Muslat Ransomware - How to remove

Muslat is a new incarnation of STOP/DJVU — a virus that’s been plaguing people since the start of the year. Muslat gets on a computer and locks the files, making them unusable.

Muslat is named after the extension it gives the encrypted files, .muslat.

picture.jpg.muslat

A ransom note is created by the virus. It’s called _readme.txt and includes the ransom amount ($980 or $490), as well as the e-mail addresses of the criminals ([email protected], [email protected], @datarestore (this last one is for the social network Telegram)).

_readme.txt starts like this:

ATTENTION!
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.

It’s the same as Redmat, Drume, and a few other viruses. Muslat is most likely part of the STOP/DJVU family of ransomware.

How ransomware works

Encryption is a valuable system that allows us to do things like online banking and secure communication without someone being able to simply watch and read everything. For this, encryption uses keys — data that determines how a text is encrypted and decrypted. The key needs to be known in order to decrypt the files. This is what the developers of Muslat are trying to sell — the decryption key. With this, Muslat’s developers hope to extort a lot of money from a lot of people (though far from everyone who pays the ransom gets their files back).

Hybrid encryption is the way that modern ransomware viruses lock files. This means that the files are encrypted quickly and securely, and the decryption keys — which are unique to each victim — are only known to the people who developed Muslat.

Why have the people behind this virus not been arrested? It is complicated. Muslat is a threat to people all over the world, and it’s not known which country Muslat’s developers are in. Not only is finding the criminals difficult, but getting them arrested would be legally complicated. Besides, Muslat targets individual people who do not have much power. Some ransomware distributors have been arrested. It’s possible that Muslat’s creators will be, too.

How Muslat spreads

The way that Muslat is distributed is with pirated software and software cracks. Cracks are supposed to activate software without having genuine product keys. They’re mostly illegal and are expected to be detected by antivirus programs as suspicious. Pirating has always been a risky endeavor, but now, with Muslat out there, it might be even worse than before.

Another way that ransomware is spread is by freeware bundles. These are free programs that have additional software included in the installation. They can be labeled in one of the installation screens, or they can be installed in the background while the front program is being run.

Muslat might also be distributed in spam e-mails. An infected file could arrive as an attachment or be linked to in the message. If the infected file is downloaded and run, it’ll start Muslat in the background. Muslat can display a fake Windows update window so that people do not get suspicious of all the hardware resources being used — encryption takes a significant amount of computer power, after all.

The idea is that Muslat arrives in an infected file that the person is tricked into running. This can often be avoided by scanning every new file with an up-to-date antivirus program, keeping our browsers and operating system updated, and just being careful and suspicious online.


How to remove Muslat and restore the files

The best way to protect files from file-locking ransomware viruses is to have a backup of all our important data. This backup can’t be left connected to the computer that’s having its files backed up, or else it will be encrypted or deleted. This is what usually happens when people create system images in Windows and leave them on the same storage that was copied — Muslat just deletes them.

If your backups are okay, that’s great — but you need to remove the virus first. If you don’t have backups, there are still a couple of things you can do to get some of your files.
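To see how much a backup actually covers before restoring anything, the following added example (not part of the original article) walks a folder read-only, finds the _readme.txt notes and the files carrying the .muslat extension, and checks whether each one has a copy at the same relative path in a backup folder. It also flags .muslat files inside the backup itself, the sign of a backup that stayed connected. The script name and the assumption that the backup mirrors the original folder layout are hypothetical.

```python
import os
import sys
from pathlib import Path

ENCRYPTED_EXT = ".muslat"   # extension named in the article
NOTE_NAME = "_readme.txt"   # ransom note name named in the article


def _walk(root):
    """Yield every file under root as a Path (read-only traversal)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield Path(dirpath) / name


def inventory(infected_root, backup_root):
    """Classify files under infected_root against a backup with the same layout (assumption)."""
    infected_root, backup_root = Path(infected_root), Path(backup_root)
    report = {"notes": [], "recoverable": {}, "missing": [], "backup_hit": []}
    # A backup that stayed attached may have been encrypted too; list those files.
    report["backup_hit"] = [p for p in _walk(backup_root)
                            if p.name.lower().endswith(ENCRYPTED_EXT)]
    for path in _walk(infected_root):
        lower = path.name.lower()
        if lower == NOTE_NAME:
            report["notes"].append(path)
        elif lower.endswith(ENCRYPTED_EXT) and len(lower) > len(ENCRYPTED_EXT):
            # picture.jpg.muslat -> picture.jpg, looked up at the same relative path
            original = path.with_name(path.name[:-len(ENCRYPTED_EXT)])
            candidate = backup_root / original.relative_to(infected_root)
            if candidate.is_file() and candidate.stat().st_size > 0:
                report["recoverable"][path] = candidate
            else:
                report["missing"].append(path)
    return report


def summarize(report):
    """One-line summary for a ticket or log entry."""
    return ("{} ransom note(s); {} encrypted file(s) with a backup copy, "
            "{} without; {} encrypted file(s) inside the backup itself").format(
        len(report["notes"]), len(report["recoverable"]),
        len(report["missing"]), len(report["backup_hit"]))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: muslat_inventory.py INFECTED_ROOT BACKUP_ROOT")
    rep = inventory(sys.argv[1], sys.argv[2])
    print(summarize(rep))
    for p in rep["missing"]:
        print("no backup copy:", p)
```

The files reported as having no backup copy are the ones to keep aside in case a decryptor appears later.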

Get rid of the virus by scanning your device with a powerful antivirus program, like Spyhunter. If it doesn’t work, try connecting your infected disk to another computer as external media and scan it that way. You might also need to check this article to unblock some websites that Muslat blocked. Then check the guide below to see if anything works for you.

There is also a ransomware decryptor that a volunteer has been developing. It does not support Muslat, and even if it did, it could only decrypt the files that were encrypted with an offline key. For now, though, if you want to, you can keep the Muslat-encrypted files and wait for a possible solution in the future.



How to recover Muslat Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points from before Muslat Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.
 

Step 2. Complete removal of Muslat Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Muslat Ransomware. You can check other tools here.

Step 3. Restore Muslat Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as of the point in time when the system restore snapshot was created. Usually Muslat Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Muslat Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.