Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Decrypt .Oops Files Encrypted by Marlboro Ransomware

This article aims to display how to remove Marlboro ransomware and decrypt .oops files encrypted by it.

Ever since the .oops virus, dubbed Marlboro came out, it has been causing nothing but trouble. This ransomware type of malware aims to append AES-128 cipher in combination with RSA-2048 algorithm to render important documents, music, databases and other important files no longer openable. The user is demanded in a ransom note to pay a hefty sum of 0.2 BTC for a decryptor which cyber-criminals kindly offer. Fortunately, now, thanks to Emsisoft researchers, like Fabian Wosar, a decryptor is publicly available and we have created instructions to help you remove this virus and decrypt .oops files for free.

Marlboro Ransomware – Quick Background

When the .oops virus was initialy discovered, infections were conducted via a .bin type of file which may be spread on social media, via e-mail or via potentially unwanted applications (PUA).

The Marlboro .oops virus immediately begins to encrypt the files on the compromised computer after modifying the registry entries. The types of files the virus scans for to encrypt are multiple:

→ .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar, .bz2, .tbk, .bak, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .aspx, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, ., .lay, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .uot, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, .dat

After encryption, Marlboro virus appends the .oops file extension to them and they can no longer be opened, looking like the following:

In addition to this, the .oops variant of Marlboro adds a rather long .html ransom note, called “_HELP_Recover_Files_.html”. This ransom note aims to scare users into paying the sum of 0.2 BTC to the cyber-criminals to get their files back.

Fortunately, now that a decryptor has been released, all you have to do is follow the instructions below to remove the Marlboro virus and hopefully decode your files.

Remove Marlboro .oops Virus

Before the actual decryption takes place, you need to make sure your PC is secure. This is why we suggest you to follow the instructions below to eradicate any malware that may be residing on your computer and this includes the Marlboro .oops virus as well.

Manually delete Marlboro .oops from your computer

Note! Substantial notification about the Marlboro .oops threat: Manual removal of Marlboro .oops requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Marlboro .oops files and objects
2.Find malicious files created by Marlboro .oops on your PC

Automatically remove Marlboro .oops by downloading an advanced anti-malware program

1. Remove Marlboro .oops with SpyHunter Anti-Malware Tool and back up your data

Decrypt .Oops Encrypted Files

If you have successfully secured your computer, it is time to get your files back to normal. To do this, we have successfully designed instructions that can simplify the usage of Emsisoft’s decrypter. Please follow these steps:

Step 1: Download Marlboro Decryptor from this web page and save it on your computer.

Step 2: Copy the following files into a new folder:

  • decrypt_Marlboro.exe
  • One encrypted picture.
  • The decrypted variant of the encrypted picture.

In case you do not have any original variants of encrypted pictures, please, make sure to use the default Windows pictures from another Windows machine not affected by this virus. They are usually located in:

For newer Windows (8, 8.1, 10):
C:\Windows\Web\Wallpaper
C:\Windows\Web\Screen
C:\Windows\Web\4K\Wallpaper\Windows\
For Windows 7 and earlier:
C:\Users\Public\Pictures
C:\Users\{Username}\Pictures

N.B.: If you do not have the original version of your encrypted file, you can try getting the default image files in the %Sample Images% folder of Windows. They are usually the same for every Windows PC and you can get the encrypted image from your computer after which get the decrypted image from the infected computer. The default location of the images is the same as above.

Another alternative is to restore one or two original files using data recovery software.

Step 2: Drag an encrypted and original files on the Marlboro decrypter, just like the GIF below demonstrates:

fenixlocker-decrypt-gif-sensorstechforum-ransowmare-com

Step 3: After the files are dropped, you should see a pop-up similar to the following:

2-decryption-key-found-fenixcrypter-sensorstechforum

Press OK to continue.

Step 4: After this, the primary interface of the decryptor will show:

philadelphia-stampado-ransomware-decrypt-sensorstechforum

From there choose the folders you wish to decrypt and click on the Decrypt button.

After decryption, the files should be saved in the same location where they were initially encrypted. You also have the option to choose whether to keep or discard the encrypted version of the files.

Marbolor .oops Ransomware – What to Do After Decryption

In case you have been infected by Marlboro and have decrypted your files using those instructions or need some questions answered, please let us know in the comment section below. Also, consider yourself lucky if you got your files back, because most of the ransomware victims of other viruses still cannot restore their files.
This is why we advise you to follow these security tips to strengthen your protection from ransomware viruses like Marlboro:

Advice 1: Make sure to read our general protection tips and try to make them your habit and educated others to do so as well.
Advice 2: Install an advanced anti-malware program that has an often updated real-time shield definitions and ransomware protection.

Advice 3: Seek out and download specific anti-ransomware software which is reliable.

Advice 4: Backup your files using one of the methods in this article.

Advice 5: : Make sure to use a secure web browser while surfing the world wide web.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.