Mpal ransomware (Virus Removal Instructions) - Decryption Methods Included

Mpal virus Removal Guide

What is Mpal ransomware?

Mpal ransomware is a highly dangerous virus encrypting your personal files for ransom

Mpal ransomwareMpal ransomware is the threat that manages to alter some of the system files, so functions of the PC are affected significantly. Mpal ransomware – the cryptovirus that adds .mpal extension to affected data and then displays the message with an offer to decrypt files after the cryptocurrency payment is made. Criminals that develop this virus and other versions of Djvu ransomware prefer Bitcoin cryptocurrency. Also, this family is known for releasing new versions constantly. This is achieved because not many things get changed in the coding, and other features like ransom note file _readme.txt or contact emails remain the same for a while.

Even though Mpal ransomware virus is the first one that came out in May 2020, it is the 223rd in this ransomware family in general. This is a threat that researchers know about and try to monitor as much as possible because of the current activity status of these campaigns and attacks. Unfortunately, the family was decryptable for a while before, but not anymore because previously useable STOPDecrypter is no longer supported. Malware creators changed the coding and methods of encryption, key generation, so experts cannot offer easy decryption procedures as before. However, some of the victims can get their files recovered with the help of the Emsisofts Djvu decrypted tool. One thing though, this tool only works for versions that use offline keys. You can determine if the key used in your case is offline or not by checking the ID in the ransom note. If it ends in t1 it is most likely offline-based.

Other versions of the DJVU and STOP ransomware now mostly use an online key generation method that allows forming a unique identification number for each affected device and victim. However, it means that malware makes the connection to a remote server each time it generates this ID, and it is needed for decryption processes too, so victims need to contact criminals to get the tool and the particular decryption key. Any communication is not safe because malware creators may have different purposes and damage your device further or ask for a bigger amount than the ransom note initially states. More on decryption alternatives below the article.

Name Mpal ransomware
Family Djvu/STOP ransomware
File extension .mpal is the particular appendix that comes at the end of the original name of the document or an image. This randomized extension is placed after the file-type determining appendix and indicates which files got encrypted. All the data becomes unopenable and useless after encoding
Ransom note _readme.txt is the file that delivers instructions for the malware victim. This file gets placed on the desktop the second data gets encoded
Contact information and
Distribution The family particularly is known for spreading malicious payloads via files that include scripts of the malware. Such data can be included on the email as an attachment or in the packages of pirated software, software cracks, game cheats
Additional features The malware can load secondary payloads of trojans or other malware. Also, this virus creates hosts to control sites that victims can visit, so anti-malware solutions cannot be accessed easily on the web. During some processes like file-locking malware also shows the fake Windows Update window to mask the background processes
Elimination To properly remove Mpal ransomware you should use anti-malware programs that can potentially detect[1] and clear cryptovirus for you
Repair Remember to repair virus damage and recover crucial parts of the system, so this threat can be deleted completely. Find affected or corrupted files with FortectIntego

Mpal ransomware is focusing on file encryption because when the access to images, documents, or archives is blocked, the user may be more eager to pay the demanded amount of cryptocurrency. Criminals promise to recover those files after the money transfer, but there is a possibility that actors can damage your machine after that.

Once the ransom note appears on the screen, you can be sure that Mpal ransomware is done with the encryption process. This happens pretty quick, and in most cases, the victim cannot notice anything suspicious. Djvu versions tend to display the Windows Update window or another fake process indication, so the slowness of the machine is not creating suspicions.

The main payload file of the virus can get dropped in advanced, way before you notice the encryption[2] or other symptoms of Mpal ransomware, so many changes that already get made in the background can affect the performance and cleaning or file recovery processes. The ransom note _readme.txt is placed on the machine as a final stage of the attack because once all the changes get made, the only thing left is to receive payments from victims:


Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID

You need to react to this attack and clear the machine from malware as soon as you receive the money-demanding message. You can remove Mpal ransomware with anti-malware tools, and the sooner you try to do so the better. Ransomware sometimes can delete the main payload after the encryption process is done, but you need to remove all the files related to the intruder before you even try to restore files or add anything new on the computer. Mpal ransomware virusMpal ransomware is the cryptovirus that can be possibly decrypted in some cases. Mpal ransomware in addition to file encryption can load trojans that steal malware or run separate scripts that focus on data extraction. There are many details that can be valuable and useful for criminals because there are new tactics of ransomware creators. They focus on getting some sensitive information from people or companies, so non-paying victims can be blackmailed after that.[3]

These facts about additional malware and changes that threat does besides encryption affect the Mpal ransomware removal significantly because it keeps AV tools, security features, and programs disabled, avoids detection. You may need to enter the Safe Mode before you can run the anti-malware tool properly, but such a method is the best way to get rid of the malware of this type.

Unfortunately, antivirus programs are not capable of recovering encoded files for you, so you need to rely on different methods for the recovery of your damaged data. Mpal ransomware is a powerful virus, so your options are narrow:

  • decryption tool that works for some versions;
  • data backups stored on the cloud or external device;
  • third-party tools designed to restore files;
  • the system features for data recovery.

Your machine should be double-checked before moving on with any of these methods, so the threat is completely terminated, and all you have to do is clear Mpal ransomware virus damage with something like FortectIntego and repair files corrupted ins system folders. Then you can rely on the more trustworthy method and replace files affected by the virus with safe copies or try to recover encoded ones. Mpal cryptovirusMpal ransomware - the virus that makes files useless and indicates affected data using .mpal appendix.

Malware spreading methods involving online services and legitimate names of companies

Ransomware typically is delivered via emails since attachments can be injected with malicious macros and scripts leading to direct payload download. Such emails trick people into opening the notification with names of shopping sites, or companies like DHL, FedEx, and so on. Those emails claim about financial information and orders or invoices, so people open documents and enable the content without notice.

Another, more common method that allows malware creators to attack victims – malicious files in particular packages and cheats or cracks. When torrent services offer such activities as getting cheatcodes for video games or cracks for legitimate software, licensed versions, there are many files that get installed. Many people cannot even notice that some executables or other types of data got added, but ransomware is loaded.

You need to pay attention to services, sources you rely on, and be more suspicious about the content you get exposed to and received emails, even though notifications seem legitimate and real.

The cleaning process starts with Mpal ransomware termination

You may need to gather some help for the best results of Mpal ransomware removal because this threat can affect much more than your personal files stored on the computer. When the threat interferes with parts of the system and disables or even damages functions, you need to take care of that damage before you proceed with data recovery.

Also, you need to remove Mpal ransomware completely from the system before you can restore those encrypted files or add copies of them from the backup. Ransomware can possibly run the second wave of encryption and damage those newly added documents or images causing permanent damage of files and even money if you paid for the possible decryption.

Mpal ransomware virus can be cleared once you deleted and terminated the malware using SpyHunter 5Combo Cleaner or Malwarebytes. These security tools or any anti-malware program that detects the intruder can perform the removal for you and clean all the repeated files or programs. Remember to restore parts of the machine using PC repair or optimization software like FortectIntego before you try to restore encoded files yourself.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Mpal virus. Follow these steps

Manual removal using Safe Mode

Remove Mpal ransomware from the system using the AV tool by rebooting the machine in Safe Mode with Networking first

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Mpal using System Restore

You may try the System Restore feature for the cleaning purpose because this method allows resetting the machine in a previous state

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Mpal. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Mpal removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Mpal from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Mpal, you can use several methods to restore them:

You can try the Data Recovery Pro as an alternative for file backups or decryption tools

Data Recovery Pro can restore files that get deleted accidentally or affected by the threat like Mpal ransomware

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Mpal ransomware;
  • Restore them.

Windows Previous Versions is the technique that helps with file recovery after ransomware infections

When the System Restore feature gets enabled, you can rely on Windows Previous Versions and restore files affected by Mpal ransomware

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer – the method for file restoring

When Shadow Volume Copies are left untouched, you can possibly rely on ShadowExplorer and restore Mpal ransomware encrypted data

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

There is a decryption tool that can possibly work for some of the Mpal ransomware victims

When Mpal ransomware uses older versions of codes and relies on simpler techniques, you can possibly decrypt data using this DJVU decryption tool

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Mpal and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Stream videos without limitations, no matter where you are

There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.

Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.

Data backups are important – recover your lost files

Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.

While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions