Marlboro Ransomware Description
A new ransomware family known as Marlboro Ransomware was reported recently. Fortunately, in less than 24 hours, malware researchers tracked down the Marlboro Ransomware infection, analyzed it, and released a decryption program. The Marlboro Ransomware was first observed on January 12, being spread through spam email messages. These messages carry a malicious Microsoft Word attachment that downloads and installs the Marlboro Ransomware on the victim's computer. If your machine has been exposed to the Marlboro Ransomware, malware researchers recommend removing the Marlboro Ransomware completely with a reliable security application first and then using the available decryption utility to restore the affected files.
The Marlboro Ransomware is Related to a Highly Sophisticated Spam Campaign
The Marlboro Ransomware currently exists in two versions, targeting 32-bit and 64-bit editions of the Windows operating system. During the infection, the Marlboro Ransomware drops two different installers on the victim's computer. This technique is observed frequently in ransomware, and it is also used by other threats, such as banking Trojans and Point of Sale (PoS) malware. The Marlboro Ransomware is downloaded from free online hosting providers, which have already suspended the Marlboro Ransomware's accounts (although new ones are likely to appear in their place). Although the Marlboro Ransomware was decryptable and its hosting was publicly available, the spam campaign associated with the Marlboro Ransomware is quite sophisticated.
There is a Small Malfunction in the Marlboro Ransomware's Decryptor
The encryption method used by the Marlboro Ransomware is not particularly strong. The Marlboro Ransomware uses XOR encryption, which malware analysts cracked almost as soon as the Marlboro Ransomware infection was first detected. The files encrypted by the Marlboro Ransomware can be identified by the file extension '.oops' added to the end of each file name. The Marlboro Ransomware drops its ransom note as an HTML file named '_HELP_Recover_Files_.html' on the victim's computer. The ransom note claims that a typical, stronger encryption method (a combination of RSA and AES) was used during the attack. Below is the full text of the Marlboro Ransomware ransom note:
'!!! IMPORTANT INFORMATION !!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers. More information about RSA and AES can be found here:
Decrypting of your files is only possible with private key and decrypt program, which is on our secret server.
To receive your private key you need to make payment to us.
After you make payment run program called 'DecryptFiles' that is located on your Desktop and your Documents.
Program will automatically decrypt all of your files!
If you try to decrypt files with another software your files can be forever lost.
How to buy decrypter?
1. You can make a payment with BitCoins, there are many methods to get them.
2. You should register BitCoin Wallet
3. Purchase Bitcoins – Although it is not very easy to buy bitcoins, it is getting simpler every day.
Here are our recommendations:
Localbitcoins.com (WU) – Buy Bitcoins with Western Union
Coincafe.com – Recommended for fast, simple service.
Localbitcoins.com Service allows you to search for people in your community willing to sell bitcoins to you directly.
CEX.IO – Buy Bitcoins with VISA/MASTERCARD or Wire Transfer
btcdirect.eu – THE BEST FOR EUROPE
4. Send 0.2 BTC to Bitcoin address:
5. After you make payment, run program called 'DecryptFiles' that is located on your Desktop and your Documents.
Program will automatically decrypt all of your files!'
During its attack, the Marlboro Ransomware also drops a decryptor named 'de Marlboro,' which connects to the Command and Control server to check for the ransom payment and then decrypts the victim's files. Fortunately, PC security researchers were able to take advantage of this bundled decryptor to develop a decryption utility that is now available to computer users affected by this threat. One limitation of the utility is that the Marlboro Ransomware infection truncates a tiny portion of each file it encrypts, and that portion cannot be reconstructed during decryption. For most files, however, this will not be a significant problem.
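To illustrate why the XOR scheme described above fell so quickly, here is an added toy model (not the Marlboro Ransomware's code and not the published decryptor) of a repeating-key XOR cipher being broken with the known plaintext that every file format carries in its fixed header: ciphertext XOR header yields the key, and the key then unlocks the rest of the file. The key bytes, key length, file names, headers chosen and file contents are constructed assumptions; only the '.oops' extension comes from the write-up.

```python
# Added toy model, not the Marlboro Ransomware's code or the published decryptor:
# a repeating-key XOR scheme broken by the known plaintext in a file's magic header.
import os
from itertools import cycle
from typing import Optional, Tuple

# Constructed key; the real sample's key length and value are not known from the write-up.
SAMPLE_KEY = b"\x5a\xc3\x9e\x17"

# Most file formats start with a fixed header, which is exactly the known plaintext
# a defender needs. Two common headers serve as constructed examples.
KNOWN_HEADERS = {
    ".pdf": b"%PDF-1.7\n%",
    ".png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same operation encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def encrypt_file(name: str, content: bytes) -> Tuple[str, bytes]:
    """Model the infection: XOR the content and append '.oops' to the file name."""
    return name + ".oops", xor_bytes(content, SAMPLE_KEY)

def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Known-plaintext key recovery: ciphertext XOR plaintext yields the key stream.
    Each candidate key length is tried; only the right one re-derives the whole
    known prefix, so the prefix must be at least one byte longer than the key."""
    for n in range(1, min(max_key_len, len(known_prefix) - 1) + 1):
        candidate = xor_bytes(ciphertext[:n], known_prefix[:n])
        if xor_bytes(ciphertext[:len(known_prefix)], candidate) == known_prefix:
            return candidate
    return None

def decrypt_file(enc_name: str, ciphertext: bytes) -> Optional[Tuple[str, bytes]]:
    """Strip the '.oops' marker, look up the header for the original extension,
    recover the key from it and decrypt the whole file."""
    if not enc_name.endswith(".oops"):
        return None
    orig_name = enc_name[: -len(".oops")]
    header = KNOWN_HEADERS.get(os.path.splitext(orig_name)[1].lower())
    if header is None:
        return None
    key = recover_key(ciphertext, header)
    if key is None:
        return None
    return orig_name, xor_bytes(ciphertext, key)
```

The same recovery works for any format with a known header longer than the key; a file type without a recognisable header (or a truncated file shorter than its header) simply returns None rather than a wrong key.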
The file types targeted by the Marlboro Ransomware include the following: