.Mercury Files Ransomware - How to Remove It
THREAT REMOVAL

.Mercury Files Ransomware – How to Remove It

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

This blog post has been created with the main reason to explain what is the .Mercury ransomware and how you can remove it, plus how to restore files, encrypted with the .Mercury suffix.

Yet another ransomware has been detected by security researchers to spread in several countries in Asia. The ransomware uses the .Mercury file extension which it adds to the files, encrypted by it. The virus then drops a ransom note file, called !!!READ_IT!!!.txt which has the ransom instructions on how the victim can pay money in the form of cryptocurrencies to retrieve access to his/her files. If your computer has been affected by the .Mercury files virus, we recommend that you read this article thoroughly.

Threat Summary

Name.Mercury Files Virus
TypeRansomware, Cryptovirus
Short DescriptionAims at encrypting the important files of the victim PC and then the crooks behind it ask victims to pay ransom to get them back.
SymptomsFiles are encrypted and have the .Mercury file extension. A ransom note, called !!!READ_IT!!!.txt is dropped on the user PC.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .Mercury Files Virus

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .Mercury Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.Mercury Files Virus – How Did I Get It

E-mail is one of the most common methods used by viruses, like the .Mercury ransomware virus. Usually the way it goes is criminals tend to disguise the infection file as some sort of an important document, like an invoice, receipt or other important file that may be coming from banks or big companies, like PayPal, eBay, etc. The emails are often masked in a very clever way to resemble legitimate ones:

In addition to this, the .Mercury ransomware may also be spread as a result of being uploaded on compromised websites, torrent sites or websites with low security reputation. There, the file may pose as something you may be looking to download, like:

  • Your favorite program’s installer.
  • A crack for a program or a game.
  • Some type of license activator.
  • Key generator to obtain a license.
  • Portable version of a program you want to use.

.Mercury Files Virus – More Information

When it has infected your computer, the payload dropper of .Mercury files virus may situate the malicious files of this malware in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

The malicious files are accompanied by the ransom note of .Mercury files virus. It is named !!!READ_IT!!!.txt and it has the following information embedded within it:

ATTENTION, YOUR FILES HERE ENCRYPTED

Please follow few steps below:

1.Send us your ID.

2.He can decrypt 1 file what would you make sure that we have decription tool!
3.Then you’ll get payment instruction and after payment you will get your decryption tool!
00 not try to rename files!!! Only we can decrypt all your data!

Contact us:

getmydata@india.com
nydataback@aol.com

In addition to the ransom note of this ransomware, the other malicious files may be set to perform unwanted activities, like modifying the Run and RunOnce Windows registry sub-keys and adding entries in them. This is done in order to automatically run the encryption file of .Mercury ransomware on Windows boot. The targeted sub-keys are usually the following:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

And in addition to this, the .Mercury files virus may also run a .bat file that may execute a script as an administrator which runs Windows Commands that may stop Windows Recovery, Windows Defender and also delete the shadow volme copies of the infected machine:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

Besides these actions, the virus may also perform the following actions:

  • Self-delete some files after infection.
  • Create backup copies of the malicious files in case it’s original virus file is deleted.
  • Collect the keystrokes you type, like a Trojan.
  • Obtain data about your files.
  • Relay information about the encrypted files to it’s command server.

.Mercury Files Virus – Encryption

For the .Mercury files virus to encrypt the files on the computers compromised by it, the ransomware may execute various different types of programs that perform a scan of the files. The scan detects the files based on their file types but in the same time it is also a smart scan. This is because it does not encrypt files, that are located in the system folders of Windows. The only files encrypted outside of those are usable ones, like:

  • Documents.
  • Video file types.
  • Image formats.
  • Audio file types.
  • Database files.
  • Archives.
  • Photoshop files.
  • Other popular file types.

After this ransomware encrypts the files on the infected machines by it, they immediately assume the .Mercury file extension and begin to appear like the following:

Remove .Mercury Files Virus and Restore Your Data

If you want to remove the .Mercury files virus safely, we always advise our readers to backup their files first.

For the removal process, you can proceed with the manual removal instructions underneath and use the information in this article in combination with them. If you do not seem to be able to remove the virus files, it is strongly recommended to use a more automatic approach and download and run a scan with an advanced anti-malware software. This is because such software aims to remove all of the files and objects that are associated with the .Mercury files virus and then make sure that your PC is protected against such threats in the future too.

If you want to try and recover files, encrypted by this virus, we recommend that you try the alternative suggestions for file recover we have in the “Try to restore” step underneath. They may not be 100% guarantee to recover all your files, but with their aid you may be able to at least restore some of your encrypted data.

Avatar

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...