We guess that people that created Merry Christmas crypto-ransomware really despises the joyful holiday: they are like Grinches that attempt to ruin the special event. Nevertheless, the national day of over-eating is in the past now, but Merry Christmas or a.k.a Merry X-mas virus stays behind. Instead of continuing to spread positive energy, the hackers really wanted security researchers to talk about a ransomware that congratulates people with the holiday, and then demands money in exchange for the decryption of ruined files. We know that Christmas has already passed, but getting infected Merry Christmas virus is not a possibility that we are willing to disregard. This sample might still be lurking around the corner, threatening to encrypt users’ files.
Not so Merry Christmas: explanation about the ransomware
Merry Christmas virus can and will begin its dirty affairs if you will allow it into your device. Ransomware viruses have no decency and truthful approach is not the tactic they decided to proceed with. If an email letter with a link to other website appears in your inbox, please be cautious before following it. The URL may actually lead you to a different location than it is indicated in the email letter. More information about this step will be available in the section below. For now, let look into processes that are initiated by Merry Christmas virus after it has successfully occupied a place in your device. COMPLAINT.pdf file will be spotted in the device in case of an infection. This can be identified as the payload of the ransomware which will initiate all of the following procedures, ending with the encryption and official demands for money.
Firstly, it will contact the server of its creators to announce about a new victim. Specific details about the compromised device are going to be sent to the hackers of Merry Christmas virus. Then, when these twisted programmers are aware of a new victim, the payload will go on a hunt for potential files to encrypt. It is evident that the majority of ransomware viruses append new extension to the data that happens to be corrupted. The fact that Merry Christmas virus can add three different extensions is quite unusual. If a great number of files are appended with .MRCR1, .RARE1 or .PEGS1 extensions, then there is no doubt that Merry Christmas virus has affected your system.
Let’s take a look at the ransom note that is left behind by Merry Christmas virus. It is called YOUR_FILES_ARE_DEAD.hta and it contains some important details. One of the first things to be noticed is the timer, counting down minutes until all of the encrypted files are going to be permanently destroyed. The note also provide victims with their ID number. Funny detail about this infection is that it provides a contact to send a telegram to (@comodosecurity). Additionally, an email address is also indicated: email@example.com. Merry Christmas also states that trying to decrypt files with decryptors that were not created by the hackers might lead to permanent loss of files.
Decryption of files: is Merry Christmas ransomware an easily treatable infection?
Information about the fee for the files and possible methods for sending this money will be provided via a conversation with the hackers. You can do this by contacting them through one of the indicated addresses. Nevertheless, we do not recommend you to voluntarily begin a conversation with people that were vicious enough to infect you with malware. NEVER be naive enough to believe in hackers’ promises. After they receive the demanded money, they might send you a useless decryptor or won’t provide you with it at all. If you really wish to restore your files the right way, make copies of the encrypted data and remove the Merry Christmas virus. If you are reading this article because of your mere interest in the subject, we should advise you to back up your files (in online storages or USB flash drives).
Ho ho ho: how does Merry Christmas virus slide down your chimney?
IT specialists identify one specific source for the Merry Christmas virus: via a malicious spam campaign. Victims indicated to have received letters from Federal Trade Commission. Users are informed that their business has received a complaint because of a violation of CCPA. Of course, this is not a genuine letter and the link in the message is meant to cause trouble. To be more exact, if you click on the URL, you will download the payload of a Merry Christmas ransomware and this action can influence your device more than you can imagine.
Reimage, Spyhunter or Hitman have a strategy for dealing with threats like Merry Christmas virus. We have no doubt that these anti-malware tools won’t show any mercy to malware. Details about a manual removal and possible decryption of files can be found below.
Update of the 10 of January, 2017. A new variant of Merry Christmas ransomware has been discovered and its payload is spread as an attachment to a letter about being demanded to show up at court. It displays a different ransom note (appended in the article above) and additionally install DiamondFox malware.
Update of the 18th of January, 2017. Ho ho ho, Merry Christmas ransomware is no longer a threat. Fabian Wosar has produced a free decryptor that you can download from this site.
Update of the 30th of January, 2017. Even though a decrypter has been released for this Merry Christmas variant, it does not plan to stop its distribution. A malicious spam campaign has been noticed to spread this sample of ransomware. Be careful when opening email letters from unfamiliar sources.
- Not so Merry Christmas: explanation about the ransomware
- Decryption of files: is Merry Christmas ransomware an easily treatable infection?
- Ho ho ho: how does Merry Christmas virus slide down your chimney?
- Automatic Merry Christmas ransomware removal tools
- How to recover Merry Christmas ransomware encrypted files and remove the virus
- Step 1. Restore system into last known good state using system restore
- Step 2. Complete removal of Merry Christmas virus
- Step 3. Restore Merry X-mas virus affected files using Shadow Volume Copies
- Step 4. Use Data Recovery programs to recover Merry Christmas ransomware encrypted files
- Removal guides in other languages
Automatic Merry Christmas ransomware removal tools
How to recover Merry Christmas ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2.Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before Merry Christmas ransomware has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of Merry Christmas virus
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage and remove all malicious files related to Merry X-mas ransomware. You can check other tools here.
Step 3. Restore Merry X-mas virus affected files using Shadow Volume Copies
If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Merry Christmas ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Merry Christmas ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
- We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
- Download Data Recovery Pro (commercial)
- Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.