MauriGo Virus Removal – Restore .encrypted Files


This article will help you remove the MauriGo virus completely. Follow the ransomware removal instructions provided at the end of the article.

The MauriGo virus is a dangerous threat operated by an unknown hacker or criminal collective. It follows the standard behavior of most common ransomware: it encrypts sensitive data and appends the .encrypted extension to the affected files.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts files with the .encrypted extension on your computer system and demands a ransom to be paid to allegedly recover them.
Symptoms: The ransomware will encrypt your files with a strong encryption algorithm.
Distribution Method: Spam Emails, Email Attachments
Detection Tool: See If Your System Has Been Affected by MauriGo (Malware Removal Tool)
User Experience: Join Our Forum to Discuss MauriGo.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

MauriGo Virus – Distribution Ways

The MauriGo virus is distributed mainly via spam email messages. The computer hackers behind it use various strategies to coerce the victims into interacting with the dangerous elements. One way is to send hyperlinks that lead to the dangerous files; the other is to attach them directly to the email messages. In addition, the hackers can also deliver the malware through intermediary payloads; two of the most common are the following:

  • Software Installers — MauriGo virus code can be embedded in various applications by the criminals. They are made by taking the legitimate installers from the official vendor site and modifying them with the malware code. Usually popular apps are chosen such as system utilities, creativity solutions and even computer games.
  • Documents — MauriGo virus samples can be inserted into files of different types such as rich text documents, spreadsheets or presentations. When they are opened by the victims a notification prompt appears which asks the victims to enable the built-in scripts (macros). If this is done the infection begins.

Browser hijackers are the other possible carriers. These are malicious web browser plugins made compatible with the most popular browsers: Mozilla Firefox, Google Chrome, Internet Explorer, Safari, Opera and Microsoft Edge. As soon as they are installed on the victim's device, the default settings (home page, new tab page and search engine) are changed in order to redirect the user to a malware page.

MauriGo Virus – In-Depth Analysis

At the moment there is no information about the criminals behind it. The initial infection is reported to have been detected on April 12 2017, with several follow-up campaigns.

The malware engine follows a set of hardcoded instructions designed to make system recovery difficult. One of the first actions is to delete any Shadow Volume Copies it finds of sensitive user data. To restore the affected files, users will need to use data recovery software; refer to our instructions for more information.

Other changes include setting up a persistent state of execution that automatically starts the malware every time the computer is booted. Modifications can be made to the Windows Registry. If existing entries are changed, users may be unable to run certain applications or system services. Overall computer performance may also be impacted.
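The persistence described above is what a responder should look for first. The article does not say which registry locations this sample touches, so the following added example (not code from the article or from the malware) assumes the common case, the per-user and machine Run keys, and reviews a text export of them as produced by `reg export`. The sample export is constructed; the heuristics (autostart entries launched from scratch directories, or using a Windows system binary name outside System32) are the analyst's, not anything the article attributes to MauriGo.

```python
"""Review Run-key autostart entries from a `reg export` text dump and flag
entries that start from user-writable scratch locations or that borrow a
Windows system binary name while living outside System32."""
from typing import Dict, List

# Constructed sample: the shape `reg export HKCU\...\Run run.reg` produces.
# Quotes inside values are written as \" and backslashes as \\ in .reg files.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Backup"="\"C:\\Program Files\\Backup Tool\\backup.exe\" --quiet"
'''

# Assumed heuristics: locations a dropper typically writes to, and names that
# legitimate Windows binaries use only under System32.
SCRATCH_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\windows\\temp\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def _unescape(value: str) -> str:
    # .reg files write \" for an embedded quote and \\ for a backslash
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_run_entries(reg_text: str) -> List[Dict[str, str]]:
    """Return {key, name, command} for every string value under a ...\\Run key."""
    entries: List[Dict[str, str]] = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif line.startswith('"') and current_key and current_key.lower().endswith("\\run"):
            name, sep, value = line.partition('"="')
            if not sep or not value.endswith('"'):
                continue  # not a REG_SZ value line (e.g. dword: or hex: data)
            entries.append({
                "key": current_key,
                "name": name.lstrip('"'),
                "command": _unescape(value[:-1]),
            })
    return entries


def program_path(command: str) -> str:
    """Pull the executable out of a command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_entries(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the two heuristics and return the entries worth a closer look."""
    findings: List[Dict[str, object]] = []
    for entry in entries:
        path = program_path(entry["command"]).lower()
        reasons = []
        if any(d in path for d in SCRATCH_DIRS):
            reasons.append("starts from a user-writable scratch directory")
        base = path.rsplit("\\", 1)[-1]
        if base in SYSTEM_BINARY_NAMES and "\\windows\\system32\\" not in path:
            reasons.append(f"{base} is a Windows system binary name but lives outside System32")
        if reasons:
            findings.append({"name": entry["name"], "key": entry["key"], "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(parse_run_entries(SAMPLE_REG_EXPORT)):
        print(f"[!] {finding['key']}\\{finding['name']} -> {finding['path']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On the constructed export only the "WinUpdate" entry is flagged, on both counts. A real review should also cover the HKLM Run and RunOnce keys, scheduled tasks and services, since the article only says that the registry is modified, not which key.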

If changes are made to the main code, additional components can be loaded. An example add-on is a data harvesting module that can be launched right after the infection is initiated. It can be programmed to harvest strings that fall into two main categories:

  • Anonymous Metrics — They are primarily used to judge how effective the attack is. The data sets contain details about the hardware components and certain operating system metrics.
  • Personal Data — Private information is defined as data that can directly expose the user's identity. Example strings can include a person's name, address, phone number, interests, location, passwords and account credentials.

The harvested information can be fed into a stealth protection module that stops any applications which might interfere with the MauriGo virus, such as anti-virus products, debug environments and virtual machine hosts.

MauriGo Virus – Encryption Process

Once all components have executed correctly, the ransomware engine is started. Like other similar threats it uses a powerful cipher to encrypt and rename sensitive user data. One of the captured malware samples reveals that the following extensions are targeted:

.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc,
.epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv,
.mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf,
.sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c,
.cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb,
.dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

As a consequence, all affected files are renamed with the .encrypted extension. A ransom note is written to a file called READ_TO_DECRYPT.txt that reads as follows:
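Because the sample appends .encrypted after the original extension and drops READ_TO_DECRYPT.txt alongside the files, the scope of an infection can be measured from the file system alone. The following added example (not code from the article) walks a tree, tallies encrypted files by their original extension, lists where notes were dropped, and points out encrypted files whose original extension is not in the article's target list, which would suggest a different build. The directory it scans is constructed in a temporary folder; the target-extension set is a subset of the list above and is an assumption for illustration.

```python
"""Walk a directory tree after a suspected MauriGo infection and tally what was
renamed with the .encrypted suffix, what the files were before, and where the
READ_TO_DECRYPT.txt notes were dropped."""
import os
import tempfile
from collections import Counter
from typing import Dict, List, Tuple

ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_NOTE_NAME = "READ_TO_DECRYPT.txt"
# Subset of the extensions listed in the article (assumption: an encrypted file
# outside this set deserves a second look, e.g. a different build of the malware)
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".pdf",
                       ".txt", ".sql", ".zip", ".7z", ".mp4", ".png"}


def triage_tree(root: str) -> Dict[str, object]:
    """Collect encrypted files, ransom notes and an extension breakdown under root."""
    encrypted: List[Tuple[str, str]] = []
    notes: List[str] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                notes.append(full)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                # "report.docx.encrypted" -> original extension ".docx"
                original_name = name[: -len(ENCRYPTED_SUFFIX)]
                original_ext = os.path.splitext(original_name)[1].lower()
                encrypted.append((full, original_ext))
    by_ext = Counter(ext for _, ext in encrypted)
    return {
        "encrypted": encrypted,
        "notes": notes,
        "by_extension": dict(by_ext),
        "unexpected_extensions": sorted(ext for ext in by_ext if ext not in TARGETED_EXTENSIONS),
    }


def build_sample_tree() -> str:
    """Constructed sample: a scratch directory shaped like a hit user profile."""
    root = tempfile.mkdtemp(prefix="maurigo_triage_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    for folder, name in [
        (docs, "report.docx.encrypted"),
        (docs, "budget.xls.encrypted"),
        (docs, "notes.txt.encrypted"),
        (docs, "vault.kdbx.encrypted"),   # extension not in the article's list
        (docs, "readme.md"),              # untouched file
        (pics, "holiday.jpg.encrypted"),
    ]:
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder content; the real files are ciphertext
    for folder in (docs, pics):
        with open(os.path.join(folder, RANSOM_NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write("The important files on your computer have been encrypted ...\n")
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_tree())
    print(f"{len(report['encrypted'])} encrypted files, {len(report['notes'])} ransom notes")
    for ext, count in sorted(report["by_extension"].items()):
        print(f"  {ext or '(none)'}: {count}")
    if report["unexpected_extensions"]:
        print("  extensions not in the known target list:", ", ".join(report["unexpected_extensions"]))
```

Run it against a real profile or a mounted share root instead of the sample tree. The note locations tell you which directories the engine reached, which is useful for deciding whether network shares were touched and which backups to restore from.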

‘The important files on your computer have been encrypted with military grade AES-256 bit encryption.
Your documents, videos, images and other forms of data are now inaccessible, and cannot be unlocked without the decryption key.
This key is currently being stored on a remote server.
To acquire this key, please follow the instructions below before the time runs out. ([RANDOM DATE] – you have 7 days)
Prices to recover yoor files from :
1 machine on your network : 0.7 BTC
Half machines on your network (randomly chosen): 2.6 BTC
All machines on your network : 5 BTC
The BTC must be sent to this address : 19CMTC6U9KMHAn34iKXvofkA2ulNMcd823
Your hostname : [YOUR DEVICE NAME] Your identification number (it is the same for all PC encrypted on your network): ***
After you’ve send payment to our address, please go to our website (via normal browser):
If it doesn’t work please download Tor Browser on their official page and use this link instead: xxxx://ldqu4hxg2gx6af7j[.]onion/id/***
Once on the website, leave a simple comment to warn us.
After that we will reply with your decryption key(s) as soon as possible.
To demonstrate our sincerity, you can upload 2 encrypted file on the website and we will decrypt it.
Also please understand that we don’t want to taint the reliability of your business. Make a reasonable choice.
Note that if you fail to take action within this time window (7 days), the decryption key will be destroyed and access to your files will be
permanently lost.
Where to buy bitcoins (BTC) ?
Bitcoin is a popular crypto-currency. We advise you to buy coins on because of its speed and anonymity.
You will can pay with Western Union. Wire Transfer…
Of course there are much other ways to get bitcoins (ex: Coinbase), simply type on google “how to buy bitcoins”.’
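For incident handling, the useful parts of a note like the one above are the payment address, the Tor hidden service, the price tiers and the deadline. The following added example (not code from the article) extracts those from the quoted text and, before anyone copies the address into a ticket or a blocklist, checks that it is a well-formed legacy Bitcoin address (base58 alphabet, 25-byte payload, double-SHA256 checksum). The note text embedded in the block is the article's quote with its placeholders left in; the well-known genesis-block address used as a known-good control is not from the article.

```python
"""Pull actionable indicators out of a MauriGo-style ransom note and
sanity-check the Bitcoin address before it is recorded as an IoC."""
import hashlib
import re
from typing import Dict, List, Tuple

# Lines of the READ_TO_DECRYPT.txt text quoted in the article (placeholders as on the page)
NOTE = """The important files on your computer have been encrypted with military grade AES-256 bit encryption.
To acquire this key, please follow the instructions below before the time runs out. ([RANDOM DATE] - you have 7 days)
Prices to recover yoor files from :
1 machine on your network : 0.7 BTC
Half machines on your network (randomly chosen): 2.6 BTC
All machines on your network : 5 BTC
The BTC must be sent to this address : 19CMTC6U9KMHAn34iKXvofkA2ulNMcd823
Your hostname : [YOUR DEVICE NAME] Your identification number (it is the same for all PC encrypted on your network): ***
If it doesn't work please download Tor Browser on their official page and use this link instead: xxxx://ldqu4hxg2gx6af7j[.]onion/id/***
"""

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CANDIDATE_ADDRESS_RE = re.compile(r"\b[13][A-Za-z0-9]{25,34}\b")      # loose; validated below
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\[?\.\]?onion\b")  # v2 or v3, defanged or not
PRICE_RE = re.compile(r"^(.*?)\s*:\s*([0-9]+(?:\.[0-9]+)?)\s*BTC\s*$", re.MULTILINE)
DEADLINE_RE = re.compile(r"you have (\d+) days")


def base58check_ok(address: str) -> bool:
    """True if `address` is a well-formed legacy Bitcoin address: base58
    alphabet only, decodes to 25 bytes, and the trailing 4 bytes equal the
    first 4 bytes of SHA256(SHA256(leading 21 bytes))."""
    if any(ch not in BASE58_ALPHABET for ch in address):
        return False
    n = 0
    for ch in address:
        n = n * 58 + BASE58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zero_bytes = len(address) - len(address.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_zero_bytes + body
    if len(raw) != 25:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]


def extract_indicators(note: str) -> Dict[str, object]:
    """Return the payment address(es) with their validity, onion hosts (kept
    defanged), price tiers and the stated deadline in days."""
    addresses = {addr: base58check_ok(addr) for addr in CANDIDATE_ADDRESS_RE.findall(note)}
    onions = [m.group(1) + "[.]onion" for m in ONION_RE.finditer(note)]
    prices: List[Tuple[str, float]] = [(label.strip(), float(amount)) for label, amount in PRICE_RE.findall(note)]
    deadline = DEADLINE_RE.search(note)
    return {
        "btc_addresses": addresses,
        "onion_hosts": onions,
        "prices": prices,
        "deadline_days": int(deadline.group(1)) if deadline else None,
    }


if __name__ == "__main__":
    result = extract_indicators(NOTE)
    for addr, ok in result["btc_addresses"].items():
        print(f"address {addr}: {'valid base58check' if ok else 'FAILS base58check, verify before use'}")
    print("onion:", result["onion_hosts"])
    print("prices:", result["prices"])
    print("deadline (days):", result["deadline_days"])
```

Run on the quoted note, the check rejects the address as it appears in the quote: it contains a lowercase "l", which the base58 alphabet deliberately excludes along with "0", "O" and "I". That is the kind of transcription problem worth catching; take indicators from the sample itself rather than from a copied note.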

Remove MauriGo Virus and Restore .encrypted Files

If your computer system has been infected with the MauriGo ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware and follow the step-by-step instructions provided below.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
