
Mpal Ransomware

By GoldSparrow in Ransomware

Cybersecurity researchers have spotted a new file-encrypting Trojan dubbed the Mpal Ransomware. Upon studying this threat, they found that the Mpal Ransomware belongs to the STOP Ransomware family – the most active ransomware family of 2019.

Propagation and Encryption

Ransomware threats are often propagated via bogus emails. The fake emails in question would contain a corrupted attachment or would redirect the user to a corrupted file hosted on a third-party page. Often, the emails also would contain a fraudulent message designed to trick the user into launching the attachment or clicking on the corrupted link. This is sometimes achieved by applying various social engineering tricks and techniques. Other commonly used infection vectors include:

  • Torrent trackers.
  • Malvertising campaigns.
  • Fake application updates and downloads.
  • Bogus copies of popular software.

After the Mpal Ransomware has infected your computer, it will perform a swift scan of your system to locate the files present on your PC. Like most ransomware threats, the Mpal Ransomware is designed to target countless filetypes to cause more damage to the infiltrated host. This means that all your documents, images, audio files, presentations, spreadsheets, archives, databases, and other files would be securely encrypted by the Mpal Ransomware. When the Mpal Ransomware locks a file, it automatically alters its filename by appending a new extension, ‘.mpal’. This means that a file you named ‘silver-gloves.png’ will be renamed to ‘silver-gloves.png.mpal’ when the encryption process is through.

Researchers are well aware of the threat presented by Mpal and DJVU. Security experts continuously monitor the viruses to stay on top of the latest campaign. There was once a time when experts could decrypt DJVU viruses through STOPDecrypter, but the tool no longer works. Malware coders changed how the ransomware generates encryption and decryption codes, making it more difficult to decrypt without their help.

It may be possible to decrypt affected files through the DJVU decryption tool, but only if you have an old version of the virus that generates offline keys. Most versions of DJVU use online keys, however, and they are impossible to decrypt. The malware generates an online key needed for decryption, and that key is stored on a C2 server. Victims have to contact the malware developers to get their decryption key as well as the actual decryption tool. Experts recommend against contacting threat actors, however, as there is no guarantee they will deliver on their promise.

The Ransom Note

In the next phase of the attack, the threat drops a ransom note on the user’s computer. The name of the note is ‘_readme.txt,’ which is typical for variants of the STOP Ransomware like the Mpal Ransomware. In the note, the authors of the Mpal Ransomware state that:

  • The user’s files have been encrypted securely, and they cannot be recovered without a decryption key.
  • One file can be unlocked free of charge, which is meant to serve as proof that the threat admins have a working decryption key.
  • The decryption key costs $980.
  • Users who get in touch with the attackers within 72 hours of the attack taking place would receive a 50% discount and would have to pay $490 instead.
  • The preferred means of communication is via email – ‘’ and ‘’

The ransom note reads like the following:

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID

What Else Does Mpal Do?

Like any other kind of ransomware, this virus focuses on encrypting files and data on a computer. People are more likely to meet the demands of the attacker if they can’t access their documents, images, videos, archives, and other essential files. As you can see from the note, the attackers say all a user has to do is send the money, and they get their data back. The problem is that there is no guarantee that the threat actors won’t mess with the computer again after that. It’s possible they would re-infect the machine as soon as the decryption is over.

The ransom note is the sign that the ransomware has finished encrypting everything. The encryption process is often so fast that users won’t even notice something is happening on their computer. DJVU ransomware often displays a fake notice about a Windows Update or another process to cover for the potential slowdown caused by the virus. Users don’t suspect anything is wrong if they believe their computer is updating.

The main payload can be dropped well before a user suspects that something could be happening. The changes occur in the background without affecting anything. The virus also removes system restore points and prevents other methods of restoring files, so users feel they have no choice but to pay up. The ransom note is the last stage of the attack, as all the changes have been made by that point; all that is left is for the victim to pay the ransom and get their data back.

You should respond to the attack as soon as possible. Clear the ransomware off of your machine with an antivirus program and then get to work saving your files. The sooner you remove the ransomware from your computer, the better. Ransomware sometimes deletes the primary payload after encrypting data. Still, make sure to remove any files associated with the attack before attempting to restore old files or create new ones.
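An added example, not part of the original article: a read-only Python triage script that inventories the two artefacts the article names, files carrying the appended ‘.mpal’ extension and ‘_readme.txt’ notes, so you know which directories need restoring from backup. The function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile

ENC_EXT = ".mpal"          # appended extension, as stated in the article
NOTE_NAME = "_readme.txt"  # ransom note name, as stated in the article


def triage(root):
    """Walk root read-only and record Mpal artefacts per directory."""
    report = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            entry = report.setdefault(
                dirpath, {"encrypted": [], "note": False, "untouched": 0})
            lower = name.lower()  # Windows file names are case-insensitive
            if lower == NOTE_NAME:
                entry["note"] = True
            elif lower.endswith(ENC_EXT) and len(name) > len(ENC_EXT):
                entry["encrypted"].append(name[:-len(ENC_EXT)])  # original name
            else:
                entry["untouched"] += 1
    return report


def summarise(report):
    """Totals and the sorted list of directories holding encrypted files."""
    return {
        "encrypted_total": sum(len(e["encrypted"]) for e in report.values()),
        "notes": sum(e["note"] for e in report.values()),
        "affected_dirs": sorted(d for d, e in report.items() if e["encrypted"]),
    }


def make_sample_tree(base):
    """Constructed sample: empty files laid out like an affected profile."""
    layout = {
        "Pictures": ["silver-gloves.png.mpal", "_readme.txt"],
        "Documents": ["report.docx.mpal", "budget.xlsx.MPAL", "_readme.txt"],
        "Clean": ["notes.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for n in names:
            open(os.path.join(base, folder, n), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        make_sample_tree(base)
        print(summarise(triage(base)))
```

Point `triage()` at a user profile or a mounted disk image; it only reads directory listings and never opens or modifies the files it finds.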

Also, watch out for the potential of other viruses being added to the computer. Mpal acts as a Trojan virus as well as ransomware, loading other viruses onto the computer during infection. Criminals like to steal information such as credentials from computers and have programmed ransomware and malware to do it for them. The attackers steal sensitive information from victims in order to blackmail them into paying. This tactic is most common with industrial espionage and attacks on major targets, but it can happen to individual targets as well.

How did Mpal infect my computer?

Ransomware and other malware are mainly spread via trojans, spam campaigns, illegal activation ("cracking") tools, illegitimate updates and untrustworthy download channels. Trojans are malicious programs, some types of which can cause chain infections (i.e. download/install additional malware). Spam campaigns are used to distribute scam emails on a large scale. These deceptive emails are typically disguised as "official", "urgent", "important" and so on, and have infectious files attached to or linked inside them. Malicious files come in a variety of formats (Microsoft Office and PDF documents, archive and executable files, JavaScript, etc.); when they are opened, the infection process is jumpstarted. Rather than activating a licensed product, "cracking" tools can download/install malware. Fake updaters cause infections by abusing flaws in outdated products and/or by installing malicious software instead of the updates. Malware can be inadvertently downloaded from untrustworthy download sources, such as unofficial and free file-hosting sites, Peer-to-Peer sharing networks and other third-party downloaders.

It is not good to cooperate with cyber crooks. Not only will your money fund their criminal activity, but they may never even provide you with the decryption key needed to restore your data. This is why it is safer to remove the Mpal Ransomware from your computer with the help of a genuine anti-virus application.

