Severity scale:  
  (98/100)

Remove Mpaj ransomware (Removal Instructions) - Recovery Instructions Included

removal by Olivia Morelli - - | Type: Ransomware

Mpaj ransomware – file locking malware that belongs to the notorious Djvu virus family

Mpaj ransomware
Mpaj ransomware is a data locking malware that is mainly spread via software cracks

Mpaj ransomware is a data locker that was first spotted attacking users worldwide in early April of 2020 and is a part of a large malware family Djvu. The virus encrypts documents, databases, pictures, videos, and other data on a compromised computer using asymmetric RSA cipher,[1] appending .mpaj extension in the process. Suchlike modified files can no longer be opened, and victims require a specific decryption software available only from Mpaj ransomware authors.

Questions about Mpaj ransomware

After the data locking process, the Mpaj virus delivers a ransom note on the desktop and most of the folders – _readme.txt. According to threat actors, only they can provide the required decryption software in order to recover locked files, and they are not giving it away for free. Victims are asked to pay $490 in Bitcoin for the decryptor, but first, they have to email criminals via helpdatarestore@firemail.cc or helpmanager@mail.ch emails for negotiation purposes. In case the demands are not met within 72 hours after the infection, the cost of the tool doubles to $980. Nonetheless, users are encouraged not to contact criminals or pay for the ransom, as they should first focus on Mpaj ransomware removal and alternative data recovery methods.

Name Mpaj ransomware
Type File locking virus, cryptomalware
Family Malware is a variant of the STOP/Djvu virus family
Infiltration  99% of the time, this malware strain is delivered via pirated software installers and software cracks, keygens, loaders, and similar tools which are downloaded from insecure third-party sites (such as P2P)
Encryption method  RSA is applied to lock all non-system files on the machine 
File extension  Personal files like pictures, videos, MS Office documents and similar data is appended with .mpaj marker
Ransom note  _readme.txt is delivered to users' desktops, as well as each of the folders where locked files are located 
Contact  Crooks ask to email them via helpdatarestore@firemail.cc or helpmanager@mail.ch
Ransom size If the ransom is paid within 72 hours of infection, it will cost victims $490, although this sum doubles to $980 later
File recovery

The safest way to recover data is to use backups. If none are available, these are the alternative options:

  • Paying cybercriminals for the decryption tool (not recommended)
  • Using Emsisoft's decryptor (works for offline IDs only)
  • Utilizing third-party recovery software (low chance of success) 
Malware removal  Use reputable anti-malware software like SpyHunter 5Combo Cleaner or Malwarebytes and perform a full system scan 
System fix  To fix Windows after a malware attack, you should employ repair tools like Reimage Reimage Cleaner Intego 

Mpaj ransomware is one of the versions of a well-known family – Djvu, which was first discovered back in 2017. Since then, more than 200 variants were released, previous ones being Foop, Mado, Mool, and many others. Prior to August 2019, the malware was using a less secure encryption method, which allowed security researchers to deliver tools like STOPDecrypter – it returned access to users' files for free, in some cases.

However, cybercriminals are sophisticated individuals (especially those that operate such an extensive malware strain like Djvu), and they soon realized that they need to do something to stop victims from recovering their data for free. Therefore, since August 2019, threat actors began using the asymmetric encryption algorithm RSA, fixing encryption bugs in previous versions.

Nonetheless, Emsisoft managed to release a new decryptor that works for all versions that use AES encryption, and also for later variants that use an offline ID to encrypt data, and Mpaj ransomware is one of them. Thus, experts advise users not to pay the ransom and hope that the Mpaj virus failed to contact its Command and Control server[2] during an encryption period.

If you have backups, you can simply remove Mpaj ransomware without giving too much thought to it. If you do not have a working copy of your files, you should first backup the encrypted ones before you get rid of malware from your machine. You can perform a complete Mpaj ransomware removal with the help of comprehensive anti-malware software. Note that security tools can also protect you from a malware attack; for example, these vendors detect the malicious executable under the following names:[3]

  • FileRepMalware
  • Win32.Trojan-Ransom.STOP.09RWCU
  • ML.Attribute.HighConfidence
  • Ransom:Win32/STOP.BS!MTB
  • UDS:DangerousObject.Multi.Generic
  • Trojan.DownLoader33.29260, etc.

Developers of Mpaj file virus use a seemingly primitive, yet effective way to deliver malware to as many users as possible – software cracks and pirated software installers. These tools can usually be found on insecure torrent or similar sites that host them. As soon as the malicious file, that can be named as anything, is executed, the infection routine begins.

Mpaj ransomware virus
Mpaj ransomware is a cryptolocker that might prevent users from accessing security-related sites and harvest sensitive information

To ensure a successful encryption, Mpaj ransomware first performs a variety of changes to Windows operating systems, which include modifications to the registry, shadow volume copy deletion, disable of startup repair function, communication establishment, and much more.

Besides making these changes, Mpaj ransomware virus can also deliver additional functionality that is not beneficial to the user in any way. Previous Djvu versions were observed being delivered along with other malware, such as data stealer AZORult. Also, it inserts an additional module that can harvest information from users' web browsers and prevent them from visiting security themed sites (by modifying Windows “hosts” file).

Upon execution of these changes, Mpaj ransomware begins to look for files to encrypt, and targets the most popular extensions like .jpg, .doc, .pdf, .odt, .txt, .zip, .log, .xls, and many more. After the relevant data is found, the virus starts encryption process, during which it displays a fake Windows Update pop-up to prevent any disruptions. It is important to note that the data does not get damaged – it is simply locked with a unique identifier which is only accessible to the attackers. This is one of the main reasons why Mpaj ransomware along with other strains became the to-go malware for money extortion purposes.

To ensure that victims get the memo and know what to do next, Mpaj ransomware drops a ransom note _readme.txt, which reads:

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-9o703iSIHn
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
helpdatarestore@firemail.cc

Your personal ID:

The ransom note is virtually identical to all the previous notes that were used by this malware, and, typically, only the contact details differ from one version to another. Nevertheless, as previously mentioned, you should consider paying the ransom as an absolute last resort, as it only profits the attackers and funds their illegal business. Besides, there is also a chance that the Mpaj decryptor will not be delivered to you in the first place, as hackers can simply ignore you after you pay.

Thus, first try to use alternative decryption methods we provide below, as you might be one of the lucky few whose files were encrypted with an offline ID. After you get rid of malware, do not forget fix damage done to the system files with the help of such tools like Reimage Reimage Cleaner Intego.

Mpaj ransomware encrypted files
Once Mpaj ransomware encrypts data, recovering it without backups is difficult

Avoid ransomware infections in the future

Most likely, everybody knows that pirating software and using cracks come with great cybersecurity risks, although many tend to ignore threats and simply continue what they were doing. If you are one of those people, you should stop using software cracks immediately, as it is not only illegal but can also result in a loss of access to personal files, possibly, permanently.

Software cracks are relatively unique executables since they are designed to break a code within other software and bypass the licensing process so that the app can be used for free. Due to this functionality, almost all security applications will flag a crack as malicious, regardless if it includes malware code inside of it. Therefore, there is no effective way to verify if the tool is actually malicious (at least not for regular computer users). The best piece of advice would be to stop downloading pirated software and cracks altogether.

Additionally, there are other essential measures that should be practiced when trying not to infect the computer with malware, and that involves equipping it with advanced security software, backing the most important files, never opening attachments of suspicious emails, browsing cautiously, etc.

Backup encrypted files before terminating Mpaj ransomware

As previously mentioned, in case Mpaj ransomware removal is performed too soon or third-party tools employed before its elimination, it might result in a complete data compromise, and not even a working decryptor would be able to help you after that. Therefore, if you have no backups, make sure you put the most important files to you into an external or virtual drive before doing anything else.

Once you copy all your data, you can remove Mpaj ransomware from your system using anti-malware, although keep in mind that advanced malware might tamper with security software. In such a case, you should bypass this functionality by accessing Safe Mode with Networking – we provide the instructions for that below. Only after you are sure that the Mpaj virus, along with any other malware, is gone, you should proceed with the recovery guide listed below.

Additionally, you should access the following location and delete Windows “hosts” file in order to access security-related sites without restrictions:

C:\Windows\System32\drivers\etc\

Offer
do it now!
Download
Reimage Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Mpaj virus, follow these steps:

Remove Mpaj using Safe Mode with Networking

To get rid of Mpaj file virus, access Safe Mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Mpaj

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Mpaj removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Mpaj using System Restore

System Restore might sometimes also be useful when trying to eliminate malware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Mpaj. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Mpaj removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Mpaj from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Mpaj, you can use several methods to restore them:

Data Recovery Pro might be useful in some cases

The less you use your Windows machine after a ransomware infection, the more chances there are for you to recover at least some files using Data Recovery Pro.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Mpaj ransomware;
  • Restore them.

make use of Windows Previous Versions feature

This method can only allow you to recover files one-by-one, so large data redemption might not be possible.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExlplorer might sometimes help you to decrypt all your files for free

In case the Mpaj ransomware failed to delete Shadow Copies, ShadowExlplorer is your best bet to recover your files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Employ Emsisoft's decryptor

If the virus used an offline ID to encrypt files on your computer, you should be able to recover them with the help of Emsisoft's decryption tool that you can download from here.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Mpaj and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

References


Your opinion regarding Mpaj ransomware