.MERRY File Virus (Remove and Restore Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

.MERRY File Virus (Remove and Restore Files)

Article, created to show how to remove Merry Christmas ransomware and restore .MERRY files encrypted by the malware.

A ransomware virus, detected in mid-January, named Merry Christmas has been reported by malware researchers to use a very sophisticated techniques to operate, infect and encrypt files of compromised computers. This ransomware threat may use a advanced encryption ciphers to encode the data on the computers it attacks, making the files no longer able to be opened. To give the victim access back to the files, .MERRY Virus demands a payment from a well-designed ransom note page. If you have become infected by the Merry Christmas virus, we suggest reading the following material.

UPDATE! Decryption is now available for the .MERRY file extension ransomware.Please try decrypting your files using the following instructions from the related article below:

Threat Summary

NameMerry X-Mas
TypeRansomware Virus
Short DescriptionThis variant of Merry X-Mas virus encrypts files with strong encryption and asks a hefty ransom of .MERRY to be paid to the crooks to get the files back.
SymptomsEncrypted files will have the ..MERRY extension appended to them. Also adds a ransom note, named MERRY_I_LOVE_YOU_BRUCE.HTA and changes the wallpaper with a Robot-santa.
Distribution MethodSpammed e-mail attachments, URLs, JavaScript or Exploit Kit files posted all over the web.
Detection Tool See If Your System Has Been Affected by Merry X-Mas


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Merry X-Mas.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.MERRY Virus – Further Information

This virus has been deemed to be from the file encryption type. It aims to infect the user in multiple ways and then modify Windows to allow the encoding process to take place.

Infection Methods of Merry Christmas .MERRY Ransomware

In order to cause an infection that is successful, good deception Is required, because most users already have had experience with ransomware and other malware and how it infects. This is why the ones behind .MERRY use different methods and techniques to cause an infection. One of those is to make up different phishing e-mails on which the crooks pretend to be a legitimate organization have worked on a request and this is the reworked file. Ofcourse, this is just one example of the spam, distributed by .MERRY ransomware. These e-mails may contain an .hta file in a .zip archive which is the one that is causing the actual infection.

This file appears to be heavily obfuscated, due to the fact that average antivirus programs tend to skip rendering it as an actual malicious file. This means that the virus uses an expensive obfuscation software which conceals it’s actual identification of being malicious.

One of those tools is a similar exploit kit that is very expensive and not sold to just any random hacker. This replication malware is usually a more sophisticated version than the average ones sold on the deep web.

.MERRY X-Mas Ransomware- Infection Activity

As soon as the malicious file has been opened, it immediately introduces itself by adding it’s distinctive ransom note, which is not only a note, but a whole system, containing different aspects of “customer support” to the victims as shown below:

But this is not where the terror caused by the .MERRY file virus ends. The ransomware also appends a unique file extension to the encrypted files. The files which have been encrypted by this ransomware virus appear like the following:

This is primarily because .MERRY ransomware appends a sophisticated encryption algorithm which actually replaces bytes of information of those files. These bytes are enough to make the files unable to be opened again.

The types of files which this iteration of .MERRY ransomware hunts for are of various character, but one thing is in common – they are often used. These files include:

  • Documents.
  • Photos.
  • Music and other audio.
  • Videos.
  • Other files associated with often used Software.

.MERRY file ransomware is very careful not to encrypt the system Windows folders crucial to the working process of the OS, since this might damage it.

The .MERRY file virus also drops a ransom note, named MERRY_I_LOVE_YOU_BRUCE.HTA which has the following content:

TELEGRAM @comodosecunty
EMAIL comodosec@yandex.com
Any attempts to return your files with the third-party tools can be fatal for your encrypted files! The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files! There are several plain steps to restore your files but if you do not follow them we will not be able to help you!

The primary goal of this ransom note is to scare off the user and give him or her instructions on how to pay the .MERRY file virus’s ransom which is in BTC.

In addition to this, the .MERRY ransomware virus does not fool around when it comes to “not getting your files back”. The virus may actually delete the shadow volume copies of the infected computer, by using the privileged vssadmin command in Windows command prompt.

After this has been completed, the virus may either have modified the Windows Registry Editor to add custom keys in the Run or RunOnce registry sub-keys or may have dropped files in the %Startup% folder of Windows. These files may run on System Startup every time.

Remove .MERRY File Virus and Get Your Files Back

In case your computer has become infected by the MERRY ransomware virus, there is one thing that you should not do and that is to pay the ransom. The primary reasons for that is paying the ransom may not result in getting the files back and supporting cyber-crooks to spread .MERRY ransomware further is not a good idea in general. This is why the removal of this virus is strongly suggestible.

An effective method to remove the .MERRY file virus from your computer is to follow the specific removal instructions we have designed for you below. They will make sure that you will be able to safely locate and remove the files from your computer. If you do not have experience in how to manually locate all the registry entries and modified as well as touched objects in key Windows directories of the virus, security experts always advise using an advanced anti-malware tool for the removal process. The usage of such tools not only ensures full removal of all objects but also protects your computer in the future.

After already having remove the .MERRY file ransomware from your computer, we urge you to focus on getting the files back the hard way and that is to use other alternative tools. We have suggested several of those in step “2. Restore files encrypted by .MERRY Virus” below. Bear in mind, however that the tools are not 100% effective and if you try other decryptors for other viruses they may further scramble your encrypted files. So doing a backup of the encrypted files is also a necessity.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share