Mogranos Ransomware - How to remove

Now that more and more documents and our most important projects are stored digitally, the growing popularity and strength of file-encrypting viruses makes them increasingly dangerous and harmful. After infecting a computer, the Mogranos ransomware virus quickly goes through all your files and corrupts most of them, hoping to get money from you and the other victims by promising to return your data.

Not all ransomware viruses encrypt files. Some, for example, only lock your screen, but those are relatively easy to get around. File-locking ransomware is the most dangerous and common type right now, targeting individual users as well as hospitals, large businesses, and even city services. Mogranos goes after the former, collecting small ransom payments from individual victims, but it’s still devastating when a person loses their only copies of photos, movies, and projects precious to them.

The dangers of Mogranos ransomware

Encrypting files is bad enough, but on top of that, a credential stealer is bundled with Mogranos and other STOP variants (like Rumba, Redmat, or Kroput). The trojan is very dangerous because if it can find your passwords and send them to criminals, they might use them to hack your online accounts. Some of those accounts probably have a credit card saved there, allowing the criminals to profit even more.

After the encryption, Mogranos creates a ransom note in which the extortionists tell the victims to contact them at [email protected], [email protected], or @datarestore (on Telegram) to learn more details about how to pay their ransom (and then probably have their cryptocurrency wallet credentials stolen). The note is called “_Readme.txt” and it starts like this:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.

As you can see, the criminals promise that they’re able to decrypt the files which their virus has corrupted. They also promise to send you the required tools and data if you just pay $490. That’s against the recommendations of most cybersecurity experts for a few reasons:

  • Paying is financing and encouraging the harmful and illegal activity.
  • The chances of you being able to decrypt the files after you paid the ransom are not high enough.
  • Performing financial activities is dangerous because ransomware often installs spyware.
  • You might be labeled as someone vulnerable and targeted in later ransomware attacks.

A free decrypter for STOP ransomware is being developed by a security researcher known as Demonslay335 in his free time. It’s appropriately called STOPDecrypter and it relies on the fact that not all the encryption by Mogranos is completely secure. The various STOP cryptoviruses use a secret key to lock the files. However, sometimes they use a different key that’s hardcoded into the virus and can be read. In the best-case scenario, this program might be able to save all of your files, if it is updated to support Mogranos.

How to remove Mogranos

The virus can be removed with the help of safe mode and a professional antivirus tool like Spyhunter. Whether you remove the malware manually or automatically, it’s useful to perform a scan to make sure that the viruses are really gone.

Additionally, Mogranos probably changed your settings to stop you from accessing certain cybersecurity websites like this one. It edits the hosts file — a file that can be used to block websites manually. The edits that Mogranos made to it can be reversed by following this guide.
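
An added example (not part of the original guide): a short Python check that lists hosts-file entries pointing a non-local name at a loopback or 0.0.0.0 address, which is how a hosts file blocks a site, and produces a copy with those lines commented out. The sample file and its .example domains are constructed, and the names audit_hosts and cleaned_hosts are this example's own.

```python
import ipaddress

# Windows keeps the file at %SystemRoot%\System32\drivers\etc\hosts.
# Constructed sample input: the *.example names are placeholders, not
# domains taken from a real Mogranos infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       security-vendor.example      # blocks the site
0.0.0.0         av-updates.example www.av-updates.example
192.168.1.20    nas.home.example
garbage line without an address
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def is_sinkhole(address):
    """True for addresses that make a hostname unreachable (loopback, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP address at all: malformed line, ignore it
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Return (line_number, address, hostname) for every blocked non-local name."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            continue
        for name in fields[1:]:
            if name.lower() not in LOCAL_NAMES:
                findings.append((number, fields[0], name))
    return findings


def cleaned_hosts(text):
    """Return the file text with every flagged line commented out for review."""
    flagged = {number for number, _, _ in audit_hosts(text)}
    return "\n".join(
        "# DISABLED: " + line if number in flagged else line
        for number, line in enumerate(text.splitlines(), start=1)
    ) + "\n"


if __name__ == "__main__":
    for number, address, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {number}: {name} -> {address}")
```

Hosts-based ad blockers create the same kind of entries on purpose, so review the flagged lines before saving the cleaned copy over the real file, which requires administrator rights.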


How to avoid ransomware

To learn how to avoid Mogranos and other ransomware in the future, it’s important to know how it’s disseminated. While one of the most well-known ways that ransomware viruses spread is through Remote Desktop, most of the people who get infected with STOP ransomware downloaded and ran it on their own. Not intentionally, of course — they thought that they were opening a program that they wanted.

Actually, STOP ransomware did once use RDP hacking as a way to get on people’s computers, but that’s not done anymore. Instead, the developers of Mogranos create and upload an infected bundle of known and wanted free software which carries the virus hidden inside. Microsoft Office activators and activated Office programs are an especially common and successful vector of attack.

Different ransomware viruses use different tactics, and you can take various measures to avoid them, but the absolute most important thing to do is to set up secure backups. Mogranos wouldn’t be able to encrypt an offline disk (one that’s powered down and not connected to anything) or files stored in the cloud. And you don’t need to worry a lot if you can just restore the files from a backup. If the files are especially important, you should have a few redundant backups.

Update your browser, antivirus program, and other software. Some new ransomware uses exploit kits to download itself onto people’s computers, and security vulnerabilities in outdated software have been responsible for more than one ransomware attack.


How to recover Mogranos Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before Mogranos Ransomware infiltrated your system and then click “Next”.
  • To start System restore click “Yes”.

Step 2. Complete removal of Mogranos Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Mogranos Ransomware. You can check other tools here.

Step 3. Restore Mogranos Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Mogranos Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Mogranos Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

One response to “Mogranos Ransomware”

  1. I come from Viet Nam, My computer had mogranos ransomware. My document can’t repair.
    Can you help me repair and recover my data, please.
