Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · May 2018

How to remove MauriGo ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Olivia Morelli · Ransomware analyst

MauriGo – a malicious crypto-ransomware virus targeting both home and enterprise users

MauriGo ransomware

MauriGo ransomware is a severe cyber infection, which has been detected by ransomware researchers at the end of March 2018.[1] Its developers take advantage of systems' vulnerabilities and people's credulity by spreading it via spam, exploit kits, and rogue software updates. Upon infiltration, it enables AES-256 cipher to render personal files useless by appending the .encrypted file extension to each of them. Then the victim is urged to pay the ransom within seven days. The size of redemption depends on the number of PC's compromised maximizing to 5 BTC. Explicit guidance can be found in the READ_TO_DECRYPT.txt ransom note.

MauriGo
Malware type Ransomware
Targets Enterprise users 
File extension .encrypted
Related files READ_TO_DECRYPT.txt
Cryptography AES-256
The size of redemption 0.7, 2.6 or 5 BTC depending on the number of affected PCs. 
Main dangers Permanent data loss, money loss, system's crash
Download FortectIntego and run a full system scan to get rid of ransomware virus. Manual removal is not possible.

Ransomware researchers claim that MauriGo ransomware is not a newly developed cyber threat. Its strains go back to 2017, though no victims have been registered through the whole year. Nevertheless, it seems that malware developers aim to resurrect the virus for the second life.

As we have already pointed out, MauriGo spreads in the same way as other ransomware viruses. It can be dispersed under malicious spam email attachments, rogue software downloads or updates, as well as injected via hacked RDP[2] by initiating brute force attacks.

Regardless of the distribution technique, the MauriGo virus settles down quite easily by running multiple Command Prompt and PowerShell scripts under admin privileges. Then it injects malicious registry entries and starts encryption procedure.

To lock people's files, it eploys the prevailing AES-256 encryption algorithm and targets the most popular file types, including, but not limiting to .mp3, .mp4, .doc, .docx, .ibooks, .jpeg, .jpg, .torrent, .txt, and others. Upon encryption, each file is marked with .encrypted file extension.

Apart from the compromised file extension, another symptom of MauriGo ransomware attack is the READ_TO_DECRYPT.txt ransom note on the desktop and most of the system's folders. The file contains the following information:

The important files on your computer have been encrypted with military-grade AES-256 bit encryption.
Your documents, videos, images and other forms of data are now inaccessible, and cannot be unlocked without the decryption key.

This key is currently being stored on a remote server.
To acquire this key, please follow the instructions below before the time runs out. ([RANDOM DATE] – you have 7 days)

Prices to recover yoor files from :
1 machine on your network : 0.7 BTC
Half machines on your network (randomly chosen): 2.6 BTC
All machines on your network : 5 BTC
The BTC must be sent to this address : 19CMTC6U9KMHAn34iKXvofkA2ulNMcd823
Your hostname : [YOUR DEVICE NAME]
Your identification number (it is the same for all PC encrypted on your network): ***
After you've send payment to our address, please go to our website (via normal browser):
xxxx://ldqu4hxg2gx6af7j.onion[.]plus/id/***
xxxx://ldqu4hxg2gx6af7j.onion[.]link/id/***
xxxx://ldqu4hxg2gx6af7j.tor2web[.]ch/id/***
If it doesn't work please download Tor Browser on their official page and use this link instead: xxxx://ldqu4hxg2gx6af7j[.]onion/id/***

Once on the website, leave a simple comment to warn us.
After that we will reply with your decryption key(s) as soon as possible.
To demonstrate our sincerity, you can upload 2 encrypted file on the website and we will decrypt it.
Also please understand that we don't want to taint the reliability of your business. Make a reasonable choice.
Note that if you fail to take action within this time window (7 days), the decryption key will be destroyed and access to your files will be
permanently lost.

Where to buy bitcoins (BTC) ?

Bitcoin is a popular crypto-currency. We advise you to buy coins on https://localbitcoins.com/ because of its speed and anonymity. You will can pay with Western Union. Wire Transfer…
Of course, there are many other ways to get bitcoins (ex: Coinbase), simply type on google “how to buy bitcoins.”

As you can see, crooks target both home users and enterprise users. Indeed, they prefer corporate networks as they can get up to 5 BTC (approximately 47 000 USD) ransom in exchange of a decryptor, while a home user is expected to transfer 0.7 BTC (approximately 6500 USD).

The PC's owner that wants to get his or her files back has to email criminals and send them a redemption to the 19CMTC6U9KMHAn34iKXvofkA2ulNMcd823 Bitcoin wallet using Tor browser. The deadline – 7 days. In case the victim fails to make the payment, the MauriGo decryptor is removed causing permanent data loss.

Nevertheless, Virukset.fi[3] together with our research team highly do not recommend paying the ransom. That's because no one can assure if the decryptor has been developed altogether. It might be that crooks don't have it at all and simply will run away with your money.

Instead of that, we recommend running a scan with FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes security tool and remove MauriGo virus asap. Following the encryption, you'll be able to take advantage of the alternative data recovery methods, such as Volume Shadow Copies or Previous Windows version.

MauriGo malware

Take precautionary measures while browsing online to protect yourself from ransomware attacks

Throughout a long time of practice, ransomware developers learned people's habits and behavior online. Consequently, they can create multiple catchy strategies to distribute ransomware viruses widely on the Internet. The following are the most frequently used techniques:

  • Malicious spam email attachments;
  • Exploit Kits;
  • Hacked Remote Desktop apps;
  • Fake software updates;
  • Phishing websites;
  • Infected links and advertisements;

For the past ten years, hackers take advantage of people's credulity and keep spreading hazardous cyber infections in the form of malicious email attachments. Rendering spam bots criminals spread legitimate-looking emails, which contain “urgent” information from Microsoft, Apple, IRS, FBI, and similar institutions. If the user opens the attachment, he or she inadvertently runs a ransomware payload, which is going to lock files soon after revelation.

Although there's no hundred percent ransomware protection, keeping a reputable anti-virus installed and updated minimizes the risk of getting infected significantly. Also, you should also download Windows updates to patch security vulnerabilities.

MauriGo removal options

In fact, there aren't many options for the MauriGo removal. All you can choose is an anti-virus program because manual ransomware removal is practically impossible. We would strongly recommend you to use FortectIntego or SpyHunterCombo Cleaner tool, but you are free to choose a program that you prefer.

As soon as you remove MauriGo virus, scroll down to the bottom to find out alternative data recovery methods. Try them one-by-one, and we are sure that you'll manage to retrieve at least the most significant part of files encrypted by MauriGo ransomware.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.