Mars Ransomware - How to remove

Mars ransomware is a computer virus. It’s encrypting ransomware — it infects a computer, locks the files, and demands money for fixing them. This ransomware is named after the extension that it appends to the names of the encrypted files: .mars.

You can remove the virus, and you can restore the files that you have previously backed up, but returning the locked .mars files to normal is tricky and might not even be possible. It is important to at least find the way that Mars infected your computer and fix the security holes to protect yourself against any future infections.

How to recognise the Mars virus

If your computer has been infected by Mars, your files are probably named something like [file name].[file type].[id].[crypto email].mars. For example:

[email protected]

The files cannot be fixed by just renaming them back to their original names; the problem is more serious.

Mars creates a file (READ_ME.mars) in which the cybercriminals responsible for this virus demand bitcoins to be sent to either [email protected], [email protected], or [email protected]. This note says:

All your important files are encrypted.
To recover encrypted files, you need:
1. Buy bitcoins. The easiest way to buy bitcoins is the LocalBitcoins site. You must register, click “Buy Bitcoins” and select a seller by payment method and price. https://localbitcoins[.]com/buy_bitcoins
You can also find other places to buy bitcoins and a beginner’s guide here:
http://www[.]coindesk.com/information/how-can-i-buy-bitcoins/
write to google how to buy bitcoin in your country?
to guarantee the availability of our key
we can decrypt three files for free.
2. Send bitcoins to the address you receive in the mail. After payment, we will send a decryption program
Do not try to decrypt your files using third-party programs, decoders. You only damage your data and lose them forever.
Only we can decrypt your data!
Contact email address [email protected] or [email protected] or [email protected]

What is the damage?

If you see the ransom note, that means that the encryption process was completed. The virus went through your files and locked every file it could. This includes almost all the common file types, for example:

  • Documents — text documents (doc), spreadsheets (xml), PDF files
  • Multimedia — pictures and photos, songs, movies
  • Archives — zip, rar, etc.

These files cannot be simply returned to normal. They are encoded using cryptography. Cryptography is a very important tool for security and privacy, and has been developed to be almost impossible to break. Cybercriminals have found a use for it and have been terrorising people since around 2013.

This business model of extortion must have been successful because crypto ransomware continues to be developed and distributed.

Is it possible to unlock .mars files?

In theory, the files can be returned to normal if you have the decryption key. Unfortunately, this key is usually only accessible to the developers of Mars.

The Mars developers offer to decrypt three files for free to prove that they can do it, but it would be best to avoid paying the ransom (at least, save the encrypted files somewhere and then try the guide below to get your files back before you try to contact the extortionists). A bit less than half of the people who pay the ransom do not get their files back.
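
To see which files need to be set aside before any recovery attempt, the following added example (not part of the original guide) builds a read-only inventory of a folder using the [file name].[file type].[id].[crypto email].mars naming pattern and the READ_ME.mars note name described above. It assumes that the id and the part of the email before the @ contain no dots; the sample file names, id and address are constructed.

```python
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "READ_ME.mars"  # ransom note file name given in the article
# Pattern from the article: [file name].[file type].[id].[crypto email].mars
# Assumption: the id and the e-mail local part contain no dots.
MARS_RE = re.compile(
    r"^(?P<original>.+?\.[^.]+)\.(?P<id>[^.]+)\.(?P<email>[^.@]+@[^@]+)\.mars$",
    re.IGNORECASE,
)

def parse_mars_name(filename):
    """Return (original_name, victim_id, contact_email), or None if no match."""
    m = MARS_RE.match(filename)
    return (m["original"], m["id"], m["email"]) if m else None

def inventory(root):
    """Walk root and classify every *.mars file without modifying anything."""
    report = {"notes": [], "encrypted": [], "unparsed": [], "ids": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME.lower():
                report["notes"].append(path)
            elif name.lower().endswith(".mars"):
                parsed = parse_mars_name(name)
                if parsed:
                    report["encrypted"].append((path, parsed[0]))
                    report["ids"][parsed[1]] += 1
                else:
                    report["unparsed"].append(path)  # needs a manual look
    return report

def make_sample_tree():
    """Constructed sample data: empty files with made-up names, id and address."""
    root = tempfile.mkdtemp(prefix="mars_demo_")
    os.makedirs(os.path.join(root, "Documents"))
    for rel in ("Documents/report.docx.A1B2C3.contact@example.com.mars",
                "Documents/backup.tar.gz.A1B2C3.contact@example.com.mars",
                "Documents/READ_ME.mars", "notes.txt", "odd.mars"):
        open(os.path.join(root, rel), "w").close()
    return root

if __name__ == "__main__":
    r = inventory(make_sample_tree())
    print(len(r["encrypted"]), "encrypted,", len(r["notes"]), "note(s),",
          len(r["unparsed"]), "unparsed; ids:", dict(r["ids"]))
```

Point `inventory()` at a real folder instead of the sample tree to list what to copy to external storage; folders that contain a note or encrypted files also show how far the encryption reached.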


Some ransomware viruses (like DJVU) have had free decryptors developed for them, but they do not always work. Sometimes the virus experiences technical difficulties (for example, if you disconnect the internet during the encryption) which makes it possible to find a decryption key for at least some of the files. Unfortunately, this ransomware is still new, so nobody has developed a free decryptor yet.

How to be prepared for ransomware attacks?

Store copies of your files separately from your computer. If you have a backup of your system or copies of your files on an external (disconnected) drive, or in the Cloud, you can be sure that Mars has not touched them. Then, after you have removed the ransomware from your system, just copy the files back to the machine.

Be careful when opening unknown emails, and secure access to your computer with a strong password. Two of the most common ways for crypto viruses to spread are infected email attachments and hacked Remote Desktop. The emails often say that the attached file is an important document that needs to be reviewed because you need to open or run the file for the virus to get in. Remote Desktop allows people to control a computer remotely, and if your RD password is leaked or found out, your PC can be accessed by cybercriminals.

Finally, make sure to keep your antivirus and operating system up-to-date. New malicious software is being developed and distributed every day, and antivirus programs need constant updates to remain effective.

How to remove Mars ransomware

First, it is important to scan the system with an antivirus program (Spyhunter, or another trusted application) and remove the threats that are detected.

After this, you can try to restore the files using Windows built-in functions. There is no guarantee that you will be successful, but it might be worth trying.



How to recover Mars Ransomware encrypted files and remove the virus

Step 1. Restore the system to its last known good state using System Restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Mars infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.
 

Step 2. Complete removal of Mars Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Mars.

Step 3. Restore Mars Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Mars tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Mars Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive to it as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.