Severity scale: 99/100

MerryChristmas ransomware virus. How to remove? (Uninstall guide)

Removal by Olivia Morelli | Also known as Merry X-Mas! ransomware virus | Type: Ransomware

MerryChristmas ransomware is weak: you can decrypt your files for free!

MerryChristmas virus (also known as Merry X-Mas! ransomware) was first spotted in December 2016. Since then, it has been updated a few times and has become a nasty, widespread virus. This festive-themed virtual infection [1] encrypts files with a sophisticated cipher[2] and makes the victim’s data useless. Encrypted files are distorted in such a way that no one can restore them without a special decryption key. The virus also appends additional file extensions to the damaged files, such as .PEGS1, .RARE1, .MRCR1, .RMCM1 or .MERRY. Because of the .MRCR1 extension, the malware is also known as MRCR1 ransomware virus. Following data encryption, the ransomware leaves a ransom note called “YOUR_FILES_ARE_DEAD.HTA”. The message opens in the web browser and tells users that they have to purchase a specific decryption key to recover their files.

Paying the ransom to cyber criminals is never recommended and is a risky way to recover encrypted data. With this ransomware, transferring bitcoins is also unnecessary: security specialists have already cracked the malware’s code and created a decryption tool. The MerryChristmas decrypter is safe and free to use. However, before data recovery, you must eliminate the malware from the system. At the end of the article, you will find detailed instructions on how to remove MerryChristmas virus from the computer using Reimage or other reputable malware removal programs.

ALL SERVER DATA ENCRYPTED! [or] ALL COMPUTER DATA ENCRYPTED
03 days 22:55:29 0149
TIME AFTER ALL FILES WILL BE DELETED
YOUR ID [removed]
Merry X-Mas!
NOW YOU NEED TO PAY TO RECOVER YOUR DATA
AFTER MONEY TRANSFER YOU WILL RECIEVE THE DECRYPTOR
CONTACTS
TELEGRAM @comodosecurity
EMAIL comodosec@yandex.com

In the ransom note below, you can see that the virus does not state the exact price of the decryption software. This makes us think that the virus’ authors ask for different sums of money from individual victims. What is more, it is very likely that MRCR1 virus was developed by the authors of the Globe[3] virus, because it provides the same Telegram messenger contact, @comodosecurity, for victims who want to get in touch with them. It’s interesting that the cyber criminals use the name of a cyber security company that is not related to this ransomware virus at all.

Image of MerryChristmas virus displaying the ransom note

How does Merry X-Mas! virus spread?

Although at first it seemed that this particular ransomware would be active only until the festive season ended and that its authors would simply switch its name to a different one afterward, this didn’t happen. The malicious attacks continue, and the culprits use new tricks to convince victims to open the malicious email attachment. This time, they are sending out large numbers of emails that look like court attendance notices. The virus arrives in a malicious document that contains scrambled text and asks the victim to enable Macros in order to view the contents. The scrambled text simply obfuscates a script that downloads and installs the ransomware as soon as the victim enables the Macros function. The latest attacks differ from earlier ones because this ransomware now arrives bundled with DiamondFox malware, which turns compromised devices into DDoS bots, steals private information such as credit card details or passwords, allows remote connections to the compromised computer, and more. The virus also uses a new picture for the ransom note, which can be seen below the article.

If your computer has been infected…

If MerryChristmas virus has attacked you, you probably want to know two things: how to remove MerryChristmas ransomware and how to decrypt the files that this nasty piece of software has distorted. First of all, you should know that ransomware viruses should be deleted using professional malware removal tools such as Reimage, Plumbytes Anti-Malware or Webroot SecureAnywhere AntiVirus. Ransomware modifies a lot of settings on the computer, including the Windows Registry, and drops and hides malicious files in many locations, so it is very hard to detect and delete them manually. Therefore, we suggest you run an anti-malware program to complete MerryChristmas removal easily. After removing the virus, you can try to restore your files using the data recovery methods explained below or simply import file copies from a backup. Unfortunately, in the case of a MerryChristmas attack, you will not be able to recover lost files from Volume Shadow Copies[4] because the virus runs a function that deletes all of them at once.

Finally, you need to learn how ransomware viruses spread. In this case, MerryChristmas virus spreads via email in the form of a deceptive file named COMPLAINT.pdf.exe. Note that .pdf is not the real file extension: it is part of the filename, and .exe is the real file extension. Therefore, as soon as the victim opens this file, the virus is activated and roots itself into the target computer system. We suggest you avoid suspicious emails that come from unknown people or companies, especially if you weren’t expecting to receive a letter from them. Cyber criminals use many different techniques[5] to deceive naive victims, so try to keep up with the latest cybersecurity news if you do not want to become a victim of a ransomware attack.
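The double-extension naming described above can be checked at a mail gateway or during triage of a mailbox export. The following is an added example, not code from the original article; the extension lists, function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed lists for illustration; extend them to match local policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}

def real_and_decoy_ext(filename):
    """Return (real_ext, decoy_ext); decoy_ext is None when nothing masks the real one."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = [p.strip().lower() for p in filename.rstrip(". ").split(".")]
    if len(parts) < 2:
        return None, None
    real = parts[-1]
    # Any document-looking component before the last one acts as the decoy.
    decoy = next((p for p in reversed(parts[1:-1]) if p in DECOY_EXTS), None)
    return real, decoy

def is_deceptive(filename):
    """True when an executable hides behind a document-looking extension."""
    real, decoy = real_and_decoy_ext(filename)
    return real in EXECUTABLE_EXTS and decoy is not None

def flag_attachments(raw_message):
    """Parse a raw RFC 5322 message and return the names of deceptive attachments."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names if is_deceptive(n)]

def build_sample():
    """Constructed message: one ordinary PDF and one attachment named as in the article."""
    msg = EmailMessage()
    msg["Subject"] = "Court attendance notice"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="COMPLAINT.pdf.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    print(flag_attachments(build_sample()))
```
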

Instructions on how to remove MerryChristmas virus safely

When MerryChristmas virus appeared, it was quite a hazardous cyber threat: there was no way to decrypt damaged files without a specific decryption key. The only effective option was to use data backups; however, computer users rarely back up their files regularly. Fortunately, specialists from Emsisoft released a decryption tool, so you can easily recover your data. But first, you have to remove MerryChristmas ransomware from the computer. Simply take care of the virus with an anti-malware tool. It is also possible that the virus might attempt to block your anti-malware tool. If this happens to you, follow these MerryChristmas removal instructions:

MerryChristmas ransomware virus snapshot
New version of MerryChristmas ransomware

Manual MerryChristmas virus Removal Guide:

Remove MerryChristmas using Safe Mode with Networking

In some cases, ransomware authors make their viruses strong enough to avoid detection by the best-known antivirus and anti-malware programs. If the security program that you use is blocked by the virus, follow these steps to start the PC in Safe Mode with Networking. This mode helps to deactivate the virus but doesn’t get rid of it; it simply creates an environment that allows your security software to function without interruptions.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.

  • Step 2: Remove MerryChristmas

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete MerryChristmas removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove MerryChristmas using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.

  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that predates the infiltration of MerryChristmas. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that MerryChristmas removal has been performed successfully.

Bonus: Recover your data

The guide presented above is meant to help you remove MerryChristmas from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by MerryChristmas, you can use several methods to restore them:

Recover some files with Data Recovery Pro

If your files have been corrupted, run Data Recovery Pro and see if it can restore them. This tool can help to restore various corrupted, damaged, or encrypted files, so in our opinion, it can be really useful.

Windows Previous Versions: find out if you can use them

The System Restore function allows you to restore lost files with the help of Windows Previous Versions. Although this method restores individual files only, we find it very useful:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

MerryChristmas decryption tool

This is the official decryption tool created to help victims of the MerryChristmas ransomware. Download this tool from here. To use it, you will need an encrypted file and the non-encrypted version of the same file. Then drop those two files (between 64KB and 100MB in size) onto the decrypter executable and start the decryption process. NOTE: This decryptor can help victims who have been attacked by ransomware versions that add .PEGS1, .RARE1, .MERRY, .MRCR1, or .RMCM1.
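Finding a usable file pair for the decrypter by hand is tedious on a large disk. The following added example (not part of the original article and not Emsisoft's code) walks a damaged folder, strips the appended extension and looks for the untouched original in a backup folder, keeping only pairs inside the 64KB to 100MB range. It assumes the backup mirrors the damaged folder's layout and that the appended extension is matched case-insensitively; the function names are hypothetical.

```python
import os
from pathlib import Path

# Appended extensions named in this article.
ENCRYPTED_EXTS = (".pegs1", ".rare1", ".mrcr1", ".rmcm1", ".merry")
MIN_SIZE = 64 * 1024          # 64KB lower bound quoted for the decrypter
MAX_SIZE = 100 * 1024 * 1024  # 100MB upper bound quoted for the decrypter

def original_name(encrypted_name):
    """Strip the appended extension; return None if the name is not an encrypted file."""
    lower = encrypted_name.lower()
    for ext in ENCRYPTED_EXTS:
        if lower.endswith(ext) and len(lower) > len(ext):
            return encrypted_name[: -len(ext)]
    return None

def find_pairs(encrypted_root, backup_root):
    """Return (encrypted, original) path pairs that fit the decrypter's size limits."""
    encrypted_root, backup_root = Path(encrypted_root), Path(backup_root)
    pairs = []
    for dirpath, _dirs, files in os.walk(encrypted_root):
        for name in sorted(files):
            plain_name = original_name(name)
            if plain_name is None:
                continue  # ransom note or untouched file
            enc = Path(dirpath) / name
            # Assumption: the backup mirrors the damaged tree's relative layout.
            rel_dir = enc.parent.relative_to(encrypted_root)
            candidate = backup_root / rel_dir / plain_name
            if not candidate.is_file():
                continue
            sizes = (enc.stat().st_size, candidate.stat().st_size)
            if all(MIN_SIZE <= s <= MAX_SIZE for s in sizes):
                pairs.append((enc, candidate))
    return pairs

if __name__ == "__main__":
    import sys
    for enc, orig in find_pairs(sys.argv[1], sys.argv[2]):
        print(f"{enc}  <->  {orig}")
```

Run it against a copy of the damaged data after the malware has been removed, passing the damaged folder and the backup folder as the two arguments.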

Finally, you should always think about protection against crypto-ransomware. To protect your computer from MerryChristmas and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Olivia Morelli - Ransomware analyst

  • Jukebox

    Malware developers feeling festive, huh.

  • Hreinegrd

    Thanks for holiday wishes, now I want my files back!!!

  • Shaynz

    Thank God I had a backup. I don't know what I would do if I lost all my files at once!