Ever since the .oops virus, dubbed Marlboro came out, it has been causing nothing but trouble. This ransomware type of malware aims to append AES-128 cipher in combination with RSA-2048 algorithm to render important documents, music, databases and other important files no longer openable. The user is demanded in a ransom note to pay a hefty sum of 0.2 BTC for a decryptor which cyber-criminals kindly offer. Fortunately, now, thanks to Emsisoft researchers, like Fabian Wosar, a decryptor is publicly available and we have created instructions to help you remove this virus and decrypt .oops files for free.
Marlboro Ransomware – Quick Background
When the .oops virus was initialy discovered, infections were conducted via a .bin type of file which may be spread on social media, via e-mail or via potentially unwanted applications (PUA).
The Marlboro .oops virus immediately begins to encrypt the files on the compromised computer after modifying the registry entries. The types of files the virus scans for to encrypt are multiple:
→ .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar, .bz2, .tbk, .bak, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .aspx, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, ., .lay, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .uot, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, .dat
After encryption, Marlboro virus appends the .oops file extension to them and they can no longer be opened, looking like the following:
In addition to this, the .oops variant of Marlboro adds a rather long .html ransom note, called “_HELP_Recover_Files_.html”. This ransom note aims to scare users into paying the sum of 0.2 BTC to the cyber-criminals to get their files back.
Fortunately, now that a decryptor has been released, all you have to do is follow the instructions below to remove the Marlboro virus and hopefully decode your files.
Remove Marlboro .oops Virus
Before the actual decryption takes place, you need to make sure your PC is secure. This is why we suggest you to follow the instructions below to eradicate any malware that may be residing on your computer and this includes the Marlboro .oops virus as well.