The current MauriGo ransomware, which started spreading rapidly in April 2018, is a new, improved version of the initial Mauri870 virus released in 2017. The newest iteration of the MauriGo crypto-infection appends the .encrypted extension to the affected personal files and then leaves a ransom note, READ_TO_DECRYPT.txt, which gives further instructions on how to decrypt your files.
How does MauriGo ransomware operate?
Even though this virus has been roaming the cyber world for about a year, there is still no information about the crooks behind it, nor about the way it is being distributed. Most likely, MauriGo malware tries to infiltrate the computer with the help of malicious spam emails with attachments; once the targeted victim opens the attachment, it silently starts running background processes and scans the operating system looking for files to encrypt. There is also a high possibility that this crypto-malware invades machines together with malicious software installers from shady websites, exploits, fake updates, web injections and through insecure remote desktop connections. Once the MauriGo file is opened by the user, it launches and modifies the registry so that the virus starts up every time the system is rebooted.
MauriGo ransomware, just like the majority of other crypto-malware, uses AES-256 encryption to lock personal user files such as pictures, documents, videos, music, etc., and requests a certain fee in order to decrypt them. Ransomware targets such files for a reason: a victim will be more willing to pay larger amounts of money to get back the files they need most. For one computer the MauriGo virus asks for 0.7 BTC = US $6444, for half of the machines on a network (chosen randomly) 2.6 BTC = almost US $24k, and for all machines of the infected network 5 BTC = US $46k. Unfortunately, with cyber criminals you can never be sure that you will actually get your files back after the payment. What is more, it is believed that if the MauriGo infection is not removed early, it can install a cryptocurrency miner.
The ransom note states:
The important files on your computer have been encrypted with military grade AES-256 bit encryption.
Your documents, videos, images and other forms of data are now inaccessible, and cannot be unlocked without the decryption key.
This key is currently being stored on a remote server.
To acquire this key, please follow the instructions below before the time runs out. ([RANDOM DATE] – you have 7 days)
Prices to recover your files from :
1 machine on your network: 0.7 BTC
Half machines on your network (randomly chosen): 2.6 BTC
All machines on your network: 5 BTC
The BTC must be sent to this address: 19CMTC6U9KMHAn34iKXvofkA2ulNMcd823
Your hostname : [YOUR DEVICE NAME]
Your identification number (it is the same for all PC encrypted on your network): ***
After you’ve sent payment to our address, please go to our website (via normal browser):
xxxx://ldqu4hxg2gx6af7j.onion[.]plus/id/***
xxxx://ldqu4hxg2gx6af7j.onion[.]link/id/***
xxxx://ldqu4hxg2gx6af7j.tor2web[.]ch/id/***
If it doesn’t work please download Tor Browser on their official page and use this link instead: xxxx://ldqu4hxg2gx6af7j[.]onion/id/***
Once on the website, leave a simple comment to warn us. After that, we will reply with your decryption key(s) as soon as possible.
To demonstrate our sincerity, you can upload 2 encrypted files on the website and we will decrypt it.
Also please understand that we don’t want to taint the reliability of your business. Make a reasonable choice.
Note that if you fail to take action within this time window (7 days), the decryption key will be destroyed and access to your files will be permanently lost.
Where to buy bitcoins (BTC)?
Bitcoin is a popular crypto-currency. We advise you to buy coins on https://localbitcoins.com/ because of its speed and anonymity.
You will pay with Western Union. Wire Transfer…
Of course, there are many other ways to get bitcoins (ex: Coinbase), simply type on google “how to buy bitcoins”.
What to do if your files get .encrypted?
While malware specialists are still working on a decryptor for the MauriGo ransomware, it is important for an infected user to take action as soon as possible to prevent further infections and the spreading of the virus. It is not uncommon to have more than one malicious program running on your system, so a thorough computer cleaning should be done to avoid other security problems.
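As an added example (not from this write-up or from any vendor tool), a short Python triage script that inventories the artifacts the write-up names on a suspect volume: READ_TO_DECRYPT.txt notes carrying the quoted opening line, and files with the .encrypted extension, with a byte-entropy check to separate genuinely encrypted files from ones that were merely renamed. The sample tree it builds is constructed, and the 7.0 bits/byte threshold is an assumption.

```python
import math
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".encrypted"            # extension MauriGo appends (from the write-up)
NOTE_NAME = "READ_TO_DECRYPT.txt"       # ransom note file name (from the write-up)
NOTE_MARKER = "military grade AES-256"  # phrase from the note text quoted on this page


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES output sits near 8.0, plain text typically around 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root` and list ransom notes, .encrypted files, the directories they sit in,
    and .encrypted files whose content is low-entropy (renamed, not actually encrypted)."""
    report = {"notes": [], "encrypted": [], "low_entropy_suspects": [], "dirs": set()}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == NOTE_NAME:
                if NOTE_MARKER in p.read_text(errors="ignore"):
                    report["notes"].append(str(p))
            elif name.endswith(ENCRYPTED_EXT):
                report["encrypted"].append(str(p))
                report["dirs"].add(dirpath)
                if shannon_entropy(p.read_bytes()[:sample_bytes]) < 7.0:  # assumed threshold
                    report["low_entropy_suspects"].append(str(p))
    report["dirs"] = sorted(report["dirs"])
    return report


def build_sample_tree() -> str:
    """Constructed sample tree (not real MauriGo output) so triage() can be run offline."""
    root = tempfile.mkdtemp(prefix="maurigo_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "report.docx.encrypted").write_bytes(os.urandom(4096))  # stands in for AES output
    (docs / "notes.txt.encrypted").write_text("just a renamed plain text file\n" * 40)
    (docs / NOTE_NAME).write_text("The important files on your computer have been "
                                  "encrypted with military grade AES-256 bit encryption.\n")
    (Path(root) / "untouched.txt").write_text("still fine\n")
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(f"notes: {len(r['notes'])}, .encrypted: {len(r['encrypted'])}, "
          f"low-entropy suspects: {len(r['low_entropy_suspects'])}, dirs: {r['dirs']}")
```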
For the manual removal you can follow these steps:
- Reboot your computer in Safe Mode (enable Safe Mode with Command Prompt).
- Once Command Prompt launches, type cd restore and press Enter.
- Enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select one of the Restore Points dated before MauriGo ransomware infected your device.
- Click “Yes” to start the system restore.
You can read a more detailed guide on how to restore your system here.
It is important not to let stress push you into paying the hackers the requested money. There is no proof that you will get a decryption key, and you can easily get scammed and robbed. If you follow all the suggested steps correctly to remove the MauriGo virus and restore your system to a point prior to the infection, you should be able to get all your files back at no cost. As long as you have made backups, of course.