Major ransomware is malware string that is distributed from Poland via spam email attachments

Major ransomware (alternatively known as Bmps ransomware) is file locking malware that was first spotted in early April 2019[1] and did not have any connections to other malware. Researchers tracked Major ransomware being delivered via spam email attachments coming from Poland, although other distribution methods are not excluded.
As soon as Major virus detects files with predetermined file extensions, it employs a combination of AES and RSA[2] encryption algorithm to lock them. Victims can then see modified versions of files, which are changed as follows: [original file name].[random number].bmps@tutanota.com.major. In other cases, the appendix varies and includes .core, .mars or .cube.
Shortly after the encryption, Major ransomware drops one of the following ransom notes:
- EAD_ME.txt, READ_ME.major;
- READ_ME.core;
- READ_ME.mars.
Inside these files, users can find a message from the author(s), which claims that the only way to restore data is by emailing them via bmps@tutanota.com, bmps@protonmail.com or xlsx@tutanota.com emails and paying a ransom in Bitcoin. Additionally, .major file virus also swaps the wallpaper that includes a brief message including hacker contact addresses.
As usual, experts urge users not to contact cybercriminals and rather focus on Major ransomware removal, after which alternative recovery methods can be tried. Threat actors seem to be using the text body borrowed from Xorist–TaRoNiS ransom note – it raises questions whether or not the developers are related in some ways.
| Name | Major |
| Type | Ransomware |
| Also known as | Bmps ransomware |
| Distribution | Malicious spam email attachments from Polish email address avuqywyhydoz1989@o2.pl; can also be deployed with the help of exploits, malicious executables, fake updates, hacked websites, etc. |
| Cipher | AES + RSA |
| File extension | .major, .core, .mars, .cube |
| Ransom note | READ_ME.txt, READ_ME.major, READ_ME.core, READ_ME.mars |
| Contact | bmps@tutanota.com, bmps@protonmail.com, xlsx@tutanota.com |
| Termination | Use anti-malware software to scan your computer |
| Recovery | To recover from ransomware infection, make use of FortectIntego |
While Major ransomware was recently spotted being distributed via malicious spam email attachments from Poland, other distribution methods are most likely used by cybercriminals. This way, bad actors can ensure the highest volume of attacks, which consequently can provide more victims willing to pay the demanded ransom. Ransomware propagation techniques include:
- Brute force attacks;
- Exploits;
- Fake or hacked installers;
- Cracks/keygens;
- Fake updates;
- Unprotected RDP, etc.
Therefore, users should be extremely careful when browsing the internet, as casual clicking on links or downloading unsafe files might lead to Major ransomware infection.
Before proceeding with the encryption, Major ransomware heavily modifies Windows OS. For example, it alters registry to retain persistence, disables recovery and repair functions, and also deletes Shadow Volume Copies to complicate the file retrieval for the victims.
As soon as Major ransomware completes system modifications, it drops a ransom note which reads the following:
ATENTION!!!
I am truly sorry to inform you that all your important files are crypted.
If you want to recover your encrypted files you need to follow a few steps.
You need to buy bitcoins and send them to the address you receive by mail.
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site.You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
write to Google how to buy Bitcoin in your country?
in order to guarantee the availability of our key
we can decrypt one file for free
the size of the files <1 mb, doc.docx.xls.xlsx.pdf.jpg.bmp.txt file format
other formats will not be free decryption
after payment we will send a decryption program
Do not try to decrypt your files with programs by the decoder,
you will only damage your data and lose them forever.
Only we can decrypt your data, write to the original mails specified in this file,
otherwise you will become a victim of scammers.Contact email address xlsx@tutanota.com or xlsx@protonmail.com
As you can see, hackers even offer a test decryption service, that would allow deciphering one file. This feature has been practiced by malware authors for a while now, as it implies that you can trust them. Nevertheless, remember that these people are causing harm to your computer purposely in order to retrieve money from you. Do not trust them and rather remove Major ransomware with the help of reputable security application.

In some cases, you might have to enter Safe Mode as Major ransomware might be tampering with the anti-malware tool. Only after that, you can attempt to recover your files using alternative methods or wait till the decryptor is released by security experts. After that, we suggest you scan your device with FortectIntego to restore the system to its original state.
New Major ransomware variants and distribution tactics
Major ransomware has been spotted being delivered via avuqywyhydoz1989@o2.pl email address. The email includes a malicious attachment Faktura_8800.tar which, when executed, populates the computer with the malicious malware's payload. It is yet unknown whether the authors of the virus are actually from Poland, however.
With this new distribution tactic, crooks also employed new file extensions, as well as contact emails. Once of such variants appends .cube file extension and uses mikrotik@tutamail.com, paydear@aol.com contact emails.
While later Major ransomware variants used previously known file extensions, the contact addresses were changed once more to rootcopper@aol.com, rootcopper@tutanota.com or rootcopper@protonmail.com. The ransom note, under the name of READ_ME.mars, was also changed from the original, stating:
All your important files are encrypted.
To recover encrypted files, you need:
1. Buy bitcoins. The easiest way to buy bitcoins is the LocalBitcoins site. You must register, click “Buy Bitcoins” and select a seller by payment method and price. https://localbitcoins.com/buy_bitcoins
You can also find other places to buy bitcoins and a beginner's guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
write to google how to buy bitcoin in your country?
to guarantee the availability of our key
we can decrypt three files for free.
2. Send bitcoins to the address you receive in the mail. After payment, we will send a decryption program
Do not try to decrypt your files using third-party programs, decoders. You only damage your data and lose them forever.
Only we can decrypt your data!
Contact email address rootcopper@aol.com or rootcopper@tutanota.com or rootcopper@protonmail.com
While none of Major ransomware variants are decryptable, it is not recommended paying hackers and instead focus on its termination and alternative data recovery methods.

Hackers are actively trying to infect as many users as possible: here's how to protect yourself
It is true that ransomware does not infect half of the internet users. However, those who neglect adequate protection measures are most likely to get infected. Therefore, experts[3] provide several tips on how to avoid ransomware infections in the first place:
- Beware of spam emails – included attachments might use a macro function to execute the malicious payload, while hyperlinks might be disguised and lead to the infected domain;
- Employ reputable security software with real-time scanning feature;
- Use a Firewall;
- Update your system, along with all the installed programs, as soon as security patches are released (do not postpone the installation);
- Adequately protect all your accounts – use a password manager and two-factor authentication;
- Do not run cracks or keygens – these tools can be infected with malware;
- Scan every executable you download from the third-party site with tools like Virus Total.
Additionally, having backups ready will save you from all the trouble, and you will not have to contemplate whether or not to pay the ransom, which might then result in money loss, along with personal file loss.
Terminate Major ransomware from your device
Ransomware is one of the most devastating computer infections, and it affects not only home users but also high-profile organizations, resulting in millions of dollars in damages. The problem is that even after you remove Major ransomware, the files will remain encrypted. And while many ransomware viruses are now decryptable thanks to the efforts of security researchers, there are still hundreds of infections that will result in permanent data loss.
Nevertheless, after you complete Major ransomware removal (for that, enter Safe Mode and scan your PC with anti-malware software), you can try using alternative solutions that might help you recover files marked with .core, .mars or .bmps file extension. Please follow the guide below.
Was this guide helpful?
Be the first to comment