Ever since the .oops virus, dubbed Marlboro came out, it has been causing nothing but trouble. This ransomware type of malware aims to append AES-128 cipher in combination with RSA-2048 algorithm to render important documents, music, databases and other important files no longer openable. The user is demanded in a ransom note to pay a hefty sum of 0.2 BTC for a decryptor which cyber-criminals kindly offer. Fortunately, now, thanks to Emsisoft researchers, like Fabian Wosar, a decryptor is publicly available and we have created instructions to help you remove this virus and decrypt .oops files for free.
Marlboro Ransomware – Quick Background
When the .oops virus was initialy discovered, infections were conducted via a .bin type of file which may be spread on social media, via e-mail or via potentially unwanted applications (PUA).
The Marlboro .oops virus immediately begins to encrypt the files on the compromised computer after modifying the registry entries. The types of files the virus scans for to encrypt are multiple:
→ .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar, .bz2, .tbk, .bak, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .aspx, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, ., .lay, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .uot, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, .dat
After encryption, Marlboro virus appends the .oops file extension to them and they can no longer be opened, looking like the following:
In addition to this, the .oops variant of Marlboro adds a rather long .html ransom note, called “_HELP_Recover_Files_.html”. This ransom note aims to scare users into paying the sum of 0.2 BTC to the cyber-criminals to get their files back.
Fortunately, now that a decryptor has been released, all you have to do is follow the instructions below to remove the Marlboro virus and hopefully decode your files.
Remove Marlboro .oops Virus
Before the actual decryption takes place, you need to make sure your PC is secure. This is why we suggest you to follow the instructions below to eradicate any malware that may be residing on your computer and this includes the Marlboro .oops virus as well.
Manually delete Marlboro .oops from your computer
Note! Substantial notification about the Marlboro .oops threat: Manual removal of Marlboro .oops requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.
Automatically remove Marlboro .oops by downloading an advanced anti-malware program
Decrypt .Oops Encrypted Files
If you have successfully secured your computer, it is time to get your files back to normal. To do this, we have successfully designed instructions that can simplify the usage of Emsisoft’s decrypter. Please follow these steps:
Step 1: Download Marlboro Decryptor from this web page and save it on your computer.
Step 2: Copy the following files into a new folder:
- One encrypted picture.
- The decrypted variant of the encrypted picture.
In case you do not have any original variants of encrypted pictures, please, make sure to use the default Windows pictures from another Windows machine not affected by this virus. They are usually located in:
N.B.: If you do not have the original version of your encrypted file, you can try getting the default image files in the %Sample Images% folder of Windows. They are usually the same for every Windows PC and you can get the encrypted image from your computer after which get the decrypted image from the infected computer. The default location of the images is the same as above.
Another alternative is to restore one or two original files using data recovery software.
Step 2: Drag an encrypted and original files on the Marlboro decrypter, just like the GIF below demonstrates:
Step 3: After the files are dropped, you should see a pop-up similar to the following:
Press OK to continue.
Step 4: After this, the primary interface of the decryptor will show:
From there choose the folders you wish to decrypt and click on the Decrypt button.
After decryption, the files should be saved in the same location where they were initially encrypted. You also have the option to choose whether to keep or discard the encrypted version of the files.
Marbolor .oops Ransomware – What to Do After Decryption
In case you have been infected by Marlboro and have decrypted your files using those instructions or need some questions answered, please let us know in the comment section below. Also, consider yourself lucky if you got your files back, because most of the ransomware victims of other viruses still cannot restore their files.
This is why we advise you to follow these security tips to strengthen your protection from ransomware viruses like Marlboro:
Advice 1: Make sure to read our general protection tips and try to make them your habit and educated others to do so as well.
Advice 2: Install an advanced anti-malware program that has an often updated real-time shield definitions and ransomware protection.
Advice 3: Seek out and download specific anti-ransomware software which is reliable.
Advice 4: Backup your files using one of the methods in this article.
Advice 5: : Make sure to use a secure web browser while surfing the world wide web.