M@r1a Ransomware

By GoldSparrow in Ransomware

The M@r1a Ransomware is an encryption ransomware Trojan, first observed in November of 2018. The M@r1a Ransomware is also known as the 'BlackHeart Ransomware' due to some text strings that have been linked to this attack. Like most encryption ransomware Trojans, the M@r1a Ransomware is delivered using corrupted spam email attachments and is designed to take the victim's files hostage in order to extract a ransom payment.

What is the Objective of the M@r1a Ransomware Trojan

The M@r1a Ransomware carries out a typical version of these attacks. It typically arrives on the victim's computer via spam email attachments with embedded macro scripts that download and install the M@r1a Ransomware. Once installed, the M@r1a Ransomware uses AES and RSA encryption to make the victim's files inaccessible. The M@r1a Ransomware targets user-generated files, which may include files with the following file extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The M@r1a Ransomware marks each file it encrypts by adding the file extension '.mariacbc' to the file's name. The M@r1a Ransomware also will deliver a ransom message. The M@r1a Ransomware's ransom note takes the form of a program window titled 'M@r1a,' which contains the following text:

'Personal key:
[random characters]
[Copy to clipboard|button]
Warning: please Don't Restart or Shutdown Your PC
If do it Your Personal Files Permanently Crypted.
For Decrypt! Your Personal Just Pay 50$ or 0.002 BTC. After Pay You Can send personal key to
Telegram @MAF420 or email ma98@gmail.com
BTC Transfer Address [random characters]'

Protecting Your Data from Threats Like the M@r1a Ransomware

The best protection against threats like the M@r1a Ransomware is to have backup copies of your data. Computer users are advised to keep copies of their files stored in a safe location, such as the cloud or an independent device. Unfortunately, the M@r1a Ransomware uses an encryption method that is quite strong, and the files encrypted by the M@r1a Ransomware may remain inaccessible permanently. Because of this, the best protection is to have the ability to restore any affected files from a backup. Apart from file backups, security experts strongly advise computer users to use a malware removal tool to protect their PCs. While security software will generally not be capable of decrypting any compromised content or restoring the affected files, these programs can intercept the M@r1a Ransomware before it carries out its attack and prevent it from being installed in the first place. Since the M@r1a Ransomware is commonly delivered using spam email attachments, learning to recognize this content is also an essential part of preventing the M@r1a Ransomware attacks.
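
A triage sketch for the restore-from-backup advice above, added here as an example and not taken from the original article: it inventories files carrying the '.mariacbc' extension and checks whether a clean copy of each exists in a backup tree. The function names, the mirrored live/backup directory layout, and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".mariacbc"  # extension the article says is added to encrypted files


def find_encrypted(root):
    """Return sorted (encrypted_path, original_path) pairs found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Windows file names are case-insensitive, so compare lowercased.
            if name.lower().endswith(MARKER) and len(name) > len(MARKER):
                enc = Path(dirpath) / name
                hits.append((enc, enc.with_name(name[: -len(MARKER)])))
    return sorted(hits)


def summarize(hits):
    """Count affected files per original extension, to scope the restore."""
    return Counter(orig.suffix.lower() or "(none)" for _enc, orig in hits)


def restore_plan(hits, root, backup_root):
    """Pair each affected file with whether a backup copy exists (assumed mirrored layout)."""
    plan = []
    for _enc, orig in hits:
        rel = orig.relative_to(root)
        plan.append((rel.as_posix(), (Path(backup_root) / rel).is_file()))
    return plan


def demo():
    """Run the triage over a constructed sample tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        for rel in ("docs/report.docx.mariacbc", "docs/notes.txt", "pics/cat.JPG.MARIACBC"):
            p = live / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed sample")
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "report.docx").write_bytes(b"clean copy")
        hits = find_encrypted(live)
        return summarize(hits), restore_plan(hits, live, backup)


if __name__ == "__main__":
    counts, plan = demo()
    print(dict(counts))
    for rel, available in plan:
        print(("restore " if available else "MISSING ") + rel)
```

Files reported as MISSING have no clean copy in the backup tree and show where backup coverage needs to be extended.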
