Contents
MIIA ransomware is a nascent malicious file-encrypting computer virus that belongs to the STOP/DJVU ransomware family. This virus is known to attack computer systems by encrypting all contained in it while equally appending .miia extension to each filename. For instance, a file originally stored as 1.jpg automatically becomes 1.jpg.miia and the same process is repeated continuously. Same time while the cyber-attack is still ongoing, ransom notification will be dropped through a folder known as _readme.txt, in all the folders. Contained in the ransom message is notification informing the victim on how to pay ransom in exchange for MIIA decryption tool.
They will further emphasize that MIIA ransomware has encrypted all files (including documents, pictures and every other data) contained in the computer, using very strong encryption key. Therefore, if they hope to recover their files certain amount of money would have to be paid in exchange for decryption services. To facilitate the ransom payment process, the cybercriminals would make available the following email addresses for communication purposes: manager@mailtemp.ch and helpsupportmanager@airmail.cc.
The note will equally contain specific charges and conditions attached with the ransom payment. For instance, the victim would be informed that paying within 72 hours of being notified, would earn them a 50% discount. In other words, they would now pay $490, but if they fail to comply within the first 3 days, the ransom demand will revert to $980 flat rate.
However, if the victim goes ahead to contact them, he will be told that can only be done with cryptocurrency. So, they will forward a wallet address and instruct the victim to pay the exact cryptocurrency equivalence into it. Obviously, they use such channel because of the anonymity it offers and thus preempt any chance of it being followed by law enforcement agents. In order to convince the victim and influence them into paying the ransom, they may request for excerpts from the encrypted files for them to decrypt as sample.
Nevertheless, cybersecurity experts’ from our company advice that victims of ransomware should not pay ransom, regardless of the situation. Our sentiment is also shared by the FBI that also advice against complying with the demands of cybercriminals. It must be emphasized that complying with their ransom demand does not guarantee you will recover your files, so why pay? In addition to that, always remember that paying cybercriminals such huge amounts of money will only embolden them to continue in their nefarious activities. Worse still, the virus is known to release certain dangerous Trojans in the likes of AZORULT and VIDAR that steals vital information such as banking details, software login credentials, cryptocurrency wallets, passwords saved on browser among others. Such sensitive information in the wrong hands can lead to further blackmail.
Victims of this STOP/DJVU variant should as a matter of urgency, remove MIIA ransomware virus from their computer ASAP. You can make use of any reputable antivirus software while your computer is switched to Safe Mode with Networking. This approach will optimize the ability of the antivirus to scan effectively and completely remove the malware. Our team recommends INTEGO Antivirus software for this task. Furthermore, we advise thinking about downloading RESTORO to repair virus damage on Windows OS files.
Name | MIIA Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | STOP/DJVU |
Encryption type | RSA 2048 + Salsa20 |
Previous versions | MMUZ, RGUY, HFGD, KKIA, SSOI, PPHG, WDLO (find full list here) |
Version | 367th |
Extension | .miia |
Cybercriminal emails | manager@mailtemp.ch, helprestoremanager@airmail.cc |
Additional malware dropped | Azorult or Vidar Trojan |
Damage | The ransomware attacks files on victim’s PC system and encrypts them, using .miia extension to mark affected ones. The virus leaves _readme.txt ransom notes throughout the system. This ransomware often comes with information-stealing Trojans which will be executed on the system. The ransomware removes Volume Shadow Copies to prevent access to existing System Restore Points. Some versions may also edit Windows HOSTS file to block access to a specific cybersecurity-related domains. |
Ransom note | _readme.txt |
Ransom demand | $490-$980 in Bitcoin |
Distribution | Victims often download this ransomware along illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico. |
Known software cracks to contain this malware | Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, League of Legends. |
Detection names | Trojan:Win32/Raccrypt.GV!MTB (Microsoft), Gen:Variant.Babar.30049 (B) (Emsisoft), UDS:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Babar.30049 (BitDefender), Trojan.Agent.UKED (Malwarebytes), ML.Attribute.HighConfidence (Symantec) see all detection name variations on VirusTotal |
Removal | Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO. |
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
The most common way through which ransomware (including MIIA virus) are distributed is when computer users download malicious torrents online. The malware often hibernate in pirated software contents, so when users of such dangerous copies try to activate them, they unwittingly trigger the malware. Most victims so far have reported downloading malicious torrents prior to a cyber-attack. We strongly advise against the use of fake crack, key generator or any other software content that is not from genuine sources.
Below are some of the most popular pirated software copies cybercriminals use in distributing ransomware:
Computer users who tend to make use of online software torrents should desist from such acts because it’s not worth the risk. Trying to obtain copyrighted software contents illegally can lead to severe malware attack. Another risk associated with such unwholesome practice is the possibility of being slammed with lawsuit due to copyright infringement. Always consider the bigger picture, by obtaining your software needs from the original content producers or their affiliates; you will be helping the industry to grow. Also, remember that any fee you pay to obtain your software contents legitimately is negligible compared to the outrageous ransom fees cybercriminals will demand from you as a victim of ransomware. Moreover, you won’t be putting your sensitive data at risk of falling into the wrong hands.
Aside online software torrents, another way cybercriminals distribute ransomware is by sending out malicious email attachments. What they do is to compose believable messages while pretending to be family, friend, colleague or even a popular brand. They will then attach files created on maybe PDF, DOCX or XLS (these platforms are mostly used because they enable JavaScript and other macro functions). So, attaching payload on them and releasing on any computer becomes possible.
The worrisome part is that some of these cybercriminals have become sophisticated in recent time, thus trying to decipher if an email is genuine or not can be very difficult sometimes. Sometimes, they impersonate popular brands like DHL, eBay or Amazon and give the accompanying file enticing names like Tracking Details, Invoice or Order Summary etc. They may even decide to hide the sender’s address by using email spoofing techniques to obfuscate it. In such situation, it is best for one to apply common sense and ask some questions like do I have any business with this brand? Why is the sender’s address vague? And so on.
It has been noted that victims of STOP/DJVU ransomware tend to throw caution to the wind in their desperation to have their files decrypted. In so doing, they often end up complicating issues. You should avoid trying to reach out to dubious websites claiming to offer decryption solution because such doesn’t exist at the moment. On the contrary, using fake STOP/DJVU decryptors will put your computer at risk of being infected with other ransomware variants like ZORAB, thereby doubly encrypting your files. However, only DiskTuna and Emsisoft currently offer decryption/repair tools with high chances of recovery.
Some people often wonder about the extent of damage that was done on their computer system following a malware attack. This section will explain in details about the technical aspects concerning the malware. The first thing the malware does is to establish build.exe or build2.exe as well as winupdate.exe (this is what triggers the fake display of Windows update screen). The main executable of the ransomware is named with 4 random characters. For example, one of analysed samples uses 5AD4.exe name. The malware then connects to https[:]//api.2ip.ua/geo.json and sends the response to geo.json file. It then begins to gather every piece of information concerning your computer such as its geolocation, time zone, latitude and longitude, zip code and other details and forwards them to their central server. The image provided below is how geo.json file looks like.
The ransomware also collects information about the compromised system into information.txt file and also takes a screenshot of victim’s desktop and also transmits them to C&C server.
Using the geolocation of the computer, it will profile the country code against their list of encryption-exempted countries (the countries are Russia, Syria, Ukraine, Armenia, Tajikistan, Belarus, Kazachstan, Kyrgyzstan, and Uzbekistan). Once it shows positive with any of the listed countries, it will immediately stop any further attempts at encrypting the files. However, if it doesn’t tally with any of them, the ransomware will now access its server and extract online encryption key which it will merge with the victim’s ID before saving them in bowsakkdestx.txt file and to PersonalID.txt file.
The image below captures how these files look like.
If for any reason the malware couldn’t extract online encryption ID, it will opt for the use of an offline one. The only remarkable difference between online ID and offline ID is that while the former is unique to each victim, the latter is uniform for all. You can easily detect if an offline ID was used if it has t1 characters at the end of the personal ID. If offline ID was used, then the victim’s chance to possibly decrypt .miia files becomes brighter.
More information about this is provided below.
The malware will at this point begin full data encryption by scanning every folder and encrypting them with Salsa20 before locking the encryption key with RSA-2048 key. While the process is still ongoing, the virus will mark each file with additional extension.
Here is a screenshot of _readme.txt ransom note the ransomware leaves in each folder.
Afterwards, the virus will delete all Volume Shadow Copies by prompting a command task as shown below:
vssadmin.exe Delete Shadows /All /Quiet
In completing the process, the virus will add a list of domains to the Windows HOSTS file, before sticking them to localhost IP. This action will effectively prevent the victim from having access to any of the blacklisted websites. Whenever they try to access them, DNS_PROBE_FINISHED_NXDOMAIN error message will appear on their screen. The cybercriminals go to this length just to ensure the victim does not get any help online.
At this point, the virus may drop additional Trojans such as AZORULT or VIDAR on the already compromised computer system.
For victims of the described ransomware, the first step that should be taken is to report the cybercrime to the appropriate local authorities mandated to handle such issues, and of course to remove MIIA ransomware virus as soon as they can. The guide below teaches how to boot a computer using Safe Mode and Networking method.
If you have successfully completed MIIA virus removal, please take note of the steps as recommended by our industry experts:
With all said and done, always remember to be proactive at all times to avoid falling victim to cybercriminals. Do not visit online torrents libraries and do not open emails or attachments from questionable sources. Above all, install and constantly scan genuine and reliable antivirus software so you can detect/prevent any dangerous malware from infecting your computer.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
MIIA Ransomware Virus Removal Guidelines
Before you try to remove MIIA Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
Now, you can search for and remove MIIA Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.
Special Offer
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU ransomware versions are grouped into old and new variants. MIIA Ransomware Virus is considered the new STOP/DJVU variant, just like MMUZ, RGUY, HFGD, KKIA, SSOI, PPHG, WDLO (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt MIIA files, follow the given tutorial.
The MIIA decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your MIIA extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Victims of MIIA Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
You can only open MIIA files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official MIIA decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake MIIA decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
WDLO ransomware uses encryption to lock your personal files WDLO ransomware is a malicious computer…
What is a VPN and how does it work? The term VPN stands for Virtual…
PPHG ransomware encrypts your computer files, threatens to keep them locked until a ransom is…
SSOI ransomware aims to lock all of your data on a computer and then extort…
KKIA ransomware sneakily encrypts your files KKIA ransomware is a newly emerged computer virus that…
HFGD ransomware aims to take your computer files hostage HFGD ransomware is a malicious malware…
This website uses cookies.