Major ransomware (Virus Removal Instructions) - updated May 2019

Major virus Removal Guide

What is Major ransomware?

Major ransomware is malware string that is distributed from Poland via spam email attachments

Major ransomwareMajor ransomware, which is also known as Bmps ransomware, is a new family of crypto-locking malware that demands ransom for the locked files

Major ransomware (alternatively known as Bmps ransomware) is file locking malware that was first spotted in early April 2019[1] and did not have any connections to other malware. Researchers tracked Major ransomware being delivered via spam email attachments coming from Poland, although other distribution methods are not excluded.

As soon as Major virus detects files with predetermined file extensions, it employs a combination of AES and RSA[2] encryption algorithm to lock them. Victims can then see modified versions of files, which are changed as follows: [original file name].[random number].bmps@tutanota.com.major. In other cases, the appendix varies and includes .core, .mars or .cube.

Shortly after the encryption, Major ransomware drops one of the following ransom notes:

  • EAD_ME.txt, READ_ME.major;
  • READ_ME.core;
  • READ_ME.mars.

Inside these files, users can find a message from the author(s), which claims that the only way to restore data is by emailing them via bmps@tutanota.com, bmps@protonmail.com or xlsx@tutanota.com emails and paying a ransom in Bitcoin. Additionally, .major file virus also swaps the wallpaper that includes a brief message including hacker contact addresses.

As usual, experts urge users not to contact cybercriminals and rather focus on Major ransomware removal, after which alternative recovery methods can be tried. Threat actors seem to be using the text body borrowed from XoristTaRoNiS ransom note – it raises questions whether or not the developers are related in some ways.

Name Major
Type Ransomware
Also known as Bmps ransomware
Distribution Malicious spam email attachments from Polish email address avuqywyhydoz1989@o2.pl; can also be deployed with the help of exploits, malicious executables, fake updates, hacked websites, etc.
Cipher AES + RSA
File extension .major, .core, .mars, .cube
Ransom note READ_ME.txt, READ_ME.major, READ_ME.core, READ_ME.mars
Contact bmps@tutanota.com, bmps@protonmail.com, xlsx@tutanota.com
Termination Use anti-malware software to scan your computer
Recovery To recover from ransomware infection, make use of FortectIntego

While Major ransomware was recently spotted being distributed via malicious spam email attachments from Poland, other distribution methods are most likely used by cybercriminals. This way, bad actors can ensure the highest volume of attacks, which consequently can provide more victims willing to pay the demanded ransom. Ransomware propagation techniques include:

  • Brute force attacks;
  • Exploits;
  • Fake or hacked installers;
  • Cracks/keygens;
  • Fake updates;
  • Unprotected RDP, etc.

Therefore, users should be extremely careful when browsing the internet, as casual clicking on links or downloading unsafe files might lead to Major ransomware infection.

Before proceeding with the encryption, Major ransomware heavily modifies Windows OS. For example, it alters registry to retain persistence, disables recovery and repair functions, and also deletes Shadow Volume Copies to complicate the file retrieval for the victims.

As soon as Major ransomware completes system modifications, it drops a ransom note which reads the following:

ATENTION!!!

I am truly sorry to inform you that all your important files are crypted.
If you want to recover your encrypted files you need to follow a few steps.
You need to buy bitcoins and send them to the address you receive by mail.
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site.You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
write to Google how to buy Bitcoin in your country?
in order to guarantee the availability of our key
we can decrypt one file for free
the size of the files <1 mb, doc.docx.xls.xlsx.pdf.jpg.bmp.txt file format
other formats will not be free decryption
after payment we will send a decryption program
Do not try to decrypt your files with programs by the decoder,
you will only damage your data and lose them forever.
Only we can decrypt your data, write to the original mails specified in this file,
otherwise you will become a victim of scammers.

Contact email address xlsx@tutanota.com or xlsx@protonmail.com

As you can see, hackers even offer a test decryption service, that would allow deciphering one file. This feature has been practiced by malware authors for a while now, as it implies that you can trust them. Nevertheless, remember that these people are causing harm to your computer purposely in order to retrieve money from you. Do not trust them and rather remove Major ransomware with the help of reputable security application.

Major ransomware ransomwareMajor ransomware is a file locking virus that uses RSA + AES to encode all the data on victims' machines

In some cases, you might have to enter Safe Mode as Major ransomware might be tampering with the anti-malware tool. Only after that, you can attempt to recover your files using alternative methods or wait till the decryptor is released by security experts. After that, we suggest you scan your device with FortectIntego to restore the system to its original state.

New Major ransomware variants and distribution tactics

Major ransomware has been spotted being delivered via avuqywyhydoz1989@o2.pl email address. The email includes a malicious attachment Faktura_8800.tar which, when executed, populates the computer with the malicious malware's payload. It is yet unknown whether the authors of the virus are actually from Poland, however.

With this new distribution tactic, crooks also employed new file extensions, as well as contact emails. Once of such variants appends .cube file extension and uses mikrotik@tutamail.com, paydear@aol.com contact emails.

While later Major ransomware variants used previously known file extensions, the contact addresses were changed once more to rootcopper@aol.com, rootcopper@tutanota.com or rootcopper@protonmail.com. The ransom note, under the name of READ_ME.mars, was also changed from the original, stating:

All your important files are encrypted.
To recover encrypted files, you need:
1. Buy bitcoins. The easiest way to buy bitcoins is the LocalBitcoins site. You must register, click “Buy Bitcoins” and select a seller by payment method and price. https://localbitcoins.com/buy_bitcoins
You can also find other places to buy bitcoins and a beginner's guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
write to google how to buy bitcoin in your country?
to guarantee the availability of our key
we can decrypt three files for free.
2. Send bitcoins to the address you receive in the mail. After payment, we will send a decryption program
Do not try to decrypt your files using third-party programs, decoders. You only damage your data and lose them forever.
Only we can decrypt your data!
Contact email address rootcopper@aol.com or rootcopper@tutanota.com or rootcopper@protonmail.com

While none of Major ransomware variants are decryptable, it is not recommended paying hackers and instead focus on its termination and alternative data recovery methods.

Major ransomware variantsMajor ransomware has been found spreading via spam email attachments from Polish email address, appending .mars, core, and cube file extensions

Hackers are actively trying to infect as many users as possible: here's how to protect yourself

It is true that ransomware does not infect half of the internet users. However, those who neglect adequate protection measures are most likely to get infected. Therefore, experts[3] provide several tips on how to avoid ransomware infections in the first place:

  • Beware of spam emails – included attachments might use a macro function to execute the malicious payload, while hyperlinks might be disguised and lead to the infected domain;
  • Employ reputable security software with real-time scanning feature;
  • Use a Firewall;
  • Update your system, along with all the installed programs, as soon as security patches are released (do not postpone the installation);
  • Adequately protect all your accounts – use a password manager and two-factor authentication;
  • Do not run cracks or keygens – these tools can be infected with malware;
  • Scan every executable you download from the third-party site with tools like Virus Total.

Additionally, having backups ready will save you from all the trouble, and you will not have to contemplate whether or not to pay the ransom, which might then result in money loss, along with personal file loss.

Terminate Major ransomware from your device

Ransomware is one of the most devastating computer infections, and it affects not only home users but also high-profile organizations, resulting in millions of dollars in damages. The problem is that even after you remove Major ransomware, the files will remain encrypted. And while many ransomware viruses are now decryptable thanks to the efforts of security researchers, there are still hundreds of infections that will result in permanent data loss.

Nevertheless, after you complete Major ransomware removal (for that, enter Safe Mode and scan your PC with anti-malware software), you can try using alternative solutions that might help you recover files marked with .core, .mars or .bmps file extension. Please follow the guide below.

Offer
do it now!
Download
Fortect Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Major virus. Follow these steps

Manual removal using Safe Mode

To remove Bmps ransomware safely, access Safe Mode with Networking as explained below:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Major using System Restore

You can use System Restore to stop malware's activities:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Major. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Major removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Major from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Major, you can use several methods to restore them:

Data Recovery Pro might be used when trying to recover files locked by .core or .bmps

This software is a professional tool that might be helpful when trying to decipher files affected by ransomware.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Major ransomware;
  • Restore them.

Try Windows Previous Versions Feature to restore your files

This method might be able to help you recover at least some files (note that it only works if System Restore feature was enabled prior to the attack).

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is a data recovery tool that might help you

In case the virus fails to eliminate Shadow Volume Copies, ShadowExplorer is the program to use.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Major and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

References