Ransomware is a problem that is currently running wild, and it affects more computers with each passing day. There are so many variants, and almost all of them are so dangerous, that it is easy to forget the other side of the coin: security researchers finding ways to deal with it. Emsisoft, for example, succeeded in developing decrypters for both Merry X-Mas and Marlboro, two malicious programs that had only recently appeared, in December 2016 and on January 11, 2017, respectively.
Marlboro is written in C++ and encrypts files with an XOR-based algorithm. Encrypted files get the “.oops” extension appended to their names, and the ransom note is called “_HELP_Recover_Files_.html”. The note does not provide any information on how to make a payment, so this ransomware cannot bring its developers any money. Its code also contains a bug that corrupts up to 7 bytes of each affected file. Those bytes cannot be recovered, which means your data cannot be fully restored even with the decrypter.
Before you start the decrypter, you need an encrypted file of at least 640 bytes and an unaffected copy of the same file. You also have to remove the ransomware from the system before decryption is carried out; otherwise, your files will be encrypted again. Decryption begins when both files are dragged and dropped onto the decrypter executable. The unaffected copy is needed to reconstruct the encryption key, which is then used to decrypt all the other files. It is also very important not to alter those two files in any way; you cannot even rename them, because the decrypter compares their names to discover the extension that was appended during encryption.
It is possible to create a log file if you need one, and you can also keep the encrypted files because, as mentioned above, several bytes of each file were lost during encryption and will not come back. If you are unsatisfied with the results, keep the encrypted copies and wait for a better decrypter to be released.
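To see why one encrypted file plus its unaffected copy is enough, here is an added example in Python. It is not Emsisoft's decrypter and not Marlboro's actual code: Marlboro's real key schedule and the bug that corrupts up to 7 bytes per file are not modeled. It assumes the simplest XOR scheme, a repeating key of unknown length. XORing the known plaintext with its ciphertext yields the keystream directly, the key length is the shortest period of that keystream, and the recovered key then decrypts any other file. It also mirrors the name comparison that derives the appended extension. The key, file contents and file names are constructed for the demonstration; only the 640-byte minimum is taken from the page.

```python
"""Known-plaintext recovery of a repeating-key XOR keystream.

Added example, not Emsisoft's decrypter and not Marlboro's real code. The
repeating-key model, the sample key, file contents and names are all
constructed for the demonstration; only the 640-byte minimum comes from the
page. Marlboro's 7-byte corruption bug is deliberately not modeled.
"""
import os

MIN_PAIR_SIZE = 640  # minimum size of the encrypted/original pair, per the page


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encrypting and decrypting are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    """c = p XOR k, so k = p XOR c, byte for byte. Needs no knowledge of p's
    structure: any file and its encrypted twin will do."""
    if len(plain) != len(cipher):
        raise ValueError("original and encrypted file differ in length; wrong pair?")
    if len(plain) < MIN_PAIR_SIZE:
        raise ValueError(f"pair must be at least {MIN_PAIR_SIZE} bytes, got {len(plain)}")
    return bytes(p ^ c for p, c in zip(plain, cipher))


def shortest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i + p] for every i.

    A repeating key makes the keystream periodic with the key length. The
    search stops at len(stream) // 2 so that at least two full repetitions
    are seen before a period is accepted; this is why a minimum pair size
    matters.
    """
    for p in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    raise ValueError("keystream is not periodic within the sample; not a repeating-key XOR")


def recover_key(plain: bytes, cipher: bytes) -> bytes:
    """Key-recovery step of the decrypter: keystream, then one period of it."""
    stream = recover_keystream(plain, cipher)
    return stream[: shortest_period(stream)]


def derive_extension(encrypted_name: str, original_name: str) -> str:
    """Name comparison the page describes: the appended extension is whatever
    the encrypted name carries beyond the original. Renaming either file
    breaks this, which is why the pair must be left untouched."""
    if not encrypted_name.startswith(original_name) or encrypted_name == original_name:
        raise ValueError("names do not differ by an appended extension; was a file renamed?")
    return encrypted_name[len(original_name):]


def decrypt(cipher: bytes, key: bytes) -> bytes:
    return xor_bytes(cipher, key)


def demo() -> dict:
    """End-to-end run on constructed data: one known pair unlocks a second
    file that was never seen in the clear."""
    key = b"Marlboro.oops"                       # constructed 13-byte key
    original = os.urandom(700)                   # content is irrelevant to recovery
    other = b"second document, never seen in the clear\n" * 30
    enc_original = xor_bytes(original, key)
    enc_other = xor_bytes(other, key)

    recovered_key = recover_key(original, enc_original)
    return {
        "recovered_key": recovered_key,
        "key_matches": recovered_key == key,
        "extension": derive_extension("report.docx.oops", "report.docx"),
        "other_decrypted": decrypt(enc_other, recovered_key) == other,
    }


if __name__ == "__main__":
    print(demo())
```

Two full key repetitions inside the sample are what make the period unambiguous, which is the kind of reason a decrypter imposes a minimum pair size. A cipher whose keystream never repeats would not yield to this step, so a known plaintext pair does not help against every ransomware family.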
As for Merry X-Mas, it is written in Delphi and uses a custom encryption algorithm. Affected files get the “.PEGS1”, “.MRCR1”, “.RARE1”, “.MERRY” or “.RMCM1” extension appended. The ransom note is called “YOUR_FILES_ARE_DEAD.HTA” or “MERRY_I_LOVE_YOU_BRUCE.HTA” and instructs you to write to [email protected] or to contact comodosecurity on Telegram. To decrypt files affected by this ransomware you again need one encrypted file and its original, just as with Marlboro, but here the files have to be between 64 KB and 100 MB in size. The decryption process itself is identical.
It is certainly a good sign that strides are being made in the battle against ransomware. Still, it is best to avoid infection altogether: there is a lot of it on the Internet, not every variant has a decryption tool, and the ones that do can always get new versions that require new solutions. You do not have to tremble in fear each time you go online, but you need to pay attention and be careful with what you click, especially on file-sharing services and pages that host adult content, which are notorious for infecting computers with various types of malware, ransomware among them. And, of course, delete spam emails on sight, as email remains the primary method of distributing programs created to make you part with your money. You certainly do not want to hand it to a cybercriminal who likes to have it easy.