M@r1a is a cryptovirus, released this early November 2018. This threat is a new creation of a ransomware family that has been active earlier this year, releasing all of the previous variants, such as SF ransomware, Spartacus, BlackRouter, Satyr, BlackHeart in April 2018. Although there has been a 6-month gap between the initial versions and M@r1a virus, it doesn’t seem like hackers improved much apart from the basic exterior like the ransom note, extension, contact information and demanded payment amount.
Mr1a Ransomware quicklinks
- How does M@r1a ransomware work
- How does M@r1a virus disseminate
- How to delete M@r1a virus and recover locked files
- Automatic Malware removal tools
- How to eliminate M@r1a ransomware yourself
- How to recover M@r1a ransomware encrypted files and remove the virus
- Step 1. Restore system into last known good state using system restore
- 1. Reboot your computer to Safe Mode with Command Prompt:
- 2.Restore System files and settings.
- Step 4. Use Data Recovery programs to recover M@r1a ransomware encrypted files
(Win)
Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,
(Mac)
Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,
Ransomware – the dying kind of malware, that’s rapidly being replaced by the crypto miners, is still not completely gone and users keep facing issues from these notorious viruses, like M@r1a, which locks personal files and asks for a payment in exchange for the decryption key. Despite the demanded ransom being fairly small, in this case, 50$ or 0.002 BTC, we still do not recommend paying the crooks. If you’d like to learn why and what to do instead to possibly get back your inaccessible .mariacbc marked files, then continue on reading this article.
How does M@r1a ransomware work
On November 3rd, 2018 @malwrhunterteam reported about a newly discovered SF cryptovirus variant called M@r1a ransomware. This malware seems to be working the same old way it’s previous predecessors did, meaning that it uses AES and RSA algorithms to encrypt files and asks for a ransom in Bitcoins in exchange for the decrypting key. The only separating features are the GUI format ransom note ‘M@r1a’ and appended ‘.mariacbc’ extension to all compromised files. It seems a lot, but it only takes seconds for this crypto demanding virus to fully execute its evil tasks.
Once M@r1a cryptovirus gets inside the computer it runs tons of different processes at the same time. Most of them are designed to make it persistent and undiscoverable by AV and some to encrypt all the data that is not a System file. This is done so that the victim would have the ability to connect to the internet and send the demanded ransom, moreover understand what happened to the PC. Also pictures, videos and etc. are way more precious than some system data, so targeted users are more likely to pay for their encrypted memories. (More technical information on VirusTotal.com)
‘.mariacbc’ marked files are all encrypted with a double cipher. First with https://thebestvpn.com/advanced-encryption-standard-aes/ (ECB mode), which generates the key and then with RSA-2048, that encrypts the latter. It is much harder to decrypt this combination, rather than just one of them, so crooks have more chances to get the payment. This is what the displayed ransom note says.
M@r1a GUI ransom note:
Personal Key
[unique string of letters]Warning: Please Don’t Restart or Shutdown Your PC ,
If do it Your Pesonal Files Permanently Crypted.For Decrypt Your Personal Just Pay 50$ or 0.002 BTC . After Pay You Can send personal key to
Telegram: @MAF420 or Email: [email protected]BTC Transfer Address: 1EME4Y8zHLGQbzjs9YZ5fnbaSLt4ggkRso
Compared to the Demanded ransom average, M@r1a does really ask for a low price for your data, but it is important not to engage with hackers because they might simply take the money and never return the decryptor. Continue below for our suggested solution options and take a look at the Ultimate security guide against ransomware for the future.
How does M@r1a virus disseminate
M@r1a ransomware has the ability to spread via Socially engineered emails, which contain an infected file that compromises victims’ computers after it gets opened. The secret that allows crooks to basically make recipients initiate the infection is not just very well written and targeted messages urging the victim to click on the attachment, but also MS Macros, which is currently is the Most popular vector of distributing ransomware.
Hacker made emails can be of any topic, depending on your location, workplace and etc. M@r1a virus supposedly targets only personal computer users and not companies, therefore the received message can look something that is either very common in your routine, like a bill for some services, a letter from your bank or healthcare facility, maybe an employer or an offer for a job, as well as an immediate attention requiring emails, e.g. bogus data breach report asking to open the file and check your information if it is correct, a complaint, won prize and etc.
While many infections can be avoided with a sophisticated antivirus program, M@r1a ransomware is extremely dangerous, because its invasion depends on how well the user can recognize the Malspam. Once the victim opens the attached .docx file and enables Macros, the malicious processes start running and silently M@r1a virus locks all the precious data.
How to delete M@r1a virus and recover locked files
Recovering your Windows from M@r1a ransomware requires two steps. You cannot mix them and must follow the sequence as instructed or else your files will get locked twice and never be possible to restore. Firstly, you should remove the virus from your system completely by using any reputable malware removal tool, for example SpyHunter Just get the security software, run a full system scan and wait for it to hunt and delete M@r1a crypto infection. There is no difference which anti-spyware program you use, as long as the virus gets fully eliminated. Also be aware of rogue antivirus software.
Only after the completion of the first move, you can look into possible ways how to restore your files from M@r1a ransomware damage. At the moment of writing, there is no special decryptor for the M@r1a cryptovirus, yet you should keep an eye on NoMoreRansom.org project that is constantly renewed and has probably the largest database of decryption tools. Unfortunately, this crypto demanding threat deletes Shadow Copies by executing the command ‘cmd.exe /C vssadmin.exe delete shadows /all /Quietcmd.exe’, therefore the only other way to recover your lost data is to use special file recovery programs (mentioned below in the instructions) or keep .mariacbc encrypted info and wait for the decryptor.
Automatic Malware removal tools
(Win)
Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,
(Mac)
Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,
How to eliminate M@r1a ransomware yourself
Users, who were responsibly making Backups themselves or had an automatic tool making restore points, have a more promising solution from the M@r1a ransomware infection. All you will need to do is to recover your computer from the point back in time, right before M@r1a virus invasion. This will bring back your files as well as eliminate the virus all at once. Below we have full step-by-step instructions on how to do it. However, if you don’t have backups, this will not be useful at all. If you do want to just get rid of the virus and losing files does not bother you, then simply go with the full System Restore.
How to recover M@r1a ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2.Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before M@r1a ransomware has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of M@r1a ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to M@r1a ransomware. You can check other tools here.Step 3. Restore M@r1a ransomware affected files using Shadow Volume Copies
If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually M@r1a ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover M@r1a ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:- We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
- Download a data recovery program.
- Install and scan for recently deleted files.