Removing the Mich78 Ransomware

What is Mich78 ransomware? And how does it work?

Mich78 is new file-encrypting threat discovered on July 18, 2017. It appears to be an independent project and does not show any traces of code which are typically seen on HiddenTear and EDA2 ransomware variants like the Luxnut and AnonFive ransomware. Right now, it is not clear who is behind Mich78 ransomware yet.
Although Mich78 ransomware seems to be created by independent group of cyber criminals, however, it has the same traits as Ransed ransomware and Reyptson ransomware. It encrypts images, videos, mp3 files, databases, eBooks, PDF files and other types of files. According to security analysts, Mich78 can also corrupt data on local disks, removable media storage and network assigned memory devices. Moreover, it also modifies the filenames and file extensions of the targeted files. For instance if you save an image entitled image1.jpg, the ransomware changes it to something indecipherable that it’ll be hard to recognize which is which from your files. Mich78 ransomware uses AES encryption algorithm in encrypting files. And drops a text file named Instructions for file recovery.txt or recovery.txt that has the message below:
‘Your files are now encrypted!
Your personal ID :
[RANDOM CHARACTERS]
What happened?
Your important documents, databases, documents, network folders are encrypted for your PC security problems.
No data from your computer has been stolen or deleted.
Follow the instructions to restore the files.

How to get the automatic decryptor:

1) Contact us by e-mail: [email protected]. In the letter, indicate your personal identifier (look at the beginning of this document) and the external ip-address of the computer on which the encrypted files are located.
2) After answering your request, our operator will give you further instructions that will show what to do next (the answer you will receive as soon as possible)
** Second email address [email protected]
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10 Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).’
The ransom note above provides a guide on how to get Bitcoins and you’ll be asked to reach [email protected] or [email protected]. The crooks may promise you free decryption of your files which is preposterous to be honest since you didn’t ask them to encrypt your files in the first place. So instead of contacting them, you need to follow the removal guide below to get rid of Mich78 and try to recover your encrypted files.

How is Mich78 ransomware distributed?

Usually, malwares infects your computer when you download suspicious applications or files or when you click corrupted links and such. It’s the same thing for Mich78. The main distribution methods for this ransomware are as follows:

Exploit kits
Spam emails with infected attachments
Ads that are malware-laden
Illegal and bogus downloads
Fake software updates
Macro-enabled corrupted document files

As you can see, there are many ways in which this malware can spread so you have to be careful in downloading attachments or downloading software from shady sites, or carelessly clicking links.
For the removal of Mich78 ransomware, follow the guide below:
Step 1: Open Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.

Step 2: Go to the Processes tab and look for any suspicious processes and then kill them.

Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.

Step 4: Look for Mich78 ransomware or any suspicious program and then Uninstall.

Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Go to the directories listed below and delete everything in it. Or other directories you might have saved the file related to Mich78 ransomware.

%APPDATA%
%USERPROFILE%\Downloads
%USERPROFILE%\Desktop
%TEMP%

Step 7: Look for the text file created by Mich78 ransomware, recovery.txt.
Step 8: Empty the Recycle Bin.
Step 9: Reboot your computer into Safe Mode with Command Prompt by pressing F8 a couple of times until the Advanced Options menu appears.

Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard. After selecting Safe Mode with Command Prompt, hit Enter.
Step 10: After loading the Command Prompt type cd restore and hit Enter.

Step 11: After cd restore, type in rstrui.exe and hit Enter.

Step 12: A new window will appear, and then click Next.

Step 13: Select any of the Restore Points on the list and click Next. This will restore your computer to its previous state before being infected with the Mich78 Ransomware.
Step 14: A dialog box will appear, and then click Next.

Step 15: After the system restore process, download SpyRemover Pro to remove any remaining files or residues of the Mich78 Ransomware.
Step 16: Try to recover your encrypted files.
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if the Mich78 Ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

Follow the continued advanced steps below to ensure the removal of the Mich78 ransomware:
Perform a full system scan using SpyRemover Pro.

Turn on your computer. If it’s already on, you have to reboot
After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
Windows will now load the Safe Mode with Networking.
Press and hold both R key and Windows key.

If done correctly, the Windows Run Box will show up.
Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.

A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.