Mespinoza virus Removal Guide
What is Mespinoza ransomware?
Mespinoza ransomware – cryptomalware that encrypts data of local governments
Mespinoza ransomware is a data locker that mainly targets high-profile organisations and businesses worldwide
Mespinoza ransomware, otherwise known as Pysa ransomware, is a data locking virus that was first seen attacking organizations and local authorities in October 2019. Just as any other malware of this type, its main goal is to make money by locking all personal files on local and networked drives, and then ask for a ransom for decryption software. Mespinoza virus performs the encryption with the help of AES cipher and appends all files with .locked marker, preventing owners from accessing them. In later versions, the malware also uses .pysa and .newversion markers.
After file encryption, Mespinoza ransomware delivers Readme.README file, which is placed on users' desktop, as well as various other locations of Windows. In the brief note, the attackers explain what happened to victims' machines and that they need to send an email to a particular email address (multiple different ones are used, including firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, and others) to contact the Mespinoza virus authors.
|Type||File locking virus, cryptomalware|
|Also known as||Pysa ransomware|
|Malware family||Vurten malware family|
|Encryption method||The malware uses AES encryption algorithm to lock pictures, documents, databases, videos, and other personal or company files|
|Extension||Extension depends on the version of the virus – these are: .locked, .pysa, and .newversion|
|Ransom note||Readme.README is dropped into various folders on the system, as well as the desktop|
|Contactfirstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org|
|Termination||To get rid of the infection, users should scan their computers with anti-malware software. If the virus terminates the security tool, accessing Safe Mode with Networking would bypass this functionality|
There is no secure and 100% effective way of recovering data without backups. The other options as follow:
|System fix||In case termination of malware did not fix Windows and it started crashing, lagging, or suffer from stability issues, users should employ ReimageIntego or a similar tool to fix virus damage|
Mespinoza ransomware has its roots in Vurten ransomware, which was first released in April 2018 by unknown cybercriminals who demanded as much as $10,000 for the decryption software. Currently, it is unknown what the demands of this strain are, although it is likely to be high as well. The attackers ask to pay in Bitcoin, although other cryptocurrencies are sometimes accepted as well. In mid-March 2020, Mespinoza ransomware was spotted attacking local governess in France.
While there is no working Mespinoza ransomware decryptor currently available, paying cybercriminals is not advisable, as they might simply scam victims. The best way to recover data is by using backups, although there are also third-party tools that users could rely on. Nonetheless, before proceeding with the data recovery process, Mespinoza ransomware removal should be performed by using anti-malware software.
Mespinoza virus uses plenty of tricks to avoid detection
Security researchers from CERT-FR who recently dealt with Mespinoza ransomware attack on French governments claimed that it is yet unclear how the threat is propagated, although some indicators pointed that brute-forcing and Remote Desktop connection is most likely used. Nevertheless, because malware mainly focuses on companies instead of regular users, another common tactic – spear phishing – might also be employed by malicious actors.
Mespinoza virus is the latest ransomware family that joined the “big game hunting” – a tactic used to attack high-profile organizations in the hopes of extorting larger sums of ransoms. Other known strains that infect companies in targeted attacks include:
Once Mespinoza ransomware breaks into a machine, it also infects all the attached networks. Essentially, if backups are stored on these networks, they will get encrypted as well, rendering them useless, so it is vital to ensure that backups are held on a separate network or even offline. Before encrypting data, the Mespinoza file virus will deploy the PowerShell Empire penetration testing program that allows the attackers to stop anti-malware protection tools.
Mespinoza ransomware is a file locking virus that uses AES encryption algorithm to lock all data on local and networked drives
Following typical modifications to the Windows registry, deletion of Shadow Volume Copies and other changes, and creation of malicious files as well as processes, Mespinoza ransomware will also inject additional modules to Google Chrome web browser, which allows all the sensitive information to be transferred to the attackers. This is another reason to remove Mespinoza ransomware from the system as soon as possible.
After the necessary changes are made and networks infected, the malware begins a scan that targets the most commonly used files in an enterprise and home environment to cause maximum damage to victims. Since its release, Mespinoza virus used .locked, .pysa, and, most recently, .newversion file extension. Following the encryption, the malware drops a note which reads:
Every byte on any types of your devices was encrypted.
Don't try to use backups because it were encrypted too.
To get all your data back contact us:
Q: How can I make sure you don't fooling me?
A: You can send us 2 files(max 2mb).
Q: What to do to get all data back?
A: Don't restart the computer, don't move files and write us.
Q: What to tell my boss?
A: Protect Your System Amigo.
Besides encrypting data, Mespinoza ransomware also extracts certain information from the infected network, which includes a database of the company's account and password information, most likely to elevate permissions even further.
However, other malware strains that encrypted data on companies' computers started a new trend – they threaten to expose sensitive data online if the ransom is not paid, compromising operations of the organization. In some cases, such an unfortunate turn of events can lead to the company's closure and data exposure of innocent people.
To eliminate Mespinoza ransomware, a network-wide scan should be initiated and IT staff employed for the job. If the company had backups, ransom payment should never be paid (unless the attackers threaten to expose sensitive data, although it unclear whether the Mespinoza virus gathers such information). To fix the infection caused damage to the operating system, a repair software like ReimageIntego can be used.
Mespinoza ransomware is currently not decryptable, and backups is the only secure method to recover files without paying the attackers
Ransomware prevention tips
While it is currently not precisely known how Pysa ransomware is distributed, there are several precautionary measures that companies, businesses, local governments, and regular users. Ransomware strains like Djvu rely on random infection vectors such as software cracks – those who access compromised sites and download the malicious executable get infected.
Nevertheless, when it comes to companies, such a malware distribution method would not be appropriate, as it would not reach the desired targets. Due to this, the attackers employ methods that would work well for targeted attacks, such as weakly protected RDP connections, leaked credential databases, brute force attacks, and similar.
To prevent ransomware intrusions, you should be practicing the following security measures:
- Equip every computer on the network with a comprehensive anti-malware protection;
- Update each of the machines and the installed software as soon as patches are deployed;
- Do not open spam email attachments unless you are sure that they are legitimate;
- Don't allow a macro function to run on documents, PDF and other files that might be delivered via the email;
- Only allow relevant staff to use Remote Desktop connection and protect with a VPN;
- Never use a default TCP/UDP open ports;
- Employ alphanumeric passwords when connecting yo RDP or accessing the machine/network;
- Educate staff about cybersecurity and safe computer practices.
Most importantly, you should ensure that backups are constantly updated and not connected to the main network.
Mespinoza ransomware removal process
It is important to note that you should not remove Mespinoza ransomware immediately, although modules that can gather sensitive information and disable security software might point otherwise. However, if you start the virus termination before you backup encrypted files, they might be corrupted permanently. If you have a working copy of your most important files, however, you can proceed with Mespinoza ransomware removal without delays.
As previously mentioned, the termination process of the Mespinoza virus from an entire network should be performed with the help of IT professionals, as malware is known to disable the anti-virus protection upon infiltration – this can cause troubles when trying to eliminate the infection. Nevertheless, the process can be performed much easier in Safe Mode with Networking – you can find instructions on how to access it below.
If you had no backups, paying the attackers for the data recovery tool might be your only option if you desperately need your files back. However, you should first try to use third-party recovery tools or other methods listed below.
Getting rid of Mespinoza virus. Follow these steps
Manual removal using Safe Mode
To access Safe Mode with Networking, perform the following steps:
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove Mespinoza using System Restore
System Restore might sometimes be functional when trying to eliminate the virus:
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of Mespinoza. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove Mespinoza from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by Mespinoza, you can use several methods to restore them:
Data Recovery Pro method might help
Data recovery software might be capable of restoring files from the hard drive if the storage space was not overwritten by other information.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Mespinoza ransomware;
- Restore them.
Make use of Windows Previous Versions feature
In case Mespinoza ransomware failed to perform certain modifications on the infected system, Windows Previous Versions might help you restore files one-by-one.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer might be what you need
If the virus did not delete Shadow Volume Copies, this method should retrieve all your data.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
No decryption tool is currently available
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Mespinoza and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Choose a proper web browser and improve your safety with a VPN tool
Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.
Lost your files? Use data recovery software
While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.
To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.