's name with an encryption algorithm and appending the string '[email@example.com]' as a file extension. PC security researchers have uncovered various other email accounts associated with this attack.
How the Mich78 Ransomware Demands Its Ransom Payment
The Mich78 Ransomware displays a ransom note after encrypting the victim's files. This ransom note takes the form of a text file named 'Instruction for file recovery.txt' or 'recovery.txt'. The text of the Mich78 Ransomware ransom note reads:
'Your files are now encrypted!
Your personal ID :
Your important documents, databases, documents, network folders are encrypted for your PC security problems.
No data from your computer has been stolen or deleted.
Follow the instructions to restore the files.
How to get the automatic decryptor:
1) Contact us by e-mail: firstname.lastname@example.org. In the letter, indicate your personal identifier (look at the beginning of this document) and the external ip-address of the computer on which the encrypted files are located.
2) After answering your request, our operator will give you further instructions that will show what to do next (the answer you will receive as soon as possible)
** Second email address email@example.com
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10 Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc)..'
The Mich78 Ransomware ransom note also includes information on how to purchase Bitcoins and establish an anonymous connection to pay the ransom. This characteristic has been observed in other similar ransomware Trojans. Keeping file backups protects you against the Mich78 Ransomware and other types of attacks, and removes the need to pay the ransom in case of an attack.
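The two artifacts described above, the bracketed email-style extension appended to renamed files and the ransom note file names 'Instruction for file recovery.txt' and 'recovery.txt', are what an incident responder would look for when triaging a suspected infection. The following is an added example, not code from EnigmaSoft or from this threat report: a small scanner that walks a directory tree and reports both kinds of artifact. Because the real email addresses are redacted on the page, the scanner matches any bracketed email-like suffix rather than a specific address (an assumption), and the sample directory tree it scans is constructed inline so the script runs offline.

```python
"""Triage scanner for the file-renaming and ransom-note artifacts described in the report.

Added example; the directory layout below is constructed for demonstration.
"""
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Ransom note file names quoted in the report (matched case-insensitively).
RANSOM_NOTE_NAMES = {"instruction for file recovery.txt", "recovery.txt"}

# The report says '[email@example.com]' is appended as an extension. The real
# addresses are redacted, so we match any "[local@domain.tld]" suffix (assumption).
RENAMED_FILE_RE = re.compile(r"\[[^\[\]\s@]+@[^\[\]\s@]+\.[a-z]{2,}\]$", re.IGNORECASE)


def classify_path(path: Path) -> Optional[str]:
    """Return 'ransom_note', 'renamed_file', or None for a single file name."""
    name = path.name
    if name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if RENAMED_FILE_RE.search(name):
        return "renamed_file"
    return None


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root and collect paths (relative to root, POSIX form) by artifact type.

    Only file names are inspected; a name-based scan is a quick first pass and
    should be confirmed by checking file contents before drawing conclusions.
    """
    findings: Dict[str, List[str]] = {"ransom_notes": [], "renamed_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            rel = path.relative_to(root).as_posix()
            kind = classify_path(path)
            if kind == "ransom_note":
                findings["ransom_notes"].append(rel)
            elif kind == "renamed_file":
                findings["renamed_files"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree(root: Path) -> None:
    """Create a constructed directory layout mimicking a partially affected profile."""
    (root / "Documents").mkdir()
    (root / "Documents" / "report.docx").write_text("untouched document")
    # Scrambled name plus the bracketed email suffix, as the report describes.
    (root / "Documents" / "q3kd8s2.xlsx[email@example.com]").write_bytes(b"\x00\x11\x22")
    (root / "Documents" / "Instruction for file recovery.txt").write_text("Your files are now encrypted!")
    (root / "Pictures" / "holiday").mkdir(parents=True)
    (root / "Pictures" / "holiday" / "IMG_001.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "Pictures" / "holiday" / "a8d7f2.jpg[email@example.com]").write_bytes(b"\x33\x44")
    (root / "recovery.txt").write_text("Your files are now encrypted!")
    # Decoy: brackets in a name without an '@' must not trigger the rule.
    (root / "notes[draft].txt").write_text("meeting notes")


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temporary directory and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))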