MRDC virus Removal Guide
What is MRDC ransomware?
MRDC ransomware will prevent you from opening your files
MRDC infection makes it impossible to open or use your personal files
Ransomware can be one of the most damaging computer infections if you do not have your files backed up on external devices. MRDC locks victims' personal files like photos, videos, and documents. It usually leaves the system files untouched because hackers do not want the users to be unable to pay the ransom in order to receive the decryption key.
The malicious program uses AES-256 and RSA-2048 cryptographic algorithms to lock the files and appends the .MRDC extension. It also adds the attackers' email address and a random string of alphanumeric characters, so if a file was named picture.jpg, after encryption, it would look like “picture.jpg.[email@example.com].randomstring.MRDC.” The files' icons also turn into blank ones.
MRDC belongs to the Matrix ransomware family that has been encrypting users' files since late 2016. Soon after people realize that something strange is happening, a ransom note is generated under the name of MRDC_README.rtf, where threat actors inform them about what is happening and what they want victims to do.
It is unclear how much money hackers want for file decryption service because they do not disclose it in the ransom note. Either way, it is not recommended to communicate with them and pay the ransom – they simply cannot be trusted. There have been times when ransomware victims sent the requested amount of Bitcoins to cybercriminals, and they never heard back from them. If you want to pay the money, you risk losing them, along with your files.
|TYPE||Ransomware, cryptovirus, data locking malware|
|MALWARE FAMILY||Matrix ransomware|
|ENCRYPTION METHOD||AES-256 + RSA-2048|
|DISTRIBUTION||Infected email attachments, peer-to-peer file sharing platforms, torrents, malicious ads|
|FILE RECOVERY||It is next to impossible to recover the files if you do not have backups or the decryption keys were not leaked; in some cases, recovery is successful with third-party software|
|ELIMINATION||Scan your machine with anti-malware software to eliminate the virus safely; this will not recover the locked files|
|SYSTEM FIX||You can avoid windows reinstallation with ReimageIntego maintenance tool, which can fix damaged files and system errors|
Ways you could have been infected
MRDC virus developers say that they infiltrated the server because of sесurity issuеs. It is unknown what vulnerabilities these hackers used exactly, but the most common way people get infected is through email. Users download malicious attachments or open links. This is especially relevant to corporate environments. Workers can be tricked into opening dangerous Microsoft Office or PDF documents, executable files, RAR, ZIP, and other archive files.
Never download attachments from senders you do not know, although sometimes malicious programs can infiltrate emails and send them from your friend's list. So no matter who sent the email, always check if it is safe to download. Double-check with the sender through a different platform.
If you do not have backups, it is possible you will never get your files back
Downloading “cracked” software from third-party pages also poses a huge risk. As cracking is illegal, the sites that distribute them are not regulated. Free tools are often infected themselves, or the malicious program is attached as a package. This is more relevant to private individuals as companies pay for software.
To limit your computers' vulnerability to a minimum, always keep the system, as well as all the apps updated. Software developers often release patches to fix newly found security flaws. Having professional security software installed can also prevent such attacks by warning you about a suspicious download.
The ransom note
The ransom note does not specify what payment hackers want
Victims receive a file containing two pages. The message is quite long:
Аll yоur vаluаblе dаtа hаs bееn еnсryptеd!
Sоrry, but wе hаvе tо infоrm yоu thаt duе tо sесurity issuеs, yоur sеrvеr wаs hасkеd. Plеаsе bе surе thаt yоur dаtа is nоt brоkеn. All yоur vаluаblе filеs wеrе еnсryptеd with strоng сryptо аlgоrithms AES-256+RSA-2048 аnd rеnаmеd. Yоu саn rеаd аbоut thеsе аlgоrithms in Gооglе. Yоur uniquе dесryptiоn kеy is sесurеly stоrеd оn оur sеrvеr аnd yоur dаtа саn bе dесryptеd fаst аnd sаfеly.
Wе саn prоvе thаt wе саn dесrypt аll yоur dаtа. Plеаsе just sеnd us 3-5 smаll еnсryptеd filеs whiсh аrе rаndоmly stоrеd оn yоur sеrvеr. Wе will dесrypt thеsе filеs аnd sеnd thеm tо yоu аs prооf. Plеаsе nоtе thаt filеs fоr frее tеst dесryptiоn shоuld nоt соntаin vаluаblе infоrmаtiоn.
As yоu knоw infоrmаtiоn is thе mоst vаluаblе rеsоurсе in thе wоrld. Thаt's why аll yоur соnfidеntiаl dаtа wаs uplоаdеd tо оur sеrvеrs. If yоu nееd prооf, just writе us аnd wе will shоw yоu thаt wе hаvе yоur filеs. If yоu will nоt stаrt а diаlоguе with us in 72 hоurs wе will bе fоrсеd tо publish yоur filеs in thе Dаrknеt. Yоur сustоmеrs аnd pаrtnеrs will bе infоrmеd аbоut thе dаtа lеаk by еmаil оr phоnе. This wаy, yоur rеputаtiоn will bе ruinеd. If yоu will nоt rеасt, wе will bе fоrсеd tо sеll thе mоst impоrtаnt infоrmаtiоn suсh аs dаtаbаsеs tо intеrеstеd pаrtiеs tо gеnеrаtе sоmе prоfit.
Plеаsе undеrstаnd thаt wе аrе just dоing оur jоb. Wе dоn't wаnt tо hаrm yоur соmpаny. Think оf this inсidеnt аs аn оppоrtunity tо imprоvе yоur sесurity. Wе аrе оpеnеd fоr diаlоguе аnd rеаdy tо hеlp yоu. Wе аrе prоfеssiоnаls, plеаsе dоn't try tо fооl us.
If yоu wаnt tо rеsоlvе this situаtiоn, plеаsе writе tо ALL оf thеsе 3 еmаil аdrеssеs:
It seems that the virus targets businesses because they talk about not wanting to harm the victims' companies. The targets can send up to 5 small files that do not have sensitive information to be decrypted to prove that they can do it. But this does not prove that all of your files will be brought back after you pay. Victims have 72 hours to contact the attackers via email because otherwise, they threaten to release all the data on the internet.
In subjеct linе please writе уоur ID: –
Impоrtаnt! Аlsо уоu cаn usе sеcurеd LIVE TОX CHАT for fast nеgоtiаtiоn with us:
1. Cоpу tо thе сlipbоаrd оur Tоx Chаt ID:
2. Оpеn yоur brоwsеr аnd fоllоw thе link: hxxps://tox.chat/download.html
3. Dоwnlоаd uTоx Chаt Cliеnt bу clicking the buttоn:
4. Еxесutе uTоx Chаt Cliеnt еxесutаblе filе:
5. Pаstе оur Tоx Chаt ID in thе fiеld and prеss enter:
6. Write us what you think necessary!
* Wе аsking tо sеnd уоur mеssаgе tо АLL оf оur 3 еmаil аdrеssеs bесаusе fоr vаriоus rеаsоns, уоur еmаil mау nоt bе dеlivеrеd.
* Оur mеssаgе mау bе rесоgnizеd аs spаm, sо bе surе tо сhесk thе spаm fоldеr.
* If wе dо nоt rеspоnd tо уоu within 24 hоurs, writе tо us frоm аnоthеr еmаil аddrеss. Usе Gmаil, уаhоо, Hоtmаil, оr аnу оthеr wеll-knоwn еmаil sеrviсе.
* Plеаsе dоn't wаstе thе timе, it will rеsult оnlу аdditinаl dаmаgе tо уоur соmpаnу!
* Plеаsе dо nоt try tо dеcrypt thе filеs yоursеlf. Wе will nоt bе аble tо hеlp yоu if filеs will bе mоdifiеd.
On the second page, victims are presented with a second contact option – live Tox chat that has end-to-end encryption. The threat actors use scare tactics to rush people into paying the ransom without thinking and trying to decrypt the files themselves.
Isolate the infected machine to prevent the virus from spreading
Some ransomware strains aim to hijack the entire network. As soon as one of the machines is infected, malware can move through WiFi networks to infect computers and encrypt files everywhere else.
The easiest way to disconnect a PC from everything is to plug out the ethernet cable. However, in the corporate environment, this might be extremely difficult to do. The method below will disconnect from all the networks, including local and the internet, isolating each machine involved.
- Type in Control Panel in Windows search and press Enter
- Go to Network and Internet
- Click Network and Sharing Center
- On the left, pick Change adapter settings
- Right-click on your connection (for example, Ethernet), and select Disable
- Confirm with Yes.
If you are using some type of cloud storage you are connected to, you should disconnect from it immediately. It is also advisable to disconnect all the external devices, such as USB flash sticks, external HDDs, etc. Once the malware elimination process is finished, you can connect your computers to the network and internet, as explained above, but by pressing Enable instead.
If you try to recover your data first, it can result in permanent loss. It can also encrypt your files the second time. It will not stop until you remove the malicious files causing it first. It would be best if you did not attempt removing the malicious program yourself. Use anti-malware tools like SpyHunter 5Combo Cleaner or Malwarebytes to scan your system. This security software should find all the related files and entries and remove them automatically for you. Automatic removal is the best option because there is less risk of leaving some of the traces behind.
Malware could prevent you from using antivirus software by turning it off. In that case, you should proceed with accessing Safe Mode first:
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Click Restart.
- Press 5 or click 5) Enable Safe Mode with Networking.
Recover files with third-party software
Only hackers hold the decryption key, which can unlock your files, so if you did not back them up previously, you possibly lost your files forever. You can try using data recovery software, but third-party programs cannot always decrypt the files. We suggest at least trying this method. Before proceeding, you have to copy the corrupted files and place them in a USB flash drive or another storage. And remember – only do this if you have already removed Wearefriends ransomware.
- Download Data Recovery Pro.
- Double-click the installer to launch it.
- Follow on-screen instructions to install the software.
- As soon as you press Finish, you can use the app.
- Select Everything or pick individual folders where you want the files to be recovered from.
- Press Next.
- At the bottom, enable Deep scan and pick which Disks you want to be scanned.
- Press Scan and wait till it is complete.
- You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
- Press Recover to retrieve your files.
Fix your OS
Performance, stability, and usability issues, to the point where a full Windows reinstall is required, are expected after malware infection. These types of infections can alter the Windows registry database, damage vital bootup and other sections, delete or corrupt DLL files, etc. Once a system file is damaged by malware, antivirus software is not able to repair it.
This is why ReimageIntego was developed. It can fix a lot of the damage caused by an infection like this. Blue Screen errors, freezes, registry errors, damaged DLLs, etc., can make your computer completely unusable. By using this maintenance tool, you could avoid Windows reinstallation.
- Download the application by clicking on the link above
- Click on the ReimageRepair.exe
- If User Account Control (UAC) shows up, select Yes
- Press Install and wait till the program finishes the installation process
- The analysis of your machine will begin immediately
- Once complete, check the results – they will be listed in the Summary
- You can now click on each of the issues and fix them manually
- If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.
Getting rid of MRDC virus. Follow these steps
Report the incident to your local authorities
Ransomware is a huge business that is highly illegal, and authorities are very involved in catching malware operators. To have increased chances of identifying the culprits, the agencies need information. Therefore, by reporting the crime, you could help with stopping the cybercriminal activities and catching the threat actors. Make sure you include all the possible details, including how did you notice the attack, when it happened, etc. Additionally, providing documents such as ransom notes, examples of encrypted files, or malware executables would also be beneficial.
Law enforcement agencies typically deal with online fraud and cybercrime, although it depends on where you live. Here is the list of local authority groups that handle incidents like ransomware attacks, sorted by country:
- USA – Internet Crime Complaint Center IC3
- United Kingdom – ActionFraud
- Canada – Canadian Anti-Fraud Centre
- Australia – ScamWatch
- New Zealand – ConsumerProtection
- Germany – Polizei
- France – Ministère de l'Intérieur
If your country is not listed above, you should contact the local police department or communications center.
How to prevent from getting ransomware
Stream videos without limitations, no matter where you are
There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.
Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.
Data backups are important – recover your lost files
Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.
While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.