MRCR and CryptoMix ransomware viruses are already decryptable

A ransomware attack is always a threatening and damaging experience, especially for those who do not back up their files regularly. In some cases, data decryption is impossible for several months or even years. Therefore, victims of ransomware sometimes take the risk of paying the ransom in the hope of getting their files back. Sadly, the risky deal doesn’t always end as well as victims expect. Cyber security specialists work hard to help victims restore their files safely and free of charge, and fortunately, once in a while they succeed. Today we have good news from Emsisoft and Avast. They have released two new tools that can decrypt files encrypted by the MRCR and CryptoMix ransomware viruses.

MRCR and CryptoMix ransomware viruses are decryptable

The developers of MRCR, or MerryChristmas ransomware, can be called Grinches. They ruined Christmas for many computer users who were tricked into opening a malicious email attachment. Unfortunately, some Christmas gifts cannot be returned. Malware researchers expected the virus to be active only during Christmas time; however, once in a while the virus still launches an attack. Just like any other file-encrypting virus, this one damages targeted data and might append one of these file extensions: .PEGS1, .RARE1, .MRCR1, .RMCM1 or .MERRY. Luckily, files with these extensions can be decrypted with Emsisoft Decrypter[1]. Therefore, paying the ransom should not be considered. After virus removal, victims can install the decryption tool from the official website and follow the simple instructions to recover their files.

In February 2017, security company Avast[2], in cooperation with CERT.PL, released a decryption tool for CryptoMix ransomware. First spotted in March 2016, the malware was renamed CryptoShield at the beginning of this year. For almost a year, the ransomware has been spreading mostly via malicious email attachments and has tricked many computer users into opening a safe-looking document. The malware encrypts files using a strong algorithm and usually appends one of these file extensions: .rmd, .lesli, .scl, .rscl, .rdmk, .code, or .CRYPTOSHIELD. However, security specialists found a way to help victims of the ransomware. They found out that after infiltration the ransomware connects to its Command and Control (C&C) server in order to get a unique encryption key. Sometimes, however, it faces connection problems and uses fixed offline encryption keys instead. CryptoMix Decryptor allows decrypting files that were encrypted with the “offline key.” If the victim’s files were encrypted using a key generated by the C&C server, though, this tool won’t help to decrypt them.
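The two extension lists above can be turned into a quick triage of an affected disk or backup. The following Python sketch is an added example, not code from Emsisoft, Avast or the article; it assumes the marker is the final extension of the file name, and the function names are hypothetical. It only reads file names, never file contents.

```python
import os
from collections import Counter

# Extensions as listed in the article, lower-cased for matching.
# A match is a hint, not proof: ".code", for example, can be a legitimate suffix.
FAMILIES = {
    "MRCR": {".pegs1", ".rare1", ".mrcr1", ".rmcm1", ".merry"},
    "CryptoMix": {".rmd", ".lesli", ".scl", ".rscl", ".rdmk", ".code",
                  ".cryptoshield"},
}
# Tool names as given in the article; the CryptoMix tool covers offline keys only.
DECRYPTOR = {
    "MRCR": "Emsisoft Decrypter",
    "CryptoMix": "CryptoMix Decryptor (offline-key cases only)",
}

def classify(filename):
    """Return the family whose extension ends the file name, else None."""
    ext = os.path.splitext(filename)[1].lower()
    for family, exts in FAMILIES.items():
        if ext in exts:
            return family
    return None

def triage(root):
    """Walk root and count matching files per family (names only)."""
    counts = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            family = classify(name)
            if family:
                counts[family] += 1
    return counts

def report(counts):
    """One summary line per family found, naming the tool to try."""
    return [f"{family}: {n} file(s), try {DECRYPTOR[family]}"
            for family, n in sorted(counts.items())]

if __name__ == "__main__":
    import sys
    for line in report(triage(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(line)
```

Run it against a copy or a mounted image of the affected data rather than the live system, so the evidence stays untouched while the matching decryption tool is tried.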

Ransomware attacks were one of the most popular cyber threats last year[3], and the number of attacks is expected to grow this year[4]. Hence, it’s important to pay attention to online security. Unfortunately, cracking ransomware codes and creating decryption software is not an easy task. It’s better to protect your data than to believe that you won’t become another victim of ransomware. We highly recommend making data backups and updating them regularly[5]. When your files are backed up, a ransomware attack won’t cause you damage.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for He graduated from the Washington and Jefferson College, Communication and Journalism studies.
