Mtogas Ransomware - How to remove

Mtogas is a new version of the Djvu/STOP file-lockers — a group of viruses which use cryptography to deny access to their files to the owners of the infected computer. This ransomware is competent, dangerous enough to be considered a serious infection which really can lose people their files irreversibly.

Mtogas does a few dangerous things, more than just locking the files:

• Delete the updates of the installed antivirus,
• Block cybersecurity websites (how to unblock them),
• Encrypt files,
• Rename the encrypted files,
• Ask for money to decrypt files,
• Install a credential-stealer (AZORult).

Mtogas is not a very high-profile ransomware virus which targets people and asks for a very small (compared to other cryptoviruses) ransom, which means it doesn’t get a lot of attention. However, it’s no less dangerous — it locks photos, movies, documents, text files — most files that are likely to be important and valuable.

How Mtogas spreads

Earlier iterations of Mtogas have been tormenting people for months and the situation hasn’t improved: the ransomware is even more destructive than before, for example, it deletes system restore files. The only real way to stay safe against file-lockers is to have backups set up before the infection even happened. The backups should be disconnected from the computers, otherwise, Mtogas might encrypt them, too. They should also be updated regularly so that as little work as possible is lost to an infection.

Another behavior that helps avoid Mtogas and the other Djvu/STOP viruses is abstaining from pirating software. Malware in pirated files is a real and common problem. Mtogas and its siblings often infect computers by being downloaded by the victim manually, sometimes even despite the warnings of their antivirus program, because people think that the program they’re downloading will help them activate a commercial program, or unlock the features of one. Filesharing is a medium used by other ransomware strains, too.

The other important avenues that ransomware uses for infections include hacking Remote Desktop connection (like some GandCrab variants), sending out fake emails with infected files attached (for example, Tunca), or automatically downloading the malware to vulnerable computers which visit an infected website (such as Eris). Outdated software, weak credentials, weak security settings, carelessness can all be exploited by malware distributors.

Can the Mtogas files be fixed?

Mtogas uses cryptography to lock the files and it marks them by adding a new extension, “.mtogas”. If you don’t have backups and hope to decrypt the Mtogas-locked ones, the first thing you should do is create an image of the infected computer, or at least copy all the files that you want to keep onto a backup. Any modifications and experiments with the encrypted files should be performed on copies so that you don’t risk breaking or corrupting the data irreparably.

Mtogas creates a ransom note called _readme.txt — a message from the developers of the virus. This message instructs the victims to contact the developers of this virus on [email protected] or [email protected] to learn how to send them the money in exchange for the (not always deserved) hope that they’ll restore your files. Paying the ransom to cryptoextortionists is always a gamble and even with just Djvu/STOP, different people have different experiences: some got a decrypter, others did not.

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-o7ClqIH7RS
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
…

Each victim has a unique decryption key for their files. Since Mtogas uses quite strong cryptography, there is no way that those keys can be found — they have to be known.

However, a volunteer Demonslay335 is developing a program that abuses a weakness that Mtogas has — it uses a hardcoded encryption key in the situations when it’s forced to run without the internet connection. Read this post where he explains things in more detail. He has also hinted that a few file types might be decryptable for anyone, possibly due to the fact that Mtogas, in an effort to make it as fast as possible, only encrypts a limited amount of data of each file. If that’s the case, some data in large files could possibly be restored.

How to remove Mtogas ransomware

A few ways exist to remove Mtogas which don’t require you to wipe everything — although, if you have complete backups to restore from, you can do that.

You can learn the locations of the malicious files and delete them after killing the malicious processes which might be trying to keep you from making edits. You can also make use of automatic tools, like Spyhunter. Remember that AZORult also needs to be removed, and you might want to change your passwords afterward.

Automatic Malware removal tools

How to recover Mtogas Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Mtogas Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Mtogas Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Mtogas Ransomware. You can check other tools here.  

Step 3. Restore Mtogas Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Mtogas Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Mtogas Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.