Mira Ransomware Decryptor

Noora Hyvärinen

01.04.19 1 min. read

We investigated a recent ransomware family called Mira (Trojan:W32/Ransomware.AN) to check whether it is feasible to decrypt the files it encrypts.

Decryption is often very challenging because the keys needed for it are missing. Mira ransomware, however, appends all the information required to decrypt a file to the encrypted file itself.

Encryption Process

The ransomware first initializes a new instance of the Rfc2898DeriveBytes class to generate a key. This class takes a password, salt, and iteration count.


The password is generated using the following information:

  • Machine name
  • OS Version
  • Number of processors


The salt, on the other hand, is generated by a Random Number Generator (RNG):


The ransomware then proceeds to use the Rijndael algorithm to encrypt files:


After encryption, it appends a ‘header’ structure to the end of the file.

This header conveniently contains the salt and the password hash. In addition, the iteration count is hard-coded into the sample; in this case, the value was 20.

By retrieving the password, salt, and the iteration count from the ransomware itself, we were able to obtain all the information needed to create a decryption tool for the encrypted files.
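
The key recovery described above, as an added Python sketch (not F-Secure's tool and not code from the sample). Rfc2898DeriveBytes computes PBKDF2, assumed here with its default HMAC-SHA1; the trailer layout (32-byte salt followed by a 32-byte password hash), the 256-bit key length, the use of the stored hash as the PBKDF2 password, and all sample bytes are assumptions, since the article does not give them.

```python
import hashlib

ITERATIONS = 20   # hard-coded iteration count reported in the article
SALT_LEN = 32     # assumption: the article does not give the trailer layout
HASH_LEN = 32     # assumption: length of the stored password hash
KEY_LEN = 32      # assumption: 256-bit Rijndael key


def split_trailer(blob: bytes):
    """Return (ciphertext, salt, password_hash) under the assumed layout."""
    trailer_len = SALT_LEN + HASH_LEN
    if len(blob) <= trailer_len:
        raise ValueError("file too short to carry a trailer")
    body, trailer = blob[:-trailer_len], blob[-trailer_len:]
    return body, trailer[:SALT_LEN], trailer[SALT_LEN:]


def derive_key(password: bytes, salt: bytes,
               iterations: int = ITERATIONS, length: int = KEY_LEN) -> bytes:
    """PBKDF2-HMAC-SHA1, the function Rfc2898DeriveBytes computes by default."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, length)


def recover_key(blob: bytes) -> bytes:
    """Re-derive the file key from nothing but the encrypted file."""
    _, salt, password_hash = split_trailer(blob)
    return derive_key(password_hash, salt)


# Constructed sample: what an encryptor following the description would emit.
SAMPLE_PASSWORD = hashlib.sha256(b"HOST-01|6.1.7601|4").digest()  # constructed
SAMPLE_SALT = bytes(range(SALT_LEN))                               # constructed
SAMPLE_KEY = derive_key(SAMPLE_PASSWORD, SAMPLE_SALT)
SAMPLE_FILE = b"<ciphertext bytes>" + SAMPLE_SALT + SAMPLE_PASSWORD

if __name__ == "__main__":
    # True: every PBKDF2 input travels with the file, so the key is recoverable.
    print(recover_key(SAMPLE_FILE) == SAMPLE_KEY)
```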

Decryption tool

You can download our decryption tool from here.

Here’s a video of how you can use our tool:

