Severity scale: 98/100

Meduza ransomware. How to remove? (Uninstall guide)

Removal guide by Lucia Danes | Type: Ransomware

Meduza ransomware – a cryptovirus which urges victims to pay 0.08 bitcoin for the decryption key needed to unlock their encrypted data

Meduza ransomware is a file-encrypting virus which blocks all access to the user's data and marks the affected files with the .[btc2018@tutanota.de].meduza extension.

Meduza ransomware is a cryptovirus which denies access to important data and demands a specific amount of bitcoin to restore it. This ransomware-type virus works on the same principle as hundreds of other ransomware families: it encrypts files and appends .[btc2018@tutanota.de].meduza or a similar extension to mark data which can no longer be opened or used. Additionally, it drops a ransom note named How-To-Recover-Your-Files.html, which announces that the user's files have been encrypted and demands a payment to decrypt them. Users are urged to contact the cybercriminals via greystars@protonmail.com. However, the email address, just like the amount of the ransom, might vary.

Name: Meduza
Type: Ransomware
Sub-type: Cryptovirus
Danger level: High. This virus encrypts files; it can also disable access to various system components and deactivate security tools
Extension: .[btc2018@tutanota.de].meduza
Ransom note: How-To-Recover-Your-Files.html
Usually spreads with the help of: Spam emails
Main purpose: Gaining revenue by forcing the victim to buy a decryption key
Elimination process: Use Reimage to eliminate the cyber threat from your computer system and avoid further damage

To encrypt target files, the virus uses the AES algorithm[1]. Because of this, it is almost impossible to decrypt the affected data without the key, even if you are a true tech expert. Typically, the decryption key is stored on a remote server that only the attackers can reach.

However hard it is to lose your images, business documents, and similar data, we do not recommend paying the ransom, as it usually turns out to be a trick to swindle money from naive victims. Beware that cybercriminals often leave users scammed as soon as they receive their money.[2] As an alternative, remove Meduza ransomware from your computer system and then use one of the data recovery methods provided at the end of this post. For virus removal, we advise using Reimage.

The ransom note of the virus:

All your files have been encrypted!

How to recover your files?
All your files have been encrypted by RSA and AES due to a security problem on your PC. You have to pay for decryption of Bitcoins.

If you want to restore them. You must send 0.08 bitcoin to my bitcoins address [Link]
After payment, we will send you the decryption tool that will decrypt all your files.
Please write us to the email [email address].
Your decrypt code is [ransom numbers]
Please write the decrypt code in the title of your email message. And don’t forgot to write the transfer accounts info.
[…]
Attention!
1.Do not rename encrypted files.
2.Do not try to decrypt your data using third party software.It may cause permanent data loss.

It is unknown which hackers' group is hiding behind Meduza ransomware. However, the ransom note and other details of this ransomware are reminiscent of WannaCry, Petya, and many other ransomware viruses. If you happen to run into this malware, note that time is very important: the longer you wait, the more files can be encrypted. Besides, according to the latest trends, your computer system might also be forced to start mining cryptocurrency.[3]

To prevent money loss, do not pay the ransom, especially while the virus is still on your computer. To prevent the loss of personal data, start Meduza ransomware removal as soon as you find a suspicious extension added to your files. For that, use a professional anti-malware tool, such as Reimage. After the elimination is done, you can try trustworthy decryption tools to recover the affected data. At the moment, there is no official decrypter.

Ransomware distribution techniques and how to avoid them

According to IT professionals[4], the most common way for this ransomware-type virus to enter the system is spam. Such messages carry a harmful attachment presented as an important document, such as an invoice or an image. Once the attachment is opened, the virus is activated and starts its damaging activity.

To avoid serious ransomware infections, follow these guidelines:

  • If you receive a suspicious email, double-check it before opening it. If you have any doubts, it is safer to delete the email. Do not get tricked by shady and dubious senders.
  • Avoid visiting suspicious-looking sites and links. Once opened, they might try to install a ransomware-type virus behind your back.
  • Consider installing a professional security tool. An antivirus will protect your system, scan it, and alert you if harmful components are trying to infect your PC.

Eliminate Meduza ransomware with the special guide

To remove Meduza ransomware from the system and make sure no leftover files or other components remain, you need professional help. We advise using anti-malware software such as Reimage, Malwarebytes, Plumbytes Anti-Malware, or Norton Internet Security. The process might take a while because the virus may have tampered with the security system. However, if you follow all elimination steps given below, you should be able to disable the malware and let the anti-malware program do its job.

After the elimination process is finished, we recommend setting up system backups to prevent the negative effects of ransomware in the future. You can easily save your data on external hard drives, USB keys, and similar storage solutions. However, before you proceed with this task, take care of the Meduza removal.


To remove Meduza virus, follow these steps:

Remove Meduza using Safe Mode with Networking

Access the Safe Mode with Networking in order to deactivate the virus:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Meduza

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Meduza removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Meduza using System Restore

Use the System Restore function to delete Meduza ransomware from the system:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Meduza. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it, and make sure that Meduza removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Meduza from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

As you have already noticed, malware can lock the most important information. To recover files, here are some data recovery methods that should be helpful.

If your files are encrypted by Meduza, you can use several methods to restore them:

Use Data Recovery Pro to get important files

This program might help you recover encrypted data. For that, use the following steps:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Meduza ransomware;
  • Restore them.

Use Windows Previous Version feature to recover valuable information

You can also use the Windows Previous Versions feature to recover your encrypted data. However, note that this method will only work if you had the System Restore function enabled before the cyber attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

Shadow Explorer might help you recover some of the encrypted files

Check whether the virus managed to delete the Shadow Volume Copies of the locked files. If it did not, you have a good chance of restoring them by using this program.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install the application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk that holds your encrypted data. Check which folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also choose where it should be stored.

No decryptor for Meduza ransomware has been released so far.
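As an added example, not code from this guide or from 2-spyware.com, the PowerShell script below ties the two halves of this page together: it scans for the indicators described at the top (the .[btc2018@tutanota.de].meduza extension pattern, with the bracketed contact address allowed to vary, and the How-To-Recover-Your-Files.html ransom note), prints the original file names you would look for under Previous Versions, and checks whether Volume Shadow Copies survived before you invest time in the Previous Versions or Shadow Explorer methods. The $Roots paths are an assumption; point them at the drives that hold your data.

```powershell
# Read-only triage after Meduza removal (added example, not from the guide).
# Run from an elevated PowerShell prompt; shadow copy enumeration needs admin.
param(
    # Assumed roots to scan; adjust to where your data lives.
    [string[]]$Roots = @("$env:USERPROFILE", 'D:\')
)

# "<name>.<ext>.[<contact>].meduza"; the contact address may differ per sample.
$encPattern = '\.\[(?<contact>[^\]]+)\]\.meduza$'
$noteName   = 'How-To-Recover-Your-Files.html'

$encrypted = @()
$notes     = @()
foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $encPattern)   { $encrypted += $_ }
            elseif ($_.Name -ieq $noteName)   { $notes += $_ }
        }
}

# Contact addresses embedded in the extension (page says these can vary).
$contacts = $encrypted |
    ForEach-Object { if ($_.Name -match $encPattern) { $Matches['contact'] } } |
    Sort-Object -Unique

Write-Host ("Encrypted files found : {0}" -f $encrypted.Count)
Write-Host ("Ransom notes found    : {0}" -f $notes.Count)
Write-Host ("Contact addresses seen: {0}" -f ($contacts -join ', '))

# Original names: these are what you look for in the "Previous versions" tab.
$encrypted | Select-Object -First 20 | ForEach-Object {
    $orig = $_.Name -replace $encPattern, ''
    Write-Host ("  {0}  ->  {1}" -f $_.FullName, $orig)
}

# Previous Versions / Shadow Explorer only help if shadow copies still exist.
# Win32_ShadowCopy needs PowerShell 3.0+; on older systems use "vssadmin list shadows".
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if ($shadows) {
    Write-Host ("Shadow copies present: {0}" -f @($shadows).Count)
    $shadows | Select-Object InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize
} else {
    Write-Host 'No shadow copies found; the Previous Versions method will not work.'
}
```

Zero shadow copies with many encrypted files means the ransomware wiped them, so skip straight to the Data Recovery Pro method or to your external backups.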

About the author

Lucia Danes
Lucia Danes - Virus researcher



References