Mpaj ransomware (Removal Instructions) - Recovery Instructions Included

Mpaj virus Removal Guide

What is Mpaj ransomware?

Mpaj ransomware – file locking malware that belongs to the notorious Djvu virus family

Mpaj ransomwareMpaj ransomware is a data locking malware that is mainly spread via software cracks

Mpaj ransomware is a data locker that was first spotted attacking users worldwide in early April of 2020 and is a part of a large malware family Djvu. The virus encrypts documents, databases, pictures, videos, and other data on a compromised computer using asymmetric RSA cipher,[1] appending .mpaj extension in the process. Suchlike modified files can no longer be opened, and victims require a specific decryption software available only from Mpaj ransomware authors.

After the data locking process, the Mpaj virus delivers a ransom note on the desktop and most of the folders – _readme.txt. According to threat actors, only they can provide the required decryption software in order to recover locked files, and they are not giving it away for free. Victims are asked to pay $490 in Bitcoin for the decryptor, but first, they have to email criminals via helpdatarestore@firemail.cc or helpmanager@mail.ch emails for negotiation purposes. In case the demands are not met within 72 hours after the infection, the cost of the tool doubles to $980. Nonetheless, users are encouraged not to contact criminals or pay for the ransom, as they should first focus on Mpaj ransomware removal and alternative data recovery methods.

Name Mpaj ransomware
Type File locking virus, cryptomalware
Family Malware is a variant of the STOP/Djvu virus family
Infiltration 99% of the time, this malware strain is delivered via pirated software installers and software cracks, keygens, loaders, and similar tools which are downloaded from insecure third-party sites (such as P2P)
Encryption method RSA is applied to lock all non-system files on the machine
File extension Personal files like pictures, videos, MS Office documents and similar data is appended with .mpaj marker
Ransom note _readme.txt is delivered to users' desktops, as well as each of the folders where locked files are located
Contact Crooks ask to email them via helpdatarestore@firemail.cc or helpmanager@mail.ch
Ransom size If the ransom is paid within 72 hours of infection, it will cost victims $490, although this sum doubles to $980 later
File recovery

The safest way to recover data is to use backups. If none are available, these are the alternative options:

  • Paying cybercriminals for the decryption tool (not recommended)
  • Using Emsisoft's decryptor (works for offline IDs only)
  • Utilizing third-party recovery software (low chance of success)
Malware removal Use reputable anti-malware software like SpyHunter 5Combo Cleaner or Malwarebytes and perform a full system scan
System fix To fix Windows after a malware attack, you should employ repair tools like FortectIntego

Mpaj ransomware is one of the versions of a well-known family – Djvu, which was first discovered back in 2017. Since then, more than 200 variants were released, previous ones being Foop, Mado, Mool, and many others. Prior to August 2019, the malware was using a less secure encryption method, which allowed security researchers to deliver tools like STOPDecrypter – it returned access to users' files for free, in some cases.

However, cybercriminals are sophisticated individuals (especially those that operate such an extensive malware strain like Djvu), and they soon realized that they need to do something to stop victims from recovering their data for free. Therefore, since August 2019, threat actors began using the asymmetric encryption algorithm RSA, fixing encryption bugs in previous versions.

Nonetheless, Emsisoft managed to release a new decryptor that works for all versions that use AES encryption, and also for later variants that use an offline ID to encrypt data, and Mpaj ransomware is one of them. Thus, experts advise users not to pay the ransom and hope that the Mpaj virus failed to contact its Command and Control server[2] during an encryption period.

If you have backups, you can simply remove Mpaj ransomware without giving too much thought to it. If you do not have a working copy of your files, you should first backup the encrypted ones before you get rid of malware from your machine. You can perform a complete Mpaj ransomware removal with the help of comprehensive anti-malware software. Note that security tools can also protect you from a malware attack; for example, these vendors detect the malicious executable under the following names:[3]

  • FileRepMalware
  • Win32.Trojan-Ransom.STOP.09RWCU
  • ML.Attribute.HighConfidence
  • Ransom:Win32/STOP.BS!MTB
  • UDS:DangerousObject.Multi.Generic
  • Trojan.DownLoader33.29260, etc.

Developers of Mpaj file virus use a seemingly primitive, yet effective way to deliver malware to as many users as possible – software cracks and pirated software installers. These tools can usually be found on insecure torrent or similar sites that host them. As soon as the malicious file, that can be named as anything, is executed, the infection routine begins.

Mpaj ransomware virusMpaj ransomware is a cryptolocker that might prevent users from accessing security-related sites and harvest sensitive information

To ensure a successful encryption, Mpaj ransomware first performs a variety of changes to Windows operating systems, which include modifications to the registry, shadow volume copy deletion, disable of startup repair function, communication establishment, and much more.

Besides making these changes, Mpaj ransomware virus can also deliver additional functionality that is not beneficial to the user in any way. Previous Djvu versions were observed being delivered along with other malware, such as data stealer AZORult. Also, it inserts an additional module that can harvest information from users' web browsers and prevent them from visiting security themed sites (by modifying Windows “hosts” file).

Upon execution of these changes, Mpaj ransomware begins to look for files to encrypt, and targets the most popular extensions like .jpg, .doc, .pdf, .odt, .txt, .zip, .log, .xls, and many more. After the relevant data is found, the virus starts encryption process, during which it displays a fake Windows Update pop-up to prevent any disruptions. It is important to note that the data does not get damaged – it is simply locked with a unique identifier which is only accessible to the attackers. This is one of the main reasons why Mpaj ransomware along with other strains became the to-go malware for money extortion purposes.

To ensure that victims get the memo and know what to do next, Mpaj ransomware drops a ransom note _readme.txt, which reads:

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-9o703iSIHn
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
helpdatarestore@firemail.cc

Your personal ID:

The ransom note is virtually identical to all the previous notes that were used by this malware, and, typically, only the contact details differ from one version to another. Nevertheless, as previously mentioned, you should consider paying the ransom as an absolute last resort, as it only profits the attackers and funds their illegal business. Besides, there is also a chance that the Mpaj decryptor will not be delivered to you in the first place, as hackers can simply ignore you after you pay.

Thus, first try to use alternative decryption methods we provide below, as you might be one of the lucky few whose files were encrypted with an offline ID. After you get rid of malware, do not forget fix damage done to the system files with the help of such tools like FortectIntego.

Mpaj ransomware encrypted filesOnce Mpaj ransomware encrypts data, recovering it without backups is difficult

Avoid ransomware infections in the future

Most likely, everybody knows that pirating software and using cracks come with great cybersecurity risks, although many tend to ignore threats and simply continue what they were doing. If you are one of those people, you should stop using software cracks immediately, as it is not only illegal but can also result in a loss of access to personal files, possibly, permanently.

Software cracks are relatively unique executables since they are designed to break a code within other software and bypass the licensing process so that the app can be used for free. Due to this functionality, almost all security applications will flag a crack as malicious, regardless if it includes malware code inside of it. Therefore, there is no effective way to verify if the tool is actually malicious (at least not for regular computer users). The best piece of advice would be to stop downloading pirated software and cracks altogether.

Additionally, there are other essential measures that should be practiced when trying not to infect the computer with malware, and that involves equipping it with advanced security software, backing the most important files, never opening attachments of suspicious emails, browsing cautiously, etc.

Backup encrypted files before terminating Mpaj ransomware

As previously mentioned, in case Mpaj ransomware removal is performed too soon or third-party tools employed before its elimination, it might result in a complete data compromise, and not even a working decryptor would be able to help you after that. Therefore, if you have no backups, make sure you put the most important files to you into an external or virtual drive before doing anything else.

Once you copy all your data, you can remove Mpaj ransomware from your system using anti-malware, although keep in mind that advanced malware might tamper with security software. In such a case, you should bypass this functionality by accessing Safe Mode with Networking – we provide the instructions for that below. Only after you are sure that the Mpaj virus, along with any other malware, is gone, you should proceed with the recovery guide listed below.

Additionally, you should access the following location and delete Windows “hosts” file in order to access security-related sites without restrictions:

C:\Windows\System32\drivers\etc\

Offer
do it now!
Download
Fortect Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Mpaj virus. Follow these steps

Manual removal using Safe Mode

To get rid of Mpaj file virus, access Safe Mode with Networking:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Mpaj using System Restore

System Restore might sometimes also be useful when trying to eliminate malware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Mpaj. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Mpaj removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Mpaj from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Mpaj, you can use several methods to restore them:

Data Recovery Pro might be useful in some cases

The less you use your Windows machine after a ransomware infection, the more chances there are for you to recover at least some files using Data Recovery Pro.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Mpaj ransomware;
  • Restore them.

make use of Windows Previous Versions feature

This method can only allow you to recover files one-by-one, so large data redemption might not be possible.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExlplorer might sometimes help you to decrypt all your files for free

In case the Mpaj ransomware failed to delete Shadow Copies, ShadowExlplorer is your best bet to recover your files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Employ Emsisoft's decryptor

If the virus used an offline ID to encrypt files on your computer, you should be able to recover them with the help of Emsisoft's decryption tool that you can download from here.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Mpaj and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

References