Mira Ransomware
The Mira Ransomware is a variant of the Planetary Ransomware, which itself is based on the HC7 Ransomware. The Mira Ransomware was identified by computer security experts on April 5th, 2019. The Mira Ransomware Trojan might enter systems via corrupted Microsoft Word files, PDF files with double extensions (like 'Sample.PDF.EXE') and pirated software. The Mira Ransomware is a program that can use processes with random names and run code via the Command Line utility by Microsoft to hide its activity. The Mira Ransomware is designed to use a custom version of the Rijndael algorithm that is one of the key components of the trusted AES (Advanced Encryption Standard) cipher. The Trojan at hand enciphers data containers with the following extensions:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso .ibooks, .jpeg, .jpg, .key, .mdb .md2, .mdf, .mht, .mobi .mhtm, .mkv, .mov, .mp3, .mp4, .mpg .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.
The encrypted data is saved over the original data, and the Shadow Volume snapshots made by Windows are deleted. In other words, the Mira Ransomware reads the files on your PC and overwrites saved content, as well as remove backups made by Windows. Affected files receive the '.mira' extension. For example, 'Tales of Ladybug & Cat Noir.mp4' is renamed to 'Tales of Ladybug & Cat Noir.mp4.mira.' The team behind the Mira Ransomware might offer help with decrypting your data in exchange for $500 and more. Most Ransomware actors accept payments in Bitcoin (BTC), but some accept other cryptocurrencies like Ethereum (ETH), Litecoin (LTC), Dogecoin (DOGE) and others. The Mira Ransomware team remains "orthodox" and requires payments in BTC, but first, you will need to send them an email. The Mira Ransomware Trojan is instructed to write '!!!READ_IT!!!.txt' to the users desktop and offer the following message:
'ALL YOUR DATA WAS ENCRYPTED
If you want to recover your data:
1.Send your personal ID to our emails.
2.You can send us 1 small file for test decryption.
3.After payment you will get decryption tool and opportunity to recover all your data.
To avoid file loss, do not try to rename or modify encrypted files.
Our contacts:
recoverymydata@protonmail.com
recoverydata@india.com
Your personal ID:
[random characters]'
You may want to download a free decryptor for your data that is made available by several AV manufacturers. Type 'Mira Ransomware Decryptor' on your search provider of choice and download the decryptor for free. Computer experts recommend users to employ the services of a credible backup suite. Most backup solutions on the market today can export copies of your data to cloud storage services, which is advisable. Removing the Mira Ransomware is not hard as long as you are running a reputable anti-malware tool.
Detection names for the Mira Ransomware are listed below:
Gen:Heur.Ransom.REntS.Gen.1
Malware@#2gf1aijewhfcy
Ransom_Crypmod.R02CC0WCI19
TR/Crypmod.tnvhf
Trojan.Crypmod.Win32.1054
Trojan.Filecoder!EBeAh8HKZv0
Trojan.Ransom.REntS.Gen.1
Trojan.Win32.Ransom.foqdcq
Trojan/Win32.Ransom.C3123376
Trojan:MSIL/Filecoder.6a8e8122
Trojan:W32/Ransomware.AN
Trojan[Ransom]/MSIL.Crypmod
a variant of MSIL/Filecoder.SB
