Contents
MAQL ransomware is a file-encrypting virus that originates from STOP/DJVU ransomware family. After landing on the target computer running Windows operating system, it encrypts all personal files on it using Salsa20 algorithm and appends .maql extension to them. As a result, such files become impossible to open. For instance, file originally called 1.jpg would become 1.jpg.maql and so on. To inform confused computer user about the cyber attack and what needs to be done in order to recover files, the virus drops _readme.txt ransom note in each data folder and also desktop. The note holds a message from ransomware operators who suggest contacting them via provided emails as quickly as possible as it determines what the price of MAQL file decryption tool will be. According to the note, the victim is eligible for 50% discount if he/she writes to the attackers and pays within 72 hours. This means the decryption price will be $490 in Bitcoin. Later, the price rises to $980. The only way to contact the attackers is via email and the note contains two criminals’ addresses – supporthelp@airmail.cc and manager@mailtemp.ch.
As you probably understood, this computer virus is nothing but a virtual extortion tool. MAQL ransomware virus is designed to take your files hostage by applying military-grade encryption algorithm on them. The criminals use public encryption key to “secure” your files, however to decrypt them, a private key is required. Although cryptography itself isn’t a malicious procedure and it is used widely in securing network traffic, private information such as your login credentials, banking details and similar information, ransomware developers leverage it to block your access to your own files, offering to provide decryption tool under condition that you pay a ransom to them.
The ransomware algorithm is designed to encrypt the first 150 KB of information in each file. This method helps to ensure that data won’t be accessible, yet the whole computer is compromised quickly. In case the victim doesn’t have a data backup, the loss of important files such as work, study material or personal memories will be lost. Your chances to recover data also depends whether the ransomware uses online or offline encryption key, which we will discuss later. At this moment, you can only repair some audio and video files in certain circumstances as explained in this guide.
Speaking of the ransom note (_readme.txt), the attackers drop it in every data directory to ensure that the victim notices it. This note ensures that the computer user can still return all of his/hers files. According to the note, all data including pictures, videos, documents and archives have been locked with a secure encryption algorithm and unique key. The criminals encourage the victim to contact them via provided email addresses and send one encrypted file to them so that they can prove the decryption software works. However, they advise not to send file containing valuable data as they might refuse to decrypt it for you. The reason behind this is the criminals are afraid recovering important file would refrain the victim from paying the ransom altogether.
Later on, the note introduces the price of data decryption service. According to the note, it costs $490 if the victim contacts the criminals within 72 hours and it costs $980 if the victim contacts them after 3 days. The attackers have made the virus to record the infection timestamp once it hits your computer and provides the 50% discount for three days starting from that moment. It is believed that the attackers also want you to pay up within that given timeframe. It must be said that the cybercriminals won’t accept any other transaction method than one made in cryptocurrency. This helps to hide their identity so that they cannot be tracked down by FBI and other law enforcement agencies.
If you’re wondering whether it is worth paying the ransom, let us remind you what our team experts and cybersecurity professionals worldwide suggest regarding this matter. The same ideas are expressed by FBI and the general advice is to NOT PAY the ransom. We provide some arguments why you shouldn’t pay up:
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
MAQL ransomware virus mostly arrives at target computer system along an illegal software crack or keygen. Once launched, the virus does some preparation work by launching several build.exe and build2.exe processes, also collecting information about the computer and sending it to its Command&Control server. The virus gathers information about computer’s user name, operating system version, hardware details, list of software installed, then connects to “https[:]//api.2ip.ua/geo.json” domain to collect IP address, country code, city, longitude, latitude, zip code and time zone. The virus then checks whether computer’s country code is on the encryption exception list and terminates itself if a match is found. To explain this, the ransomware is designed to bypass attacking many Russian-speaking countries.
If the virus determines that the computer can be successfully attacked, it then tries to fetch a unique encryption key from its C&C server. If it doesn’t, it uses hardcoded encryption key instead. The key obtained from service is called “online key” and is unique per victim. If the virus uses hardcoded key, we refer to it as “offline key.” This key is identical per all STOP/DJVU variant victims affected with offline key. In such scenario, if one victim shares the decryption key with Emsisoft, it gets uploaded to the official decryption tool. However, due to protection of victim’s identity, the company doesn’t announce when the keys are obtained and uploaded.
The virus key used and victim’s ID string is then saved to files called bowsakkdestx.txt and PersonalID.txt as shown in the image below.
TIP: You can identify whether offline key was used by looking at the two last characters in your personal ID. If these characters are t1, offline key was used and you have slight chances of restoring your files in the future.
Once the encryption details are ready, the virus begins scanning entire system and encrypting files found in every folder, thus dropping _readme.txt file in them. Additionally, the ransomware launches winupdate.exe program to display a fake Windows update prompt for the user. We believe that the cybercriminals try to deceive computer users and make them believe a sudden system slowdown is caused by essential OS updates installation.
To ensure that the victim won’t be able to recover files easily, the virus also enters a task in Command Prompt to delete Volume Shadow Copies from the computer:
vssadmin.exe Delete Shadows /All /Quiet
This prevents the victim from using System Restore point as last resort. Next, the virus adds a list of website names to Windows HOSTS file and maps them to localhost IP, thus causing DNS resolution problem. These websites (one example is microsoft.com) are known to publish cybersecurity news, virus removal guides or have user forums where people can discuss topics such as ransomware removal or data recovery. As a result, whenever the user attempts to access one of these websites directly or via web search, DNS_PROBE_FINISHED_NXDOMAIN error will appear in the browser. In other words, sneaky criminals do not want victims to find help online.
The last malicious thing this ransomware does is dropping AZORULT Trojan on the system. This malware belongs to Remote Access Trojan category, which means that the attacker can remotely run commands on your computer and accomplish successful private data extraction. Some of its functionalities are listed below.
You have to take into account all the damage such malware can do to your privacy. Moreover, keeping such threats on your computer exposes you to further infections. Therefore, we strongly recommend you to remove MAQL ransomware virus along AZORULT and other potential threats installed as quickly as possible. For this matter, we recommend using a robust antivirus with real-time protection and excellent malware detection rate – INTEGO Antivirus. Afterwards, consider downloading RESTORO to repair virus damage on Windows operating system and fixing performance problems.
Name | MAQL Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | STOP/DJVU |
Encryption type | RSA Salsa20 |
Previous versions | VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here) |
Version | 339th |
Extension | .maql |
Cybercriminal emails | manager@mailtemp.ch, supporthelp@airmail.cc |
Dropper | SmokeLoader (see VirusTotal details) |
Damage | The ransomware uses Salsa20 algorithm to encrypt all files on the computer and mark them with .maql extensions. The _readme.txt note is saved into every affected folder to inform the victim about the cyberattack. The malware deletes Volume Shadow Copies from the computer and modifies Windows HOSTS file to block access to a list of domains. The virus might also compromise computer further by dropping AZORULT Trojan. |
Ransom note | _readme.txt |
Ransom demand | $490-$980 in Bitcoin |
Distribution | Victims often download this ransomware along illegal torrent downloads, cracked software, key generators or tools like KMSPico. |
Known software cracks to contain this malware | Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, League of Legends. |
Detection names | Trojan:Win32/Crypter!MTB (Microsoft), HEUR:Trojan-Ransom.Win32.Stop.gen (Kaspersky), Trojan.GenericKD.37842368 (BitDefender), ML.Attribute.HighConfidence (Symantec), FileRepMalware (Avast) see all detection name variations on VirusTotal |
Removal | Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO. |
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
Computer viruses falling under ransomware category are mostly distributed with the help of exploits, malicious email attachments, illegal downloads or fake advertisements on deceptive websites. When it comes to STOP/DJVU variants such as MAQL virus, computer users report getting infected after downloading pirated software copies via peer-to-peer file sharing agents. In other words, if you tend to look for illegal software copies on various torrent listings online, you risk exposing your computer to similar malware. Some examples of pirated copies of popular software that might contain this malware are:
Internet criminals prey on unsuspecting victims who try to install paid premium software for free. Therefore, they upload fake torrents of popular software or games to various torrent libraries online. What is even worse is that many victims tend to ignore their security software warnings after downloading such files. Often times, people assume that antivirus program falsely marks every download containing crack or key generator as malicious and proceed to open the file. Although this is true sometimes, in the majority of cases AV alerts are truthful. Remember – illegal downloads can infect you with all sorts of malware, including Trojans, cryptocurrency miners, information stealers and backdoors. It is simply not worth the risk to try and hunt for pirated software versions as this can result in much higher expenses. Legitimate software licenses cost way less than decryption software offered by ransomware operators. Besides, there is simply no way to evaluate price of your private information that cybercriminals can steal in a minute.
Our suggestion is to always look for legitimate sources to download programs from. You can go directly to software developer’s website or a trusted partner. It is better to support people who work hard to provide useful software rather than greedy criminals who try to rip you off financially after locking your own files.
Computer users should also be aware that ransomware operators often choose another attack vector based on malicious email attachments. Nowadays, they compose malicious documents in DOCX or PDF format (and many others) by injecting a script that downloads and launches the ransomware executable. Often times, this happens after victim disables Safe Mode in document preview. These email attachments often come named as “Invoice,” “Payment Information,” “Waybill,” “Order Summary,” “Parcel Tracking Details” and so on. For your security, it is best to avoid opening attachments from senders that you weren’t expecting to contact you. Never interact with email attachments or links included if the email comes as a surprise to you. Trust your common sense and be cautious even if the sender appears to be legitimate, because scammers can spoof sender’s email address nowadays. Moreover, look out for other red flags such as urgent message tone, repetitious invites to view the attachments and reply as soon as possible, grammar mistakes, suspicious-looking and weirdly placed company logos, or unfamiliar greeting line. Remember that scammers can pretend to be whatever they like, be it your colleague, boss or a well-known company representative.
Finally, do not let the frustration of becoming a ransomware victim get you in more trouble. Searching for decryption tool desperately on suspicious online websites can result in even more infections. What we want to say is that cybercriminals also target people who are already infected – so they tend to promote fake STOP/DJVU decryption tools hiding another ransomware in them. One of ransomware strains known to use this deceptive distribution technique is ZORAB. Please understand that in certain cases there is no way to recover files unless you have a backup. In case a decryptor emerges, it will be discussed and available on reputable websites and not the ones hiding on the nth page of Google search.
If you have unfortunately fallen victim to a ransomware attack, we strongly advise you to clean your computer from malware and secure it with real-time protection. You can find a free guide on how to remove MAQL ransomware virus below. We advise you to use antivirus you have (make sure you install its updates first) or if you do not have any protection, choose a security software that meets your expectations. Our team recommends and uses INTEGO Antivirus which is an excellent tool to remove existing threats and keep the system and network traffic protected 24/7. Another product you may want to download for repairing damage to Windows OS files is RESTORO.
Now, please read the given MAQL virus removal guidelines below. Additionally, take into considerations these post-malware removal recommendations:
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
MAQL Ransomware Virus Removal Guidelines
Before you try to remove MAQL Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
Now, you can search for and remove MAQL Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.
Special Offer
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU ransomware versions are grouped into old and new variants. MAQL Ransomware Virus is considered the new STOP/DJVU variant, just like VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt MAQL files, follow the given tutorial.
The MAQL decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your MAQL extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Victims of MAQL Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
You can only open MAQL files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official MAQL decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake MAQL decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Private Internet Access (PIA) VPN maintains its long-term role as a leader Private Internet Access…
XCBG ransomware aims to lock your files and demand a ransom XCBG ransomware is a…
BPQD ransomware encrypts all computer files, demands a ransom from the user BPQD ransomware is…
KQGS ransomware is a hostile computer virus designed to encrypt all of your files KQGS…
VTYM ransomware description: a virtual menace to your files stored on the computer VTYM ransomware…
FOPA ransomware is a new threatening computer virus that encrypts your files FOPA ransomware virus…
This website uses cookies.