Marlboro Ransomware - Remove It and Restore .oops Files

This article will aid you to remove Marlboro ransomware completely. Follow the ransomware removal instructions given at the bottom of the article.

Marlboro ransomware is a recently discovered cryptovirus. It encrypts your files and appends the .oops extension to each of them once the encryption process has finished; it then displays a ransom message demanding payment. Read below to see which methods you could try in order to restore some of your files.

Threat Summary

Short Description: The ransomware encrypts files on your computer, allegedly with RSA-2048 combined with AES-128.
Symptoms: The ransomware encrypts your files and appends the .oops extension to each of them when encryption is done.
Distribution Method: Spam Emails, Email Attachments

Marlboro Ransomware – Update

Update! A decryptor tool for the Marlboro ransomware is now available. It was released by Emsisoft and can be found on the Emsisoft Decrypter for Marlboro page. “To use the decrypter, you will require an encrypted file of at least 640 bytes in size as well as its unencrypted version”. Note that you should first remove the ransomware with an anti-malware tool, to make sure it does not encrypt your files again after decryption.

Marlboro Ransomware – Distribution

The Marlboro ransomware can be distributed using different tactics. The dropper that delivers the payload file containing the malicious script of the cryptovirus is spread as a binary. That dropper uses the name “u00000.EXE.bin”; it has been analyzed on the VirusTotal website, as shown in the screenshot below:

The payload dropper might also be distributed on social media networks and file-sharing services. Freeware programs found on the Web might be promoted as useful but could also hide the downloader of the payload. Refrain from opening files right after downloading them, especially if they come from dubious sources such as emails from unknown senders. Instead, first scan the files with a security tool and check their size and signatures for anything out of the ordinary. You should also read the ransomware prevention tips thread in the forum section.

Marlboro Ransomware – Description

Marlboro ransomware is a cryptovirus that is currently targeting Serbia, Malaysia, Costa Rica and the Czech Republic. The ransomware encrypts files on your computer and appends the same extension to all of them once the encryption process is complete.

Marlboro ransomware could create entries in the Windows Registry to achieve persistence. Such registry entries are usually designed to start the virus automatically with each launch of the Windows operating system.

The ransom note appears after the encryption process completes. It states the cybercriminals' demands for the ransom price, along with all other instructions for decrypting your data. The note is contained in a file called _HELP_Recover_Files_.html. You can check out the ransom note in the snapshot provided below:

The ransom note reads the following:


All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about RSA and AES can be found here:

Decrypting of your files is only possible with private key and decrypt program, which is on our secret server.
To receive your private key you need to make payment to us.
After you make payment run program called ‘DecryptFiles’ that is located on your Desktop and your Documents.
Program will automatically decrypt all of your files!

If you try to decrypt files with another software your files can be forever lost.

How to buy decrypter?

1. You can make a payment with BitCoins, there are many methods to get them.

2. You should register BitCoin Wallet

3. Purchase Bitcoins – Although it is not very easy to buy bitcoins, it is getting simpler every day.

Here are our recommendations: (WU) – Buy Bitcoins with Western Union – Recommended for fast, simple service. Service allows you to search for people in your community willing to sell bitcoins to you directly.
CEX.IO – Buy Bitcoins with VISA/MASTERCARD or Wire Transfer – THE BEST FOR EUROPE

4. Send 0.2 BTC to Bitcoin address:

5. After you make payment, run program called ‘DecryptFiles’ that is located on your Desktop and your Documents.
Program will automatically decrypt all of your files!

The criminals behind the Marlboro ransomware virus want 0.2 BitCoin for decryption. The virus also places a custom decryptor on your Desktop, as you can see from the screenshot below:

However, according to malware researchers, the ransomware is decryptable even without paying. You should NOT pay those crooks under any circumstances. Nobody can guarantee that your files will actually be recovered. Moreover, you should never give money to criminals, as this will most likely just support them financially and motivate them to create more ransomware viruses or get involved in other criminal activities.

Below you can see the full list with file extensions that the Marlboro ransomware searches to encrypt.

→.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar, .bz2, .tbk, .bak, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .aspx, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .uot, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, .dat

Extensions List Source: MalwareHunterTeam

Every encrypted file receives the same appended extension, .oops. The encryption algorithm is a combination of 2048-bit RSA and 128-bit AES, or at least that is what the ransom note states.
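A triage helper for an affected directory, added here as an example and not part of the original article or of any vendor tool: it picks out .oops files, recovers their original extension and checks it against an excerpt of the list above, locates the _HELP_Recover_Files_.html notes, and finds plaintext/ciphertext pairs that meet the 640-byte minimum the Emsisoft decrypter requires. The directory listing and file sizes are constructed sample data, and the ≥ 640-byte check is applied to the encrypted copy as the decrypter's note states.

```python
import ntpath

# Excerpt of the extension list the article attributes to MalwareHunterTeam.
# Matching is case-insensitive (assumption: the list mixes cases like .DOC and .docx).
TARGETED = {e.lower() for e in (
    ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".zip", ".sql",
    ".pem", ".key", ".txt", ".mdb", ".vmdk", ".bak", ".DOC", ".XLS")}
ENCRYPTED_EXT = ".oops"                     # appended to every encrypted file
RANSOM_NOTE = "_HELP_Recover_Files_.html"   # dropped alongside the files
MIN_PAIR_SIZE = 640                         # Emsisoft decrypter: encrypted file >= 640 bytes

def original_name(path: str) -> str:
    """Strip the appended .oops to recover the pre-encryption file name."""
    return path[:-len(ENCRYPTED_EXT)]

def triage(listing: dict) -> dict:
    """listing maps a Windows path to its size in bytes (on a real host, build it with
    os.walk). Returns encrypted files, ransom notes, and plaintext/ciphertext pairs that
    satisfy the decrypter's size rule; the plaintext copy must come from a backup."""
    encrypted, notes, pairs = [], [], []
    for path, size in listing.items():
        base = ntpath.basename(path)          # ntpath handles backslashes on any OS
        if base == RANSOM_NOTE:
            notes.append(path)
        elif base.lower().endswith(ENCRYPTED_EXT):
            orig = original_name(path)
            ext = ntpath.splitext(orig)[1].lower()
            encrypted.append({"path": path, "original": orig,
                              "targeted_ext": ext in TARGETED})
            if orig in listing and size >= MIN_PAIR_SIZE:
                pairs.append((orig, path))
    return {"encrypted": encrypted, "notes": notes, "decrypter_pairs": pairs}

# Constructed sample listing (not from a real infection).
SAMPLE = {
    r"C:\Users\a\Documents\budget.xlsx.oops": 20480,
    r"C:\Users\a\Documents\budget.xlsx": 20464,               # restored from backup
    r"C:\Users\a\Documents\_HELP_Recover_Files_.html": 1532,
    r"C:\Users\a\Pictures\cat.jpg.oops": 512,                 # below the 640-byte minimum
    r"C:\Users\a\Pictures\cat.jpg": 500,
    r"C:\Users\a\Desktop\notes.md.oops": 3000,                # .md is not on the published list
}

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom note(s)")
    print("decrypter pairs:", result["decrypter_pairs"])
```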

The Marlboro cryptovirus is reported by malware researchers to erase the Shadow Volume Copies from the Windows operating system using the following command in the Command Prompt:

→vssadmin.exe delete shadows /all /Quiet
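Detection logic for that command, added here as an example and not part of the original article: a rule run over process-creation events that flags any vssadmin "delete shadows" invocation regardless of case, argument order, executable path or a cmd.exe wrapper, and records whether the parent process runs from outside C:\Windows. The events and their pid|parent|image|command_line layout are constructed sample data, not a real Sysmon or EDR format.

```python
# Constructed process-creation events in a "pid|parent_image|image|command_line"
# layout; the layout is an assumption for the example, not a real Sysmon/EDR format.
SAMPLE_EVENTS = [
    r"4120|C:\Users\a\AppData\Local\Temp\u00000.EXE|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /Quiet",
    r"4188|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c VSSADMIN Delete Shadows /All /Quiet",
    r"4201|C:\Windows\System32\services.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
    r"4210|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\a\Desktop\_HELP_Recover_Files_.html",
]

def is_shadow_deletion(command_line: str) -> bool:
    """True when vssadmin is invoked with the 'delete shadows' verb. Matching is
    case-insensitive, ignores the executable's path and tolerates argument order
    or a 'cmd.exe /c' wrapper, so the article's 'vssadmin.exe delete shadows /all /Quiet'
    and 'VSSADMIN Delete Shadows /All /Quiet' both match; 'vssadmin list shadows' does not."""
    tokens = [t.strip('"').lower() for t in command_line.split()]
    for i, tok in enumerate(tokens):
        if tok.rsplit("\\", 1)[-1] in ("vssadmin", "vssadmin.exe"):
            rest = tokens[i + 1:]
            return "delete" in rest and "shadows" in rest
    return False

def parse_event(line: str) -> dict:
    pid, parent, image, cmd = line.split("|", 3)
    return {"pid": int(pid), "parent": parent, "image": image, "command_line": cmd}

def detect(events) -> list:
    """Apply the rule to raw lines; each alert records why it fired and whether the
    parent process lives outside C:\\Windows, which is how a dropper launched from a
    user profile (here the article's u00000.EXE) stands out from admin activity."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if not is_shadow_deletion(ev["command_line"]):
            continue
        cl = ev["command_line"].lower()
        ev["all_shadows"] = "/all" in cl
        ev["quiet"] = "/quiet" in cl
        ev["parent_outside_windows"] = not ev["parent"].lower().startswith("c:\\windows\\")
        alerts.append(ev)
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} parent={a['parent']} quiet={a['quiet']} "
              f"parent_outside_windows={a['parent_outside_windows']}")
```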

Read on through and find out what kind of ways you can try out to restore some of your files.

Remove Marlboro Ransomware and Restore .oops Files

If your computer got infected with the Marlboro ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware and follow the step-by-step instructions provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
