MIIA ransomware aims to lock your files and demand a ransom from you
Contents
MIIA ransomware is a nascent malicious file-encrypting computer virus that belongs to the STOP/DJVU ransomware family. This virus is known to attack computer systems by encrypting all contained in it while equally appending .miia extension to each filename. For instance, a file originally stored as 1.jpg automatically becomes 1.jpg.miia and the same process is repeated continuously. Same time while the cyber-attack is still ongoing, ransom notification will be dropped through a folder known as _readme.txt, in all the folders. Contained in the ransom message is notification informing the victim on how to pay ransom in exchange for MIIA decryption tool.
They will further emphasize that MIIA ransomware has encrypted all files (including documents, pictures and every other data) contained in the computer, using very strong encryption key. Therefore, if they hope to recover their files certain amount of money would have to be paid in exchange for decryption services. To facilitate the ransom payment process, the cybercriminals would make available the following email addresses for communication purposes: manager@mailtemp.ch and helpsupportmanager@airmail.cc.
The note will equally contain specific charges and conditions attached with the ransom payment. For instance, the victim would be informed that paying within 72 hours of being notified, would earn them a 50% discount. In other words, they would now pay $490, but if they fail to comply within the first 3 days, the ransom demand will revert to $980 flat rate.
However, if the victim goes ahead to contact them, he will be told that can only be done with cryptocurrency. So, they will forward a wallet address and instruct the victim to pay the exact cryptocurrency equivalence into it. Obviously, they use such channel because of the anonymity it offers and thus preempt any chance of it being followed by law enforcement agents. In order to convince the victim and influence them into paying the ransom, they may request for excerpts from the encrypted files for them to decrypt as sample.
Nevertheless, cybersecurity experts’ from our company advice that victims of ransomware should not pay ransom, regardless of the situation. Our sentiment is also shared by the FBI that also advice against complying with the demands of cybercriminals. It must be emphasized that complying with their ransom demand does not guarantee you will recover your files, so why pay? In addition to that, always remember that paying cybercriminals such huge amounts of money will only embolden them to continue in their nefarious activities. Worse still, the virus is known to release certain dangerous Trojans in the likes of AZORULT and VIDAR that steals vital information such as banking details, software login credentials, cryptocurrency wallets, passwords saved on browser among others. Such sensitive information in the wrong hands can lead to further blackmail.
Victims of this STOP/DJVU variant should as a matter of urgency, remove MIIA ransomware virus from their computer ASAP. You can make use of any reputable antivirus software while your computer is switched to Safe Mode with Networking. This approach will optimize the ability of the antivirus to scan effectively and completely remove the malware. Our team recommends INTEGO Antivirus software for this task. Furthermore, we advise thinking about downloading RESTORO to repair virus damage on Windows OS files.
Ransomware Summary
Name | MIIA Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | STOP/DJVU |
Encryption type | RSA 2048 + Salsa20 |
Previous versions | KAAA, BGJS, BGZQ (find full list here) |
Version | 367th |
Extension | .miia |
Cybercriminal emails | manager@mailtemp.ch, helprestoremanager@airmail.cc |
Additional malware dropped | Azorult or Vidar Trojan |
Damage | The ransomware attacks files on victim’s PC system and encrypts them, using .miia extension to mark affected ones. The virus leaves _readme.txt ransom notes throughout the system. This ransomware often comes with information-stealing Trojans which will be executed on the system. The ransomware removes Volume Shadow Copies to prevent access to existing System Restore Points. Some versions may also edit Windows HOSTS file to block access to a specific cybersecurity-related domains. |
Ransom note | _readme.txt |
Ransom demand | $490-$980 in Bitcoin |
Distribution | Victims often download this ransomware along illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico. |
Known software cracks to contain this malware | Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, League of Legends. |
Detection names | Trojan:Win32/Raccrypt.GV!MTB (Microsoft), Gen:Variant.Babar.30049 (B) (Emsisoft), UDS:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Babar.30049 (BitDefender), Trojan.Agent.UKED (Malwarebytes), ML.Attribute.HighConfidence (Symantec) see all detection name variations on VirusTotal |
Removal | Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO. |
REPAIR VIRUS DAMAGE
Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.
How Cybercriminals Distribute Ransomware
The most common way through which ransomware (including MIIA virus) are distributed is when computer users download malicious torrents online. The malware often hibernate in pirated software contents, so when users of such dangerous copies try to activate them, they unwittingly trigger the malware. Most victims so far have reported downloading malicious torrents prior to a cyber-attack. We strongly advise against the use of fake crack, key generator or any other software content that is not from genuine sources.
Below are some of the most popular pirated software copies cybercriminals use in distributing ransomware:
- Cubase;
- Adobe Illustrator;
- Tenorshare 4ukey;
- AutoCad;
- Opera browser;
- Corel Draw;
- VMware Workstation;
- Adobe Photoshop;
- Fifa 20;
- League of Legends;
- Internet Download Manager;
- KMSPico (illegal Windows activation tool).
Computer users who tend to make use of online software torrents should desist from such acts because it’s not worth the risk. Trying to obtain copyrighted software contents illegally can lead to severe malware attack. Another risk associated with such unwholesome practice is the possibility of being slammed with lawsuit due to copyright infringement. Always consider the bigger picture, by obtaining your software needs from the original content producers or their affiliates; you will be helping the industry to grow. Also, remember that any fee you pay to obtain your software contents legitimately is negligible compared to the outrageous ransom fees cybercriminals will demand from you as a victim of ransomware. Moreover, you won’t be putting your sensitive data at risk of falling into the wrong hands.
Aside online software torrents, another way cybercriminals distribute ransomware is by sending out malicious email attachments. What they do is to compose believable messages while pretending to be family, friend, colleague or even a popular brand. They will then attach files created on maybe PDF, DOCX or XLS (these platforms are mostly used because they enable JavaScript and other macro functions). So, attaching payload on them and releasing on any computer becomes possible.
The worrisome part is that some of these cybercriminals have become sophisticated in recent time, thus trying to decipher if an email is genuine or not can be very difficult sometimes. Sometimes, they impersonate popular brands like DHL, eBay or Amazon and give the accompanying file enticing names like Tracking Details, Invoice or Order Summary etc. They may even decide to hide the sender’s address by using email spoofing techniques to obfuscate it. In such situation, it is best for one to apply common sense and ask some questions like do I have any business with this brand? Why is the sender’s address vague? And so on.
It has been noted that victims of STOP/DJVU ransomware tend to throw caution to the wind in their desperation to have their files decrypted. In so doing, they often end up complicating issues. You should avoid trying to reach out to dubious websites claiming to offer decryption solution because such doesn’t exist at the moment. On the contrary, using fake STOP/DJVU decryptors will put your computer at risk of being infected with other ransomware variants like ZORAB, thereby doubly encrypting your files. However, only DiskTuna and Emsisoft currently offer decryption/repair tools with high chances of recovery.
Further details you need to know about malware
Some people often wonder about the extent of damage that was done on their computer system following a malware attack. This section will explain in details about the technical aspects concerning the malware. The first thing the malware does is to establish build.exe or build2.exe as well as winupdate.exe (this is what triggers the fake display of Windows update screen). The main executable of the ransomware is named with 4 random characters. For example, one of analysed samples uses 5AD4.exe name. The malware then connects to https[:]//api.2ip.ua/geo.json and sends the response to geo.json file. It then begins to gather every piece of information concerning your computer such as its geolocation, time zone, latitude and longitude, zip code and other details and forwards them to their central server. The image provided below is how geo.json file looks like.
The ransomware also collects information about the compromised system into information.txt file and also takes a screenshot of victim’s desktop and also transmits them to C&C server.
Using the geolocation of the computer, it will profile the country code against their list of encryption-exempted countries (the countries are Russia, Syria, Ukraine, Armenia, Tajikistan, Belarus, Kazachstan, Kyrgyzstan, and Uzbekistan). Once it shows positive with any of the listed countries, it will immediately stop any further attempts at encrypting the files. However, if it doesn’t tally with any of them, the ransomware will now access its server and extract online encryption key which it will merge with the victim’s ID before saving them in bowsakkdestx.txt file and to PersonalID.txt file.
The image below captures how these files look like.
If for any reason the malware couldn’t extract online encryption ID, it will opt for the use of an offline one. The only remarkable difference between online ID and offline ID is that while the former is unique to each victim, the latter is uniform for all. You can easily detect if an offline ID was used if it has t1 characters at the end of the personal ID. If offline ID was used, then the victim’s chance to possibly decrypt .miia files becomes brighter.
More information about this is provided below.
The malware will at this point begin full data encryption by scanning every folder and encrypting them with Salsa20 before locking the encryption key with RSA-2048 key. While the process is still ongoing, the virus will mark each file with additional extension.
Here is a screenshot of _readme.txt ransom note the ransomware leaves in each folder.
Afterwards, the virus will delete all Volume Shadow Copies by prompting a command task as shown below:
vssadmin.exe Delete Shadows /All /Quiet
In completing the process, the virus will add a list of domains to the Windows HOSTS file, before sticking them to localhost IP. This action will effectively prevent the victim from having access to any of the blacklisted websites. Whenever they try to access them, DNS_PROBE_FINISHED_NXDOMAIN error message will appear on their screen. The cybercriminals go to this length just to ensure the victim does not get any help online.
At this point, the virus may drop additional Trojans such as AZORULT or VIDAR on the already compromised computer system.
Remove MIIA Ransomware Virus and Recover Your Files
For victims of the described ransomware, the first step that should be taken is to report the cybercrime to the appropriate local authorities mandated to handle such issues, and of course to remove MIIA ransomware virus as soon as they can. The guide below teaches how to boot a computer using Safe Mode and Networking method.
If you have successfully completed MIIA virus removal, please take note of the steps as recommended by our industry experts:
- It is necessary to inform any relevant local law enforcement agency about the cyberattack
- Now is the time to make use of your data backup. However, you must be careful and ensure that the malware is completely removed before attaching any external storage device to your computer.
- You may consider learning how to repair/decrypt files that were encrypted by STOP/DJVU variants.
- No matter how coded your passwords may be, you have got to replace them. These include passwords used on your browser, Telegram, and Steam among others.
With all said and done, always remember to be proactive at all times to avoid falling victim to cybercriminals. Do not visit online torrents libraries and do not open emails or attachments from questionable sources. Above all, install and constantly scan genuine and reliable antivirus software so you can detect/prevent any dangerous malware from infecting your computer.
OUR GEEKS RECOMMEND
Our team recommends removing malware using a professional antivirus software.
REMOVE THREATS WITH ROBUST ANTIVIRUS
Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.
Use INTEGO Antivirus to remove detected threats from your computer.
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
MIIA Ransomware Virus Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove MIIA Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove MIIA Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Special Offer
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt MIIA files
Fix and open large MIIA files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
- Create a copy of encrypted file to a separate folder using Copy > Paste commands.
- Now, right-click the created copy and choose Rename. Select the MIIA extension and delete it. Press Enter to save changes.
- In the prompt asking whether you want to make the changes as file might become unusable, click OK.
- Try opening the file.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. MIIA Ransomware Virus is considered the new STOP/DJVU variant, just like KAAA, BGJS, BGZQ (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt MIIA files, follow the given tutorial.
- Download the decryption tool from Emsisoft.
- Click the little arrow next to your download and choose Show in Folder.
- Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
- In UAC window, click Yes.
- Click Yes to agree to software terms in both windows.
- The tool will automatically include C:// disk as a location to decrypt. The file recovery tool will prepopulate the locations to scan, including connected data storage drives or network drives. Click Add folder if you wish to add additional locations.
In Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know if the decryption tool will work. - Click Decrypt to start restoring MIIA files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure is successful, or you need to wait for an update.
You might also be informed that online key was used to encrypt your files. In such case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.
Meanings of decryptor's messages
The MIIA decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your MIIA extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of MIIA Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
- In the United States, go to the On Guard Online website.
- In Australia, go to the SCAMwatch website.
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
- In Ireland, go to the An Garda Síochána website.
- In New Zealand, go to the Consumer Affairs Scams website.
- In the United Kingdom, go to the Action Fraud website.
- In Canada, go to the Canadian Anti-Fraud Centre.
- In India, go to Indian National Cybercrime Reporting Portal.
- In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
Frequently Asked Questions
You can only open MIIA files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official MIIA decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake MIIA decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Leave a Reply