They will further emphasize that MIIA ransomware has encrypted all files (including documents, pictures and every other data) contained in the computer, using very strong encryption key. Therefore, if they hope to recover their files certain amount of money would have to be paid in exchange for decryption services. To facilitate the ransom payment process, the cybercriminals would make available the following email addresses for communication purposes: manager@mailtemp.ch and helpsupportmanager@airmail.cc. The note will equally contain specific charges and conditions attached with the ransom payment. For instance, the victim would be informed that paying within 72 hours of being notified, would earn them a 50% discount. In other words, they would now pay $490, but if they fail to comply within the first 3 days, the ransom demand will revert to $980 flat rate.  However, if the victim goes ahead to contact them, he will be told that can only be done with cryptocurrency. So, they will forward a wallet address and instruct the victim to pay the exact cryptocurrency equivalence into it. Obviously, they use such channel because of the anonymity it offers and thus preempt any chance of it being followed by law enforcement agents. In order to convince the victim and influence them into paying the ransom, they may request for excerpts from the encrypted files for them to decrypt as sample. Nevertheless, cybersecurity experts’ from our company advice that victims of ransomware should not pay ransom, regardless of the situation. Our sentiment is also shared by the FBI that also advice against complying with the demands of cybercriminals. It must be emphasized that complying with their ransom demand does not guarantee you will recover your files, so why pay? In addition to that, always remember that paying cybercriminals such huge amounts of money will only embolden them to continue in their nefarious activities. Worse still, the virus is known to release certain dangerous Trojans in the likes of AZORULT and VIDAR that steals vital information such as banking details, software login credentials, cryptocurrency wallets, passwords saved on browser among others. Such sensitive information in the wrong hands can lead to further blackmail.  Victims of this STOP/DJVU variant should as a matter of urgency, remove MIIA ransomware virus from their computer ASAP. You can make use of any reputable antivirus software while your computer is switched to Safe Mode with Networking. This approach will optimize the ability of the antivirus to scan effectively and completely remove the malware. Our team recommends INTEGO Antivirus software for this task. Furthermore, we advise thinking about downloading RESTORO to repair virus damage on Windows OS files.

Ransomware Summary

REPAIR VIRUS DAMAGE

How Cybercriminals Distribute Ransomware 

The most common way through which ransomware (including MIIA virus) are distributed is when computer users download malicious torrents online. The malware often hibernate in pirated software contents, so when users of such dangerous copies try to activate them, they unwittingly trigger the malware.  Most victims so far have reported downloading malicious torrents prior to a cyber-attack. We strongly advise against the use of fake crack, key generator or any other software content that is not from genuine sources.  Below are some of the most popular pirated software copies cybercriminals use in distributing ransomware: 

Cubase;Adobe Illustrator;Tenorshare 4ukey;AutoCad;Opera browser;Corel Draw;VMware Workstation;Adobe Photoshop;Fifa 20; League of Legends;Internet Download Manager;KMSPico (illegal Windows activation tool).

Computer users who tend to make use of online software torrents should desist from such acts because it’s not worth the risk. Trying to obtain copyrighted software contents illegally can lead to severe malware attack. Another risk associated with such unwholesome practice is the possibility of being slammed with lawsuit due to copyright infringement. Always consider the bigger picture, by obtaining your software needs from the original content producers or their affiliates; you will be helping the industry to grow. Also, remember that any fee you pay to obtain your software contents legitimately is negligible compared to the outrageous ransom fees cybercriminals will demand from you as a victim of ransomware.  Moreover, you won’t be putting your sensitive data at risk of falling into the wrong hands.  Aside online software torrents, another way cybercriminals distribute ransomware is by sending out malicious email attachments. What they do is to compose believable messages while pretending to be family, friend, colleague or even a popular brand. They will then attach files created on maybe PDF, DOCX or XLS (these platforms are mostly used because they enable JavaScript and other macro functions). So, attaching payload on them and releasing on any computer becomes possible.  It has been noted that victims of STOP/DJVU ransomware tend to throw caution to the wind in their desperation to have their files decrypted. In so doing, they often end up complicating issues. You should avoid trying to reach out to dubious websites claiming to offer decryption solution because such doesn’t exist at the moment.  On the contrary, using fake STOP/DJVU decryptors will put your computer at risk of being infected with other ransomware variants like ZORAB, thereby doubly encrypting your files. However, only DiskTuna and Emsisoft currently offer decryption/repair tools with high chances of recovery. 

Further details you need to know about malware

Some people often wonder about the extent of damage that was done on their computer system following a malware attack. This section will explain in details about the technical aspects concerning the malware. The first thing the malware does is to establish build.exe or build2.exe as well as winupdate.exe (this is what triggers the fake display of Windows update screen). The main executable of the ransomware is named with 4 random characters. For example, one of analysed samples uses 5AD4.exe name. The malware then connects to https[:]//api.2ip.ua/geo.json and sends the response to geo.json file. It then begins to gather every piece of information concerning your computer such as its geolocation, time zone, latitude and longitude, zip code and other details and forwards them to their central server. The image provided below is how geo.json file looks like. The ransomware also collects information about the compromised system into information.txt file and also takes a screenshot of victim’s desktop and also transmits them to C&C server. Using the geolocation of the computer, it will profile the country code against their list of encryption-exempted countries (the countries are Russia, Syria, Ukraine, Armenia, Tajikistan, Belarus, Kazachstan, Kyrgyzstan, and Uzbekistan). Once it shows positive with any of the listed countries, it will immediately stop any further attempts at encrypting the files. However, if it doesn’t tally with any of them, the ransomware will now access its server and extract online encryption key which it will merge with the victim’s ID before saving them in bowsakkdestx.txt file and to PersonalID.txt file. The image below captures how these files look like. If for any reason the malware couldn’t extract online encryption ID, it will opt for the use of an offline one. The only remarkable difference between online ID and offline ID is that while the former is unique to each victim, the latter is uniform for all. You can easily detect if an offline ID was used if it has t1 characters at the end of the personal ID. If offline ID was used, then the victim’s chance to possibly decrypt .miia files becomes brighter.  More information about this is provided below. The malware will at this point begin full data encryption by scanning every folder and encrypting them with Salsa20 before locking the encryption key with RSA-2048 key. While the process is still ongoing, the virus will mark each file with additional extension.  Here is a screenshot of _readme.txt ransom note the ransomware leaves in each folder. Afterwards, the virus will delete all Volume Shadow Copies by prompting a command task as shown below: vssadmin.exe Delete Shadows /All /Quiet In completing the process, the virus will add a list of domains to the Windows HOSTS file, before sticking them to localhost IP. This action will effectively prevent the victim from having access to any of the blacklisted websites. Whenever they try to access them, DNS_PROBE_FINISHED_NXDOMAIN error message will appear on their screen. The cybercriminals go to this length just to ensure the victim does not get any help online.    At this point, the virus may drop additional Trojans such as AZORULT or VIDAR on the already compromised computer system. 

Remove MIIA Ransomware Virus and Recover Your Files

For victims of the described ransomware, the first step that should be taken is to report the cybercrime to the appropriate local authorities mandated to handle such issues, and of course to remove MIIA ransomware virus as soon as they can. The guide below teaches how to boot a computer using Safe Mode and Networking method.  If you have successfully completed MIIA virus removal, please take note of the steps as recommended by our industry experts: 

It is necessary to inform any relevant local law enforcement agency about the cyberattackNow is the time to make use of your data backup. However, you must be careful and ensure that the malware is completely removed before attaching any external storage device to your computer.  You may consider learning how to repair/decrypt files that were encrypted by STOP/DJVU variants. No matter how coded your passwords may be, you have got to replace them. These include passwords used on your browser, Telegram, and Steam among others.   

With all said and done, always remember to be proactive at all times to avoid falling victim to cybercriminals. Do not visit online torrents libraries and do not open emails or attachments from questionable sources. Above all, install and constantly scan genuine and reliable antivirus software so you can detect/prevent any dangerous malware from infecting your computer.  OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.

Method 1. Enter Safe Mode with Networking

Before you try to remove MIIA Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove MIIA Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt MIIA files

Fix and open large MIIA files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. MIIA Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt MIIA files, follow the given tutorial.

Meanings of decryptor’s messages

The MIIA decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your MIIA extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Victims of MIIA Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.

If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.