MERL virus infects computers to encrypt all files
Contents
MERL is a ransomware-type virus that silently encrypts all files on the victim’s computer system. It is the 192th version of STOP/DJVU malware. The aim of this file-encrypting threat is to restrict access to files stored on the computer and force the victim to pay a ransom for a decryption software. During the cyberattack, the virus marks all modified files with .merl file extension and drops _readme.txt ransom notes.
The ransom notes left behind explain the victim that the only way to recover .merl files is to pay a ransom. The cybercriminals suggest testing their decryption tools by sending one file to datarestorehelp@firemail.cc or datahelp@iran.ir. The note also informs the victim to make up one’s mind within 72 hours, because the ransom is smaller during this given time period – “only” $490. Otherwise, the price of the decryption key and tool goes up to $980. In other words, it increases twice.
This DJVU ransomware variant runs some commands that make system restore points vanish from the compromised PC, then also installs Azorult Trojan on the system. This way, the virus prevents any data recovery means and leaves a password-stealing threat behind.
Therefore, it is a must to take immediate actions to remove MERL ransomware virus as soon as possible. We suggest following instructions provided at the end of this article for guidance.
Threat Summary
| Name | MERL ransomware virus |
| Type | Ransomware (STOP/DJVU variant) |
| Encryption type | RSA |
| Ransom note | _readme.txt |
| Ransom amount | $490 within 72 hours or $980 later |
| File marker | .merl file extension |
| Decryption tools | STOP Decrypter (doesn’t support this extension at the moment; will only decrypt OFFLINE KEY data) |
| Distribution | Malicious downloads, including keygens, software cracks, other activation tools |
| Removal | Remove using free instructions given below the article |
Is it possible to decrypt .merl files?
MERL file virus uses incredibly strong encryption method (RSA) to modify files. However, there is an encryption routine vulnerability that allows security experts recover files for offline key victims.
When the ransomware starts its processes, it attempts to connect to its remote Command & Control server, and in case it fails to do so, it uses an offline key to encrypt all files. This file is the same for all MERL victims and it can be recovered, although not easily.
Therefore, you need to check whether your files were locked with offline or online key. To do so, go to C:/SystemID/PersonalID.txt and check there. You shouldn’t check in the ransom note as it provides only one key.
In PersonalID.txt file, look for ID ending with t1. If you can find one, it means all or at least part of your files were modified using offline key. In this case, wait for an update for STOP Decryptor.
Victims subject to online key encryption have no options to recover files for free now. However, if you’re considering whether to pay the ransom or not, we suggest not doing so. Please keep in mind that the attackers use these payments to fund and start new malicious projects that reach more victims worldwide.
The virus awaits in malicious downloads
MERL virus, just like its previous versions (GESD, RIGH, HETS, MSOP) lurks in malicious and illegal downloads available online. Therefore, we suggest you to refrain yourself from looking for illegal content online. By saying illegal, we mean various software cracks, keygens, and similar files.
The developers of STOP/DJVU ransomware tend to pack such downloads with ransomware executables and upload them to file sharing sites.
It is unknown whether these criminals use malicious spam to distribute the virus, but other ransomware-variants are often proliferated in this way.
Remove MERL ransomware virus right now
Remove MERL ransomware virus along with malware it brought to your computer. You can do this using free and simple instructions provided below. Please keep in mind that there are both free and paid antivirus solutions that can remove this virus. We suggest checking software reviews on our site to choose one.
After MERL virus removal, change all your passwords and find your backup to recover your files. Although you might lose some files you created after the date of the backup, it is still better than losing everything at once.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS
STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
MERL Ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove MERL Ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Scott Bolton is a senior content strategist in our Geek’s Advice team. He is exceptionally passionate about covering the latest information technology themes and inspire other team members to follow new innovations. Despite the fact that Scott is an old-timer among the Geeks, he still enjoys writing comprehensive articles about exciting cybersecurity news or quick tutorials.
Leave a Reply