Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Jun 2020

How to remove Mapo ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Jake Doevan · Computer technology expert

Mapo ransomware is a file locking virus which stems from Outsider malware family

Mapo ransomware

Mapo ransomware is a type of malware that focuses money extortion by blackmailing users to pay a ransom after locking all personal files on the infected machine. Just as many other malicious programs of such type, it enters host machines by using various deceptive methods and then encrypts all data by using a sophisticated encryption algorithm (RSA),[1] preventing victims from accessing their pictures, documents, videos, etc. Each of the files modified in such a way is marked by .mapo extension, for example, a picture.jpg is turned into a picture.jpg.mapo.

Additionally, Mapo virus also inserts a MAPO-Readme.txt file into most folders on the machine – it serves as a message from ransomware developers. Hackers claim that victims need to write an email to support.mbox@pm.me or support-mapo@pm.me with the attached ransom note to negotiate the ransom, which is paid in Bitcoin.

Mapo ransomware is a variant of Outsider, which itself stems from GarrantyDecrypt ransomware. This malware strain often targets businesses and organizations, so it encrypts all the files on the connected networks and drives as well. At the time of the writing, there is no Mapo decryptor available, and, while some victims managed to get their data back by paying criminals, some victims never got the decryption software even after paying.

Name Mapo
Type Ransomware, cryptovirus
Malware family  Mapo belongs to malware strain known as GarrantyDecrypt-Outsider ransomware
Encryption method  The virus uses RSA encryption algorithm to lock all personal data located on the HDD and the connected networks/drives
File marker  Pictures, documents, databases, videos, music, and other data is appended with .mapo extension
Ransom note  MAPO-Readme.txt is placed into most folders on the system 
Contact email  support.mbox@pm.me or support-mapo@pm.me 
Ransom size The ransom amount highly varies from victim to victims, but there are few known cases when the attackers asked for $2,000 – $4,000 in Bitcoin
Termination Perform a full system scan in Safe Mode with reputable anti-malware software 
File  decryption Only possible via backups or third-party recovery software
Recovery To restore tour Windows system to pre-infection condition, use repair software FortectIntego

Because Mapo ransomware aims to infect organisations mostly, it is highly likely that is uses one of the following popular malware delivery methods:

  • Weak Remote desktop connections[2]
  • Targeted malicious emails
  • Software vulnerabilities[3]

Nevertheless, malware authors can also use such methods as spam emails, software cracks, fake updates, web infects, and similar methods for Mapo virus propagation when it comes to regular users. Therefore, it is always important to install comprehensive security software that would prevent ransomware intrusions. Keep in mind that Mapo ransomware removal can also only be performed with anti-malware software. To recover from virus damage, we recommend using a PC repair tool FortectIntego.

Once the malicious executable is launched from the Desktop, Mapo ransomware performs a variety of changes to the system, including modification of Windows registry and Master Boot Record, Shadow Volume Copy deletion, etc. Once the system preparations are complete, the virus encrypts all the data on the host machine as well as all the connected networks and contacts a remote server, which allows the communication.

Mapo ransomware virus

After that, users are presented with the MAPO-Readme.txt ransom note which states the following:

——————————————————————————————–

! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES – DATA WILL BE LOST !

——————————————————————————————–
Due vulnerability in local system all of the files has been protected with MAPO RSA.Private.Key to safe them from unathorized 3rd party access.

To RESTORE all of your files, please follow this simple steps:

1. MAPO service charges a payment for file decryption;
2. Contact us with attached (MAPO-Readme.txt) file to the message;
3. Receive your unique decryption tool;
4. Run the decryption tool and successfully restore all files.

We guarantee:

100% Successful restoring of all files
100% Satisfaction guarantee
100% Fast and secure service

As a proof of our trusted decryption service, you can send us 1 file and get it decrypted for free.

——————————————————————————————–
! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES – DATA WILL BE LOST !
! DO NOT DELETE THIS FILE !
! DO NOT MODIFY, FILE CONTAINS SENSITIVE DATA !
——————————————————————————————–

E-mail: support.mbox@pm.me

Payments accepted: Bitcoin (BTC)

ID-KEY:

——————————————————————————————–

support.mbox@pm.me / MAPO © 2019

=== Key verify ===

While it is true that the key required to unlock all files is only accessible to the attackers and that the data might get corrupted after users remove Mapo ransomware, it does not mean that you should oblige to the demands. First of all, it is advisable to make a backup of the encrypted data and then get rid of the virus with anti-malware software.

As for .mapo file recovery, you can try using third-party recovery software if no backups are available to you, or if the malware encrypted backups as well. By all means, there is still an option of paying the ransom for the decryptor, but keep in mind that some users did not receive the tool even after paying a ransom of $2,000 – $4,000.

Protect your machine and all the connected networks from ransomware 

Ransomware developers often operate large campaigns and release new versions of malware to obtain maximum profits from the illegal business. That being said, most hackers are sophisticated individuals who chose the wrong path for using their intelligence, as they are stealing money from innocent people. They also often openly laugh about users not being careful, or even indicate security flaws in the ransom note itself.

Regardless of how gruesome the ransomware business is, getting infected with the malware is something that can be avoided, along with as adequate security measures are practiced. The fundamental rule when it comes to cybersecurity is good online practices that are combined with adequate security tools that reinforce the protection even more. Here are some tips from industry experts[4] that will help you avoid most of malware in the future:

  • Install reputable anti-malware software and keep it updated;
  • Patch Windows along with all the installed applications with the latest security updates;
  • Disable RDP when not used;
  • Use adequate passwords and avoid default TCP port when using RDP;
  • Never allow MS Office documents attached to emails to run macro commands by pressing “Enable Content”;
  • Use strong passwords for everything and never reuse them;
  • Use two-factor authentication where possible;
  • Install ad-block to prevent malicious ads from executing the background scripts;
  • Uninstall Flash Player and Java;
  • Backup all your important files and keep them on a remote server or external device.

Mapo ransomware locked files

Mapo ransomware removal steps 

While it is possible to remove Mapo ransomware manually, the process would require advanced computer and malware operation knowledge. Therefore, it is best to use reputable anti-malware software like SpyHunterCombo Cleaner or MalwarebytesMalwarebytes to do the job. Be aware that malware is constantly evolving, so not all AV engines can recognize new variants straight away – in some cases, you might have to use several anti-malware tools until the malicious payload is terminated.

It is also worth noting that some Mapo ransomware removal might be prevented due to self-protection mechanisms, or the virus might disable anti-malware software altogether. To prevent that from happening, you should access Safe Mode with Networking and perform a full system scan from there.

When it comes to file recovery, it might be possible to recover at least some portion of .mapo encrypted files with the help of third-party recovery tools. The success rate of it declines the more infected machine gets used, and recovery software might not work at all. As previously mentioned, make sure you make a copy of all the encrypted files before you do anything. If the decryption with recovery software is unsuccessful, you should wait till security experts find a bug in the malware code or till law enforcement catches criminals, consequently making them release all the keys.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.