May ransomware - How to remove

May (or Maysomware) ransomware virus has every intention of proceeding as an awe-inspiring crypto infection, setting AES-256 and RSA-4096 algorithms for encryption against your digital data. It makes demands for a very hefty ransom: 1.5 BTC which translates into 3255.61 US dollars. The primary version which was detected did not take long to receive an renewal which commands victims to hand over a bigger sum of money. Nevertheless, their malicious activity is similar and should be discussed side by side. The payloads of these infections are May_ransomware.exe and May.exe. Based on the analysis, provided by multiple security tools, both of these samples are based on Hidden Tear open-source project. Either .maysomware or .locked extension are appended to the encoded executables.

Further analysis of this ransomware infection

Investigation of payloads has definitely provided some valuable information about these variants. One of the first points to discuss is the potential guilty parties. We have reason to believe that hackers from Russian Federation are involved as the payload sends DNS requests to a domain of Mayofware.solution which is registered in this country. It contacts the host at 87.236.16.184 IP address. Also, it monitors specific registry key for possible changes which will mostly include launching the payloads automatically.

This crypto-virus also runs a file which has privileges to delete executables. This means that it is capable of destroying your digital data. Both variants put a countdown and after 5 days of no response from the victims, the payload can presumably start a rampage. Encrypted executables could be permanently deleted. Moreover, samples also point to the same bitcoin wallet which is the one to receive ransoms: 3Gw6b57A3E34nAph3mzGbKAj8sTSgD8GP9. Following a transaction of the required ransom, victims are instructed to send a letter to [email protected] email address with their special ID number as the subject.

Likewise, variants have a function of decrypting two files free-of-charge. Victims should select the biggest encrypted files and insist that hackers would decrypt them. After crooks send the recovered sample back, you should immediately supply both versions (encrypted and decrypted) to security researchers. It is possible that this will assist in the generation of free file-recovery tool. Instructions are available in two possible Restore_maysomware_files.html and Restore_your_files.txt files. Their content is similar, but the newer version demands 1.5 BTC while at first, only 1 BTC was indicated as the necessary ransom.

File-recovery options

Before trying to restore your digital data, it is crucial to save them in an alternative location. Place them in a flash drive for instance. Since this ransomware appends a file which is to delete files, it is possible that file-recovery methods might trigger its activity. Then, after data is secured, you are advised to remove the infection itself. This procedure is recommended to be implemented with the help from respectable anti-malware tools like Spyhunteror Hitman. Only then shall you begin to explore the possible ways of data-decryption. Main points for this task are explained at the very end and you should try each of them.

For future reference, we are reminding our visitors that it is important to store your files in backup storages. This is the number one method to protect yourself from ransomware infections. Since they are becoming more active and successful, you should not hesitate to safeguard digital data from encryption.

How does a ransomware ends up in operating systems?

A crypto-virus can potentially arrive from several sources. One of them: infectious email messages. If you find letters from unknown senders and these emails contain attachments, these files might actually be payloads of ransomware. Do not download them without checking that the message is legitimate and safe. Additionally, links in email messages often lead to websites, capable of infecting users with malware. Trojans could also be promoted in file-sharing domains: be careful not to download a program that only poses as reliable.

How to recover May ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Maysomware virus has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of May ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Maysomware virus. You can check other tools here.  

Step 3. Restore May ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Maysomware virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover May ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.