
Marlboro Ransomware – Remove It and Restore .oops Files

This article will aid you to remove Marlboro ransomware completely. Follow the ransomware removal instructions given at the bottom of the article.

Marlboro ransomware is a recently discovered cryptovirus. Your files will become encrypted and receive the .oops extension when the encryption process is finished. Then the Marlboro ransomware displays a ransom message with demands for payment. Read below to see what ways you could try to restore some of your files.

Update! There is now a decryptor tool for the Marlboro ransomware! The tool is released by Emsisoft and can be found on the Emsisoft Decrypter for Marlboro page. “To use the decrypter, you will require an encrypted file of at least 640 bytes in size as well as its unencrypted version.”

Threat Summary

Name: Marlboro
Type: Ransomware
Short Description: The ransomware encrypts files on your computer, allegedly with RSA-2048 combined with AES-128 bit encryption.
Symptoms: The ransomware will encrypt your files and put the .oops extension on each of those files when encryption is done.
Distribution Method: Spam Emails, Email Attachments
Detection Tool: See If Your System Has Been Affected by Marlboro
User Experience: Join Our Forum to Discuss Marlboro.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Marlboro Ransomware – Distribution

The Marlboro ransomware can be distributed using different tactics. The dropper that delivers the ransomware payload is spread as a binary named “u00000.EXE.bin”; its analysis on the VirusTotal website can be seen in the screenshot below:

The payload dropper might also be distributed on social media networks and file-sharing services. Freeware programs found on the Web might be promoted as useful but could also be hiding the downloader of the payload. Refrain from opening files right after you have downloaded them, especially if they come from dubious sources, such as emails from unknown senders. Instead, you should first scan the files with a security tool and check the size and signature of each of those files for anything out of the ordinary. You should read the ransomware prevention tips thread in the forum section.

Marlboro Ransomware – Description

Marlboro ransomware is a cryptovirus. Countries that it is currently targeting are Serbia, Malaysia, Costa Rica and the Czech Republic. The ransomware will encrypt files on your computer and append the same extension to all of them after the encryption process is complete.

Marlboro ransomware could make entries in the Windows Registry to achieve persistence. Those registry entries are usually designed in a way that will start the virus automatically with each launch of the Windows Operating System.

The ransom note will appear after the completion of the encryption process. The note states what the demands of the cybercriminals are for the ransom price, along with all other instructions and demands for decrypting your data. The note is contained in a file called _HELP_Recover_Files_.html. You can check out the ransom note in the snapshot provided below:

The ransom note reads the following:

!!! IMPORTANT INFORMATION !!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about RSA and AES can be found here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is only possible with private key and decrypt program, which is on our secret server.
To receive your private key you need to make payment to us.
After you make payment run program called ‘DecryptFiles’ that is located on your Desktop and your Documents.
Program will automatically decrypt all of your files!

If you try to decrypt files with another software your files can be forever lost.

How to buy decrypter?

1. You can make a payment with BitCoins, there are many methods to get them.

2. You should register BitCoin Wallet

3. Purchase Bitcoins – Although it is not very easy to buy bitcoins, it is getting simpler every day.

Here are our recommendations:

Localbitcoins.com (WU) – Buy Bitcoins with Western Union
Coincafe.com – Recommended for fast, simple service.
Localbitcoins.com Service allows you to search for people in your community willing to sell bitcoins to you directly.
CEX.IO – Buy Bitcoins with VISA/MASTERCARD or Wire Transfer
btcdirect.eu – THE BEST FOR EUROPE

4. Send 0.2 BTC to Bitcoin address:

5. After you make payment, run program called ‘DecryptFiles’ that is located on your Desktop and your Documents.
Program will automatically decrypt all of your files!

The criminals behind the Marlboro ransomware want 0.2 BitCoin for decryption. The virus also puts a custom decryptor on your Desktop, as you can see from the screenshot below:

However, according to malware researchers, the ransomware is decryptable even without paying. You should NOT under any circumstances pay those crooks. Nobody can guarantee that your files will actually be recovered. Moreover, you should never give money to criminals, as this will most likely just support them financially and give them enough motivation to create more ransomware viruses or get involved in other criminal activities.

Below you can see the full list with file extensions that the Marlboro ransomware searches to encrypt.

→.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar, .bz2, .tbk, .bak, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .aspx, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .uot, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, .dat

Extensions List Source: MalwareHunterTeam

Every file that gets encrypted receives the same appended extension, .oops. The encryption is a combination of 2048-bit RSA and 128-bit AES, or at least that is what the ransom note states.

The Marlboro cryptovirus is reported by malware researchers to erase the Shadow Volume Copies from the Windows operating system by running the following command in the Command Prompt, which removes the built-in option of restoring previous versions of files:

→vssadmin.exe delete shadows /all /Quiet
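As an added example (not code from the original article or from any vendor it mentions), the following Python script shows two defender-side checks that follow from the indicators above: flagging the shadow-copy deletion command in process-creation telemetry, and triaging a file listing for .oops files, the _HELP_Recover_Files_.html note, and any encrypted/unencrypted pairs of the kind the Emsisoft decrypter asks for. The log lines, hostnames, user names and paths are constructed for this example; the size requirement (at least 640 bytes) is not checked because the listing carries no sizes.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation log (host,user,command line); not real telemetry.
SAMPLE_PROCESS_LOG = """\
WS01,alice,C:\\Windows\\System32\\vssadmin.exe list shadows
WS01,alice,"C:\\Program Files\\Editor\\editor.exe" report.docx
WS02,bob,vssadmin.exe delete shadows /all /Quiet
WS02,bob,cmd.exe /c VSSADMIN Delete Shadows /All /quiet
"""

# Matches any vssadmin shadow deletion regardless of case, path or switch order;
# the article reports the exact form "vssadmin.exe delete shadows /all /Quiet".
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

def find_shadow_deletion(log_text):
    """Return (host, user, command) for every line that deletes shadow copies."""
    hits = []
    for line in log_text.splitlines():
        host, user, cmd = line.split(",", 2)  # command line may itself contain commas
        if SHADOW_DELETE.search(cmd):
            hits.append((host, user, cmd))
    return hits

RANSOM_NOTE = "_HELP_Recover_Files_.html"   # note file name from the article
ENCRYPTED_EXT = ".oops"                      # extension appended to encrypted files

# Constructed directory listing for this example (assumed paths).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.oops",
    r"C:\Users\alice\Documents\_HELP_Recover_Files_.html",
    r"C:\Users\alice\Pictures\holiday.jpg.oops",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Desktop\notes.txt",
]

def triage_listing(paths):
    """Split a listing into encrypted files, ransom notes and (original, encrypted) pairs."""
    encrypted, notes, pairs = [], [], []
    present = set(paths)
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name == RANSOM_NOTE:
            notes.append(p)
        elif wp.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(p)
            original = p[:-len(ENCRYPTED_EXT)]   # strip ".oops" to get the original name
            if original in present:              # unencrypted copy still on disk
                pairs.append((original, p))
    return {"encrypted": encrypted, "notes": notes, "pairs": pairs}
```

A pair found by triage_listing is a candidate input for the decrypter only if the encrypted file is at least 640 bytes, which should be checked on the real files.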

Read on through and find out what kind of ways you can try out to restore some of your files.

Remove Marlboro Ransomware and Restore .oops Files

If your computer got infected with the Marlboro ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Manually delete Marlboro from your computer

Note! Important notice about the Marlboro threat: manual removal of Marlboro requires interference with system files and registries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Marlboro files and objects
2. Find malicious files created by Marlboro on your PC

Automatically remove Marlboro by downloading an advanced anti-malware program

1. Remove Marlboro with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Marlboro
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
