Severity scale:  
  (92/100)

Major ransomware. How to remove? (Uninstall guide)

removal by Julie Splinters - - | Type: Ransomware

Major ransomware is malware string that is distributed from Poland via spam email attachments

Major ransomware
Major ransomware, which is also known as Bmps ransomware, is a new family of crypto-locking malware that demands ransom for the locked files

Major ransomware (alternatively known as Bmps ransomware) is file locking malware that was first spotted in early April 2019[1] and did not have any connections to other malware. Researchers tracked Major ransomware being delivered via spam email attachments coming from Poland, although other distribution methods are not excluded.

As soon as Major virus detects files with predetermined file extensions, it employs a combination of AES and RSA[2] encryption algorithm to lock them. Victims can then see modified versions of files, which are changed as follows: [original file name].[random number].bmps@tutanota.com.major. In other cases, the appendix varies and includes .core, .mars or .cube.

Shortly after the encryption, Major ransomware drops one of the following ransom notes:

  • EAD_ME.txt, READ_ME.major;
  • READ_ME.core;
  • READ_ME.mars.

Inside these files, users can find a message from the author(s), which claims that the only way to restore data is by emailing them via bmps@tutanota.com, bmps@protonmail.com or xlsx@tutanota.com emails and paying a ransom in Bitcoin. Additionally, .major file virus also swaps the wallpaper that includes a brief message including hacker contact addresses.

As usual, experts urge users not to contact cybercriminals and rather focus on Major ransomware removal, after which alternative recovery methods can be tried. Threat actors seem to be using the text body borrowed from XoristTaRoNiS ransom note – it raises questions whether or not the developers are related in some ways.

Name Major
Type Ransomware
Also known as Bmps ransomware
Distribution Malicious spam email attachments from Polish email address avuqywyhydoz1989@o2.pl; can also be deployed with the help of exploits, malicious executables, fake updates, hacked websites, etc.
Cipher AES + RSA
File extension .major, .core, .mars, .cube
Ransom note READ_ME.txt, READ_ME.major, READ_ME.core, READ_ME.mars
Contact bmps@tutanota.com, bmps@protonmail.com, xlsx@tutanota.com
Termination Use anti-malware software to scan your computer
Recovery To recover from ransomware infection, make use of Reimage

While Major ransomware was recently spotted being distributed via malicious spam email attachments from Poland, other distribution methods are most likely used by cybercriminals. This way, bad actors can ensure the highest volume of attacks, which consequently can provide more victims willing to pay the demanded ransom. Ransomware propagation techniques include:

  • Brute force attacks;
  • Exploits;
  • Fake  or hacked installers;
  • Cracks/keygens;
  • Fake updates;
  • Unprotected RDP, etc.

Therefore, users should be extremely careful when browsing the internet, as casual clicking on links or downloading unsafe files might lead to Major ransomware infection.

Before proceeding with the encryption, Major ransomware heavily modifies Windows OS. For example, it alters registry to retain persistence, disables recovery and repair functions, and also deletes Shadow Volume Copies to complicate the file retrieval for the victims.

As soon as Major ransomware completes system modifications, it drops a ransom note which reads the following:

ATENTION!!!

I am truly sorry to inform you that all your important files are crypted.
If you want to recover your encrypted files you need to follow a few steps.
You need to buy bitcoins and send them to the address you receive by mail.
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site.You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
write to Google how to buy Bitcoin in your country?
in order to guarantee the availability of our key
we can decrypt one file for free
the size of the files <1 mb, doc.docx.xls.xlsx.pdf.jpg.bmp.txt file format
other formats will not be free decryption
after payment we will send a decryption program
Do not try to decrypt your files with programs by the decoder,
you will only damage your data and lose them forever.
Only we can decrypt your data, write to the original mails specified in this file,
otherwise you will become a victim of scammers.

Contact email address xlsx@tutanota.com or xlsx@protonmail.com

As you can see, hackers even offer a test decryption service, that would allow deciphering one file. This feature has been practiced by malware authors for a while now, as it implies that you can trust them. Nevertheless, remember that these people are causing harm to your computer purposely in order to retrieve money from you. Do not trust them and rather remove Major ransomware with the help of reputable security application.

In some cases, you might have to enter Safe Mode as Major ransomware might be tampering with the anti-malware tool. Only after that, you can attempt to recover your files using alternative methods or wait till the decryptor is released by security experts. After that, we suggest you scan your device with Reimage to restore the system to its original state.

New Major ransomware variants and distribution tactics

Major ransomware has been spotted being delivered via avuqywyhydoz1989@o2.pl email address. The email includes a malicious attachment  Faktura_8800.tar which, when executed, populates the computer with the malicious malware's payload. It is yet unknown whether the authors of the virus are actually from Poland, however.

With this new distribution tactic, crooks also employed new file extensions, as well as contact emails. Once of such variants appends .cube file extension and uses mikrotik@tutamail.com, paydear@aol.com contact emails. 

While later Major ransomware variants used previously known file extensions, the contact addresses were changed once more to rootcopper@aol.com, rootcopper@tutanota.com or rootcopper@protonmail.com. The ransom note, under the name of READ_ME.mars, was also changed from the original, stating:

All your important files are encrypted.
To recover encrypted files, you need:
1. Buy bitcoins. The easiest way to buy bitcoins is the LocalBitcoins site. You must register, click “Buy Bitcoins” and select a seller by payment method and price. https://localbitcoins.com/buy_bitcoins
You can also find other places to buy bitcoins and a beginner's guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
write to google how to buy bitcoin in your country?
to guarantee the availability of our key
we can decrypt three files for free. 
2. Send bitcoins to the address you receive in the mail. After payment, we will send a decryption program
Do not try to decrypt your files using third-party programs, decoders. You only damage your data and lose them forever.
Only we can decrypt your data!
Contact email address rootcopper@aol.com or rootcopper@tutanota.com or rootcopper@protonmail.com

While none of Major ransomware variants are decryptable, it is not recommended paying hackers and instead focus on its termination and alternative data recovery methods.

Major ransomware variants
Major ransomware has been found spreading via spam email attachments from Polish email address, appending .mars, core, and cube file extensions

Hackers are actively trying to infect as many users as possible: here's how to protect yourself

It is true that ransomware does not infect half of the internet users. However, those who neglect adequate protection measures are most likely to get infected. Therefore, experts[3] provide several tips on how to avoid ransomware infections in the first place:

  • Beware of spam emails – included attachments might use a macro function to execute the malicious payload, while hyperlinks might be disguised and lead to the infected domain;
  • Employ reputable security software with real-time scanning feature;
  • Use a Firewall;
  • Update your system, along with all the installed programs, as soon as security patches are released (do not postpone the installation);
  • Adequately protect all your accounts – use a password manager and two-factor authentication;
  • Do not run cracks or keygens – these tools can be infected with malware;
  • Scan every executable you download from the third-party site with tools like Virus Total.

Additionally, having backups ready will save you from all the trouble, and you will not have to contemplate whether or not to pay the ransom, which might then result in money loss, along with personal file loss.

Terminate Major ransomware from your device

Ransomware is one of the most devastating computer infections, and it affects not only home users but also high-profile organizations, resulting in millions of dollars in damages. The problem is that even after you remove Major ransomware, the files will remain encrypted. And while many ransomware viruses are now decryptable thanks to the efforts of security researchers, there are still hundreds of infections that will result in permanent data loss.

Nevertheless, after you complete Major ransomware removal (for that, enter Safe Mode and scan your PC with anti-malware software), you can try using alternative solutions that might help you recover files marked with .core, .mars or .bmps file extension. Please follow the guide below.

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with SpyHunter.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove Major virus, follow these steps:

Remove Major using Safe Mode with Networking

To remove Bmps ransomware safely, access Safe Mode with Networking as explained below:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Major

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Major removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Major using System Restore

You can use System Restore to stop malware's activities:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Major. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Major removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Major from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Major, you can use several methods to restore them:

Data Recovery Pro might be used when trying to recover files locked by .core or .bmps

This software is a professional tool that might be helpful when trying to decipher files affected by ransomware.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Major ransomware;
  • Restore them.

Try Windows Previous Versions Feature to restore your files

This method might be able to help you recover at least some files (note that it only works if System Restore feature was enabled prior to the attack).

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is a data recovery tool that might help you

In case the virus fails to eliminate Shadow Volume Copies, ShadowExplorer is the program to use.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Major and other ransomwares, use a reputable anti-spyware, such as Reimage, SpyHunterCombo Cleaner or Malwarebytes Malwarebytes

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

References


Your opinion regarding Major ransomware