How to remove Mpag ransomware
Mpag ransomware is one of the more recent ransomware versions to come from the Djvu/STOP ransomware family. It’s a pretty generic ransomware infection but that does not mean it’s not dangerous. Once it successfully infects a computer, it proceeds to encrypt all personal files, making them essentially useless unless users have a decryptor. But acquiring the decryptor is quite difficult and involves paying a lot of money. In many cases, file recovery may not be possible. Users who have copies of files in a backup should have no issue with file recovery. But for those without backup, file recovery will be much more difficult, if not impossible.
Ransomware distribution methods
In most cases, users pick up ransomware infections because of their bad browsing habits. Seemingly basic actions like opening unsolicited email attachments, clicking on ads while browsing questionable websites, using torrents to pirate copyrighted content, etc., can quickly bring about a serious malware infection. Thus, developing better browsing habits can help avoid a lot of malware infections.
Malicious email attachments are one of the most common ways malicious actors try to distribute malware. The emails themselves are not harmful as long as users don’t interact with them, but the moment the attachment is opened, the malware can be initiated. To carry out the spam campaign, malicious actors purchase email addresses from various hacker forums but put very little effort into writing the emails. This works in favor of users because the low effort is exactly why the emails are very easy to recognize.
One of the most obvious signs of a malicious email is a sender who claims to be from a legitimate company but whose email contains very obvious grammar or spelling mistakes. Legitimate emails from companies will very rarely have any mistakes in them because mistakes make the email look unprofessional. But for whatever reason, most malicious emails contain many mistakes. A less obvious sign is how an email addresses users. If the sender claims that users use their services but addresses them with generic words like “User”, “Customer”, “Member”, etc., it may be a sign of a malicious email. In most cases, legitimate senders address their customers by name because it may look unprofessional otherwise. A reliable way to make sure a malicious email attachment is not opened is to scan all unsolicited email attachments with anti-virus software or VirusTotal before opening them.
Using torrents to access copyrighted content is also a speedy way to infect a computer with malware. Torrent sites are often quite poorly regulated, and this allows malicious actors to upload torrents with malware in them. It’s particularly common to find malware in torrents for popular movies, TV series, video games, software, etc. Whenever some kind of new, highly-anticipated content gets released, its torrents are full of malware. So not only is pirating illegal, it’s also dangerous for the computer/data.
What does ransomware do?
Mpag is a file-encrypting malware, which means its main objective is to encrypt victims’ personal files. It will target all personal files, including photos, videos, images, documents, etc. These are the files users are most willing to pay to get back, and ransomware operators are fully aware of that. When the ransomware is done encrypting the files, they will have a .mpag extension added to them. An encrypted text.txt file would become text.txt.mpag. Unfortunately, none of the files with that extension will be openable unless they are first decrypted using a special decryptor. But getting the decryptor will be no easy task.
When the ransomware is done encrypting files, it drops a _readme.txt ransom note in every folder that contains encrypted files. The note is very generic and mostly identical to the notes dropped by other ransomware from this family, but it does explain how users can acquire the decryptor. According to the note, victims can buy the decryptor for $980. The note also mentions that there is a 50% discount for victims who make contact with the ransomware operators within the first 72 hours. Whether that is actually the case is questionable, and paying the ransom is not a particularly good idea. Users should keep in mind that they are dealing with cybercriminals. Paying is risky because there are no guarantees a decryptor will actually be sent. There is nothing to force the operators to help victims, and they are unlikely to feel any obligation. Whether to pay or not is up to the victims, but they need to be aware of the risks before making a decision.
For users who have copies of files in a backup, recovering files should not be an issue. However, it is essential that users first remove Mpag ransomware from their computers. If the ransomware was still present on the device when users connect to their backup, the backed-up files would become encrypted as well. Thus, it’s essential that users use anti-virus software to remove Mpag ransomware from their computers.
If users do not have a backup, recovering files will be problematic. The only option is to back up encrypted files and wait for a free decryptor to become available. But because ransomware from the Djvu/STOP ransomware family uses online keys to encrypt files, developing a free decryptor is difficult. The keys are unique to each victim, and unless those keys are released by the cybercriminals themselves, a free Mpag ransomware decryptor is unlikely. But it’s not impossible that it will be released eventually, which is why it’s a good idea to back up encrypted files and occasionally check safe sources like NoMoreRansom for free decryptors.
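The following is an added example, not part of the original article: a read-only Python sketch that scopes the damage by listing .mpag files and _readme.txt notes, then copies the encrypted files to a separate location with a SHA-256 manifest so they can be kept until a decryptor appears. Only the extension and note name come from the article; the function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

ENC_EXT = ".mpag"          # extension the article says is appended
NOTE_NAME = "_readme.txt"  # ransom note name given in the article

def inventory(root):
    """Return (encrypted files, folders holding a ransom note) under root."""
    encrypted, note_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENC_EXT):
                encrypted.append(Path(dirpath) / name)
            elif name.lower() == NOTE_NAME:
                note_dirs.append(Path(dirpath))
    return sorted(encrypted), sorted(note_dirs)

def preserve(root, dest):
    """Copy encrypted files to dest, keeping layout; return manifest rows."""
    root, dest = Path(root).resolve(), Path(dest).resolve()
    if root == dest or root in dest.parents:
        raise ValueError("dest must be outside the scanned tree")
    rows = []
    for src in inventory(root)[0]:
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # source files are only read, never changed
        digest = hashlib.sha256(target.read_bytes()).hexdigest()
        # with_suffix("") recovers the original name (text.txt.mpag -> text.txt)
        rows.append((rel.as_posix(), rel.with_suffix("").as_posix(), digest))
    return rows

def demo():
    """Run both steps on a constructed sample tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = Path(tmp) / "Documents", Path(tmp) / "preserved"
        (root / "photos").mkdir(parents=True)
        (root / "text.txt.mpag").write_bytes(b"constructed ciphertext")
        (root / "photos" / "a.jpg.mpag").write_bytes(b"constructed")
        (root / "photos" / "clean.jpg").write_bytes(b"untouched")
        for folder in (root, root / "photos"):
            (folder / NOTE_NAME).write_text("constructed note")
        encrypted, notes = inventory(root)
        return len(encrypted), len(notes), preserve(root, dest)
```

Run it only after the ransomware has been removed, and point dest at separate media so the preserved copies and manifest sit outside the affected system.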
Mpag ransomware removal
Ransomware is a very complex malware infection, which means users should not try to remove Mpag ransomware manually. They could accidentally cause additional damage or not fully remove the ransomware. If some of its components remain, the ransomware may be able to recover. Thus, it’s recommended to use anti-malware software to delete Mpag ransomware from the computer. Once the ransomware has been deleted, users can access their backup to start file recovery.