Severity scale: 97/100

Remove Maze ransomware (Removal Instructions) - Free Guide

Removal by Linas Kiguolis | Type: Ransomware

Maze ransomware is a file locking virus that changes the ransom note depending on computer type

Maze ransomware

Maze ransomware is a file-encrypting virus and a successor to ChaCha ransomware. It uses a combination of the RSA and ChaCha20 ciphers to lock up data, appends a string of 4-7 random characters to the end of each file name, and also uses a marker within its structure: 0x66116166.

Maze ransomware is known to be distributed with the help of a fake Abra site that hosts the Mobile Bitcoin Wallet app under the same name. Visitors who want to download the application end up being redirected to the Fallout exploit kit,[1] which, under certain conditions, implants the malware's payload without any user interaction.

After encrypting files, Maze virus drops a ransom note, DECRYPT-FILES.html, which asks victims to pay a ransom in BTC and contact the bad actors via filedecryptor@nuke.africa. Additionally, the malware alters the desktop background, displaying another message from the hackers. Interestingly, the latest variant of Maze ransomware shows a different wallpaper based on computer type (for example, home computer, backup server, server in corporate network, primary domain controller, etc.), which essentially changes the decryptor price.

While there is no free decryption tool that would be able to retrieve your data, you should not pay the ransom and instead focus on Maze ransomware removal and alternative file recovery methods, instructions for which we provide below.

Name: Maze
Type: Ransomware
A variant of: ChaCha ransomware
Distribution: Mainly Fallout exploit kit, although spam emails, fake updates, brute-forcing and other tactics can be used
Encryption algorithm: RSA and ChaCha20
File extension: [random 4-7]
Related files: zprxqb.exe, Maze_Ransomware.exe
Ransom note: DECRYPT-FILES.htm
Contact: filedecryptor@nuke.africa
Termination: Use a powerful anti-malware program such as Reimage, SpyHunter 5 or Combo Cleaner
Decryption: Only possible via backups. Third-party software might sometimes be helpful as well

While Maze ransomware was spotted being distributed with the help of Fallout Exploit kit, it does not mean that hackers do not employ other tactics, such as:

  • Spam emails;
  • Unprotected RDP;
  • Fake updates;
  • Pirated software and its cracks;[2]
  • Torrent sites;
  • Web injects, etc.

Therefore, even if your software and the Windows OS are patched with the latest updates to prevent Fallout EK, you might still be at risk if you do not use adequate security measures. To make sure you are protected from future Maze ransomware infections, check the second part of this article.

Once the Maze ransomware payload is on the system, it will contact 2 domains and 15 hosts, alter the Windows registry, delete Shadow Volume snapshots to complicate the recovery process, and perform other malicious tasks required for its operation.

After establishing itself and locking the files, Maze ransomware will display the following note: 

0010 SYSTEM FAILURE 0010
*********************************************************************************************************************
Attention! Your documents, photos, databases, and other important files have been encrypted!
*********************************************************************************************************************

The only way to decrypt your files, is to buy the private key from us.
You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.
In order to receive the private key contact us via email:
filedecryptor@nuke.africa
Remember to hurry up, as your email address may not be avaliable for very long.
Buying the key immediatly will guarantee that 100% of your files will be restored.
Below you will see a big base64 blob, you will need to email us and copy this blob to us.
you can click on it, and it will be copied into the clipboard.
If you have troubles copying it, just send us the file you are currently reading, as an attachment.

At the bottom of the note, victims can locate a Base64 string that includes such information as the user's login name, Windows version, other technical data, and a private key. All this information is allegedly required by the cybercriminals in order to decrypt files locked by Maze ransomware.

Speaking of Maze ransomware removal, various AV vendors recognize the threat under such names as TR/Kryptik.ijmxi (Reimage) or Ransom.Maze (SpyHunter 5, Combo Cleaner).[3] Thus, we suggest using these tools to terminate the malware entirely.

Once you delete Maze virus entirely, you can connect your backup device to retrieve your data. If you have no backups prepared, there is very little chance of recovering files for free, although you should try third-party software. We provide all the instructions and download links for such tools below.
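Before restoring from backup, it helps to know which files were actually hit. The following Python script is an added example, not part of the original guide or any vendor's tool: it walks a folder and sorts files by the indicators named above (ransom note name, 4-7 character suffix, marker 0x66116166). It assumes the marker is written into each encrypted file; the byte order, the 4 KiB tail window, the alphanumeric suffix pattern and all function names are assumptions as well.

```python
import os
import re
import tempfile
from pathlib import Path

NOTE_NAMES = {"decrypt-files.html", "decrypt-files.htm"}  # both spellings are on the page
# Assumption: the page gives no byte order or offset for marker 0x66116166,
# so both byte orders are searched for in the last 4 KiB of each file.
MARKER_BYTES = tuple((0x66116166).to_bytes(4, order) for order in ("little", "big"))
# Assumption: the 4-7 character suffix is alphanumeric and follows the original extension.
SUFFIX_RE = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.[A-Za-z0-9]{4,7}$")

def has_marker(path):
    """True if either byte order of the marker occurs in the file tail."""
    with open(path, "rb") as fh:
        fh.seek(max(0, os.path.getsize(path) - 4096))
        tail = fh.read()
    return any(m in tail for m in MARKER_BYTES)

def triage(root):
    """Sort files under root into ransom notes, marker hits and suffix-only hits."""
    report = {"notes": [], "marker": [], "suffix_only": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.lower() in NOTE_NAMES:
                report["notes"].append(path)
            elif SUFFIX_RE.match(name):
                try:
                    hit = has_marker(path)
                except OSError:
                    hit = False  # unreadable: left in suffix_only for manual review
                report["marker" if hit else "suffix_only"].append(path)
    return report

def make_sample(root):  # constructed files, not real samples
    files = {
        "DECRYPT-FILES.html": b"<html>constructed note</html>",
        "report.docx.kT9xQ": b"\x00" * 64 + MARKER_BYTES[0] + b"\x00" * 8,
        "archive.tar.backup": b"plain data, no marker",  # benign look-alike name
        "notes.txt": b"untouched",
    }
    for name, data in files.items():
        Path(root, name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(triage(tmp))
```

Files in the `suffix_only` bucket match the name pattern but carry no marker, so they are more likely benign double-extension files than encrypted data and should be checked by hand before being overwritten from backup.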

Maze ransomware is a type of malware that enters the machine with the help of the Fallout exploit kit and encrypts all data on the device by using RSA + ChaCha20 ciphers

Ransomware prevention tips

Hackers are sophisticated individuals who decided to put their knowledge to use for evil deeds. Therefore, they often employ a variety of advanced methods to distribute the malware payload, ensuring high infection rates among victims.

Nevertheless, those who are careless are by far the most vulnerable and prone to infections. While threats such as adware or other PUPs might not be devastating, ransomware can result in permanent data loss. What is more, those who decide to pay for the decryptor might end up losing money as well.

Therefore, follow these tips from industry experts to avoid malware infections in the future:

  • Install security patches for your operating system, as well as all the installed applications;
  • Use reputable anti-malware software with a real-time protection feature;
  • Be aware that spam emails that carry attachments (such as .doc, .html, .pdf, etc.) or include hyperlinks might be infected with malware, including ransomware;
  • Ensure the safety of all your accounts by using a password manager and two-factor authentication;
  • Use an ad-blocker on high-risk sites, although do not forget to add exclusions for sites you want to support;
  • Do not download pirated software or its cracks or keygens;
  • Scan every unknown executable with tools like Virus Total or Hybrid Analysis;
  • Use a VPN when using Remote Desktop Protocol and ensure a strong password.

Finally, to negate the damage done by a ransomware infection, prepare backups regularly.

Terminate Maze ransomware virus by using powerful malware removal tools

You should not attempt to remove Maze ransomware manually, as such a method should only be used by IT professionals. Besides, cryptoviruses modify Windows system files and embed themselves deep into the OS, so reverting these changes is almost impossible.

Instead, employ reputable anti-malware software for Maze ransomware removal. We suggest you use Reimage, SpyHunter 5 or Combo Cleaner, although other options are also available – choose the one that suits you the most. Be aware that the virus might prevent your security software from performing correctly. In such a case, you need to access Safe Mode, as it will temporarily stop the malware's activities.

Once you delete Maze virus, you can attempt to recover your data. Please follow detailed instructions for this process below.


To remove Maze virus, follow these steps:

Remove Maze using Safe Mode with Networking

To remove Maze ransomware without any interruptions, you should enter Safe Mode with Networking as explained below:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold the Shift key on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Maze

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Maze removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Maze using System Restore

You can also use System Restore to terminate the infection:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold the Shift key on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated before the infiltration of Maze. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that Maze removal was performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Maze from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Maze, you can use several methods to restore them:

Data Recovery Pro might be able to recover at least some of your files

This tool is sometimes useful for ransomware victims.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Maze ransomware;
  • Restore them.

Taking advantage of Windows Previous Versions feature

If you had System Restore enabled, this option might help you retrieve at least some individual files.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

ShadowExplorer application might recover all your data

If the virus failed to remove Shadow Volume Copies, this solution might be the best for you.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Maze and other ransomware, use a reputable anti-spyware program, such as Reimage, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Linas Kiguolis
Linas Kiguolis - Expert in social media
