Geek's Advice

MAQL ransomware encrypts all files on victim’s computer system, then demands a ransom

MAQL ransomware is a file-encrypting virus that originates from STOP/DJVU ransomware family. After landing on the target computer running Windows operating system, it encrypts all personal files on it using Salsa20 algorithm and appends .maql extension to them. As a result, such files become impossible to open. For instance, file originally called 1.jpg would become 1.jpg.maql and so on. To inform confused computer user about the cyber attack and what needs to be done in order to recover files, the virus drops _readme.txt ransom note in each data folder and also desktop. The note holds a message from ransomware operators who suggest contacting them via provided emails as quickly as possible as it determines what the price of MAQL file decryption tool will be. According to the note, the victim is eligible for 50% discount if he/she writes to the attackers and pays within 72 hours. This means the decryption price will be $490 in Bitcoin. Later, the price rises to $980. The only way to contact the attackers is via email and the note contains two criminals’ addresses – supporthelp@airmail.cc and manager@mailtemp.ch.

As you probably understood, this computer virus is nothing but a virtual extortion tool. MAQL ransomware virus is designed to take your files hostage by applying military-grade encryption algorithm on them. The criminals use public encryption key to “secure” your files, however to decrypt them, a private key is required. Although cryptography itself isn’t a malicious procedure and it is used widely in securing network traffic, private information such as your login credentials, banking details and similar information, ransomware developers leverage it to block your access to your own files, offering to provide decryption tool under condition that you pay a ransom to them.

The ransomware algorithm is designed to encrypt the first 150 KB of information in each file. This method helps to ensure that data won’t be accessible, yet the whole computer is compromised quickly. In case the victim doesn’t have a data backup, the loss of important files such as work, study material or personal memories will be lost. Your chances to recover data also depends whether the ransomware uses online or offline encryption key, which we will discuss later. At this moment, you can only repair some audio and video files in certain circumstances as explained in this guide.

Speaking of the ransom note (_readme.txt), the attackers drop it in every data directory to ensure that the victim notices it. This note ensures that the computer user can still return all of his/hers files. According to the note, all data including pictures, videos, documents and archives have been locked with a secure encryption algorithm and unique key. The criminals encourage the victim to contact them via provided email addresses and send one encrypted file to them so that they can prove the decryption software works. However, they advise not to send file containing valuable data as they might refuse to decrypt it for you. The reason behind this is the criminals are afraid recovering important file would refrain the victim from paying the ransom altogether.

Later on, the note introduces the price of data decryption service. According to the note, it costs $490 if the victim contacts the criminals within 72 hours and it costs $980 if the victim contacts them after 3 days. The attackers have made the virus to record the infection timestamp once it hits your computer and provides the 50% discount for three days starting from that moment. It is believed that the attackers also want you to pay up within that given timeframe. It must be said that the cybercriminals won’t accept any other transaction method than one made in cryptocurrency. This helps to hide their identity so that they cannot be tracked down by FBI and other law enforcement agencies.

If you’re wondering whether it is worth paying the ransom, let us remind you what our team experts and cybersecurity professionals worldwide suggest regarding this matter. The same ideas are expressed by FBI and the general advice is to NOT PAY the ransom. We provide some arguments why you shouldn’t pay up:

• First of all, paying the ransom doesn’t guarantee data recovery in all cases. The attackers might disappear the minute you send them your money. Other than that, you might fail to recover your files if you tried to modify them somehow.
• Ransomware attack cycle will be active as long as computer users continue to pay ransoms to extortionists. Therefore, we ask you not to support these criminals as it only helps them to recruit more skilled programmers, develop even more complex computer viruses and infect more computers worldwide.
• Ransomware operators rake up millions of US dollars annually, which lures other people to join RaaS scheme and therefore accelerate these illegal operations even more.
• STOP/DJVU ransomware variants such as MAQL virus are known to drop information-stealing Trojan called AZORULT malware on compromised hosts. Although this isn’t mentioned in the ransom note, this threat is extremely dangerous as it can allow attackers to remotely run commands to steal login credentials, browser-saved passwords and other sensitive details from your computer. This can lead to further blackmail and financial losses.

REMOVE MALWARE & REPAIR VIRUS DAMAGE

Ransomware attack in detail: what has been done to your PC

MAQL ransomware virus mostly arrives at target computer system along an illegal software crack or keygen. Once launched, the virus does some preparation work by launching several build.exe and build2.exe processes, also collecting information about the computer and sending it to its Command&Control server. The virus gathers information about computer’s user name, operating system version, hardware details, list of software installed, then connects to “https[:]//api.2ip.ua/geo.json” domain to collect IP address, country code, city, longitude, latitude, zip code and time zone. The virus then checks whether computer’s country code is on the encryption exception list and terminates itself if a match is found. To explain this, the ransomware is designed to bypass attacking many Russian-speaking countries.

If the virus determines that the computer can be successfully attacked, it then tries to fetch a unique encryption key from its C&C server. If it doesn’t, it uses hardcoded encryption key instead. The key obtained from service is called “online key” and is unique per victim. If the virus uses hardcoded key, we refer to it as “offline key.” This key is identical per all STOP/DJVU variant victims affected with offline key. In such scenario, if one victim shares the decryption key with Emsisoft, it gets uploaded to the official decryption tool. However, due to protection of victim’s identity, the company doesn’t announce when the keys are obtained and uploaded.

The virus key used and victim’s ID string is then saved to files called bowsakkdestx.txt and PersonalID.txt as shown in the image below.

TIP: You can identify whether offline key was used by looking at the two last characters in your personal ID. If these characters are t1, offline key was used and you have slight chances of restoring your files in the future.

Once the encryption details are ready, the virus begins scanning entire system and encrypting files found in every folder, thus dropping _readme.txt file in them. Additionally, the ransomware launches winupdate.exe program to display a fake Windows update prompt for the user. We believe that the cybercriminals try to deceive computer users and make them believe a sudden system slowdown is caused by essential OS updates installation.

To ensure that the victim won’t be able to recover files easily, the virus also enters a task in Command Prompt to delete Volume Shadow Copies from the computer:

^{vssadmin.exe Delete Shadows /All /Quiet}

This prevents the victim from using System Restore point as last resort. Next, the virus adds a list of website names to Windows HOSTS file and maps them to localhost IP, thus causing DNS resolution problem. These websites (one example is microsoft.com) are known to publish cybersecurity news, virus removal guides or have user forums where people can discuss topics such as ransomware removal or data recovery. As a result, whenever the user attempts to access one of these websites directly or via web search, DNS_PROBE_FINISHED_NXDOMAIN error will appear in the browser. In other words, sneaky criminals do not want victims to find help online.

The last malicious thing this ransomware does is dropping AZORULT Trojan on the system. This malware belongs to Remote Access Trojan category, which means that the attacker can remotely run commands on your computer and accomplish successful private data extraction. Some of its functionalities are listed below.

• Stealing email credentials;
• Stealing cryptocurrency wallets including Monero, uCoin;
• Stealing Skype chat history;
• Stealing Steam, Telegram credentials, also user names, passwords for different accounts saved in web browsers;
• Downloading, running or deleting files.

You have to take into account all the damage such malware can do to your privacy. Moreover, keeping such threats on your computer exposes you to further infections. Therefore, we strongly recommend you to remove MAQL ransomware virus along AZORULT and other potential threats installed as quickly as possible. For this matter, we recommend using a robust antivirus with real-time protection and excellent malware detection rate – INTEGO Antivirus. Afterwards, consider downloading RESTORO to repair virus damage on Windows operating system and fixing performance problems.

Ransomware Summary

REMOVE MALWARE & REPAIR VIRUS DAMAGE

File-encrypting malware distribution methods to be aware of

Computer viruses falling under ransomware category are mostly distributed with the help of exploits, malicious email attachments, illegal downloads or fake advertisements on deceptive websites. When it comes to STOP/DJVU variants such as MAQL virus, computer users report getting infected after downloading pirated software copies via peer-to-peer file sharing agents. In other words, if you tend to look for illegal software copies on various torrent listings online, you risk exposing your computer to similar malware. Some examples of pirated copies of popular software that might contain this malware are:

• Adobe Photoshop;
• Corel Draw;
• Fifa 20;
• Tenorshare 4ukey;
• Cubase;
• Adobe Illustrator;
• League of Legends;
• KMSPico (illegal Windows activation tool).

Internet criminals prey on unsuspecting victims who try to install paid premium software for free. Therefore, they upload fake torrents of popular software or games to various torrent libraries online. What is even worse is that many victims tend to ignore their security software warnings after downloading such files. Often times, people assume that antivirus program falsely marks every download containing crack or key generator as malicious and proceed to open the file. Although this is true sometimes, in the majority of cases AV alerts are truthful. Remember – illegal downloads can infect you with all sorts of malware, including Trojans, cryptocurrency miners, information stealers and backdoors. It is simply not worth the risk to try and hunt for pirated software versions as this can result in much higher expenses. Legitimate software licenses cost way less than decryption software offered by ransomware operators. Besides, there is simply no way to evaluate price of your private information that cybercriminals can steal in a minute.

Our suggestion is to always look for legitimate sources to download programs from. You can go directly to software developer’s website or a trusted partner. It is better to support people who work hard to provide useful software rather than greedy criminals who try to rip you off financially after locking your own files.

Computer users should also be aware that ransomware operators often choose another attack vector based on malicious email attachments. Nowadays, they compose malicious documents in DOCX or PDF format (and many others) by injecting a script that downloads and launches the ransomware executable. Often times, this happens after victim disables Safe Mode in document preview. These email attachments often come named as “Invoice,” “Payment Information,” “Waybill,” “Order Summary,” “Parcel Tracking Details” and so on. For your security, it is best to avoid opening attachments from senders that you weren’t expecting to contact you. Never interact with email attachments or links included if the email comes as a surprise to you. Trust your common sense and be cautious even if the sender appears to be legitimate, because scammers can spoof sender’s email address nowadays. Moreover, look out for other red flags such as urgent message tone, repetitious invites to view the attachments and reply as soon as possible, grammar mistakes, suspicious-looking and weirdly placed company logos, or unfamiliar greeting line. Remember that scammers can pretend to be whatever they like, be it your colleague, boss or a well-known company representative.

Finally, do not let the frustration of becoming a ransomware victim get you in more trouble. Searching for decryption tool desperately on suspicious online websites can result in even more infections. What we want to say is that cybercriminals also target people who are already infected – so they tend to promote fake STOP/DJVU decryption tools hiding another ransomware in them. One of ransomware strains known to use this deceptive distribution technique is ZORAB. Please understand that in certain cases there is no way to recover files unless you have a backup. In case a decryptor emerges, it will be discussed and available on reputable websites and not the ones hiding on the nth page of Google search.

Remove MAQL Ransomware Virus and Recover Your Files

If you have unfortunately fallen victim to a ransomware attack, we strongly advise you to clean your computer from malware and secure it with real-time protection. You can find a free guide on how to remove MAQL ransomware virus below. We advise you to use antivirus you have (make sure you install its updates first) or if you do not have any protection, choose a security software that meets your expectations. Our team recommends and uses INTEGO Antivirus which is an excellent tool to remove existing threats and keep the system and network traffic protected 24/7. Another product you may want to download for repairing damage to Windows OS files is RESTORO.

Now, please read the given MAQL virus removal guidelines below. Additionally, take into considerations these post-malware removal recommendations:

• Inform local law enforcement agencies about the ransomware attack. You can simply contact police department and discuss what happened and you will get further guidance.
• If you have data backups to restore files from, double-check that your computer is entirely free of ransomware remains first. Otherwise, the data backup might get encrypted as well.
• Get to know how you can decrypt or repair files affected by STOP/DJVU versions.
• Changing your passwords for accounts saved in browsers, as well as Steam, Telegram and Skype is highly recommended.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS

REMOVE & PROTECT WITH INTEGO

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7.. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.

Read full review here.

STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER

DOWNLOAD RESTORO

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

Norbert Webb

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.