Mado is a STOP/DJVU family of ransomware-type infections1. This ransomware encrypts your private files (video, photos, documents). The infected files can be tracked by specific “.mado” extension. So, you can’t open them at all.
It is better to prevent, than repair and repent!
Subscribe to our Telegram channel to be the first to know about news and our exclusive materials on information security.
In this article I will try to help you remove Mado virus without any payment. As a bonus I will assist you in decoding your encrypted files.
What is “Mado”?
Mado can be correctly identify as a ransomware infection.
Mado is similar to other ransomware like: Jope,Opqz, Npsk, Remk. It crypted all popular file types. Hence, users can’t open files. Mado adds its particular “.mado” extension into all files after encryption. For instance, the file “video.avi”, will be amended into “video.avi.mado”. As soon as the encryption is accomplished, Mado drops a special text file “_readme.txt” and adds it into all folders that contain the modified files.
Here is a short info for the Mado :
|Ransomware family3||DJVU/STOP4 ransomware|
|Ransom||From $490 to $980 (in Bitcoins)|
|Detection5||BScope.TrojanSpy.Zbot, Trojan-Dropper.Win32.Dropback.ln, Trojan:Win32/Glupteba.RDL!MTB|
|Symptoms||Your files (photos, videos, documents) have a .mado extension and you can’t open it|
|Fix Tool||See If Your System Has Been Affected by .mado file virus|
This text asking payment is for restore files via decryption key:
The cryptography algorithm used by Mado is AES-256. So, if your files got encrypted with a specific decryption key, which is totally unique and there are no other copies. The sad reality is that it is impossible to recover the information without the unique key available.
In case if Mado worked in online mode, it is impossible for you to gain access to the AES-256 key. It is stored on a remote server owned by the criminals who promote the Mado ransomware.
There are also some reports that saying about Mado ransomware add it’s readme.txt file in autoload registry bush, so every time user logging in his system, he will get annoying reminder. This causes are not widespread, but, as we can see, Mado has a lot of subversions that have a lot of distinction in it’s performance.
But adding his entities to Run key is not the only Mado ransomware action with registry. The common practice is that it adds it’s .exe file in the RunOnce key. So, every time user starts Windows – ransomware will start, too, so you can’t stop ransomware with simple system restart. But, it could be prevented with system launch in special mode – safe mode or mode with command line support.
In spite of registry, Mado ransomware can also change hosts file to disable Windows updates. Thus, Windows can’t perform “self-cleaning”, changing all it’s internal settings, registry keys and directories on the C:/ to default. So, if you used to have Windows updates regulary, and notice that your PC haven’t got them for a long time – it can be a sign of slow Mado ransomware activity on your PC.
One of the most knavish trick of Mado ransomware is hosts file editing. It can add all popular sites of anti-malware softare, forums, where ransomwares are disscussed, to hosts file. So, you wouldn’t able to open this pages. It’s quite easy to fix, but not being in panic and having the only wish to get your files back.
Jope ransomware distributors understand, that a huge part of their victims can be get cured using advices given on such sites. So, they are usually blocking all sites you can see below:
This list is updating.
For receiving decryption key the payment should be $980. To obtain the payment details the victims are encouraged by the message to contact the frauds by email (email@example.com).
N.B. Some users, generally from Western Europe, reporting about modified readme.txt files, that contains much bigger sum asked for decryption key. In majority of cases it vary from 1300$ up to 1500$ for key, but their pricing in 72 hrs term is unchanged – 490$. It looks like crooks forcing their victims to pay now, or pay much more.
UPD 17.04.2020. One more group of Mado ransomware victims reported that their readme.txt contained another information about the sum they need to pay. Ransomware distributors are asking them to send 0.3 BTC (about 2100$) to decrypt their files. They have even changed a sum for 72-hrs payment. Now, that is 0.1 BTC. It can also be an instrument to force users to pay faster. Bitcoin price is unstable, so scared victims will probably hurry up to pay less.
Do not pay for Mado!
Please, try to use the available backups, or Decryptor tool
_readme.txt file also indicates that the computer owners must get in touch with the Mado representatives during 72 hours starting from the moment of files where encrypted. On the condition of getting in touch within 72 hours, users will be granted a 50% rebate, thus the ransom amount will be minimized down to $490). However, stay away from paying the ransom!
I definitely recommend that you do not contact these crooks and do not pay. The one of the most real working solution to recover the lost data – just using the available backups, or use Decrypter tool.
There are quite clear reasons not to contach ransomware distributors. You likely wouldn’t get any decryption key while talking to them. But fraudsters will get a profit from you even without your participation. Even if they lost trying to force you to pay them, they will then sold your e-mail to another knaves, who will spam your e-mail.
Fraudsters may try to show you, that they are honest and will decrypt your files after payment. We have a lot of comments of victims who contacted fraudsters and got 1-2 files decrypted. Croocks are calling it “decryption test”, hoping that you will pay them a full price, seeing that thet are not lying. But everyone need to understand that to entrust fraudsters is like to let them to fool you again
The peculiarity of all such viruses apply a similar set of actions for generating the unique decryption key to recover the ciphered data.
The mechanism of Mado ransomware supposes that it’s .exe file contains offline keys, that can help user to decrypt his files. However, this ransomware final action is self-destruction. So, if you want your files to be decrypted faster, and you want to help antimalware developers – start full scan as soon as you detected a ransomware activity on your PC. It will help developers to add their offline keys database, and improve Decryptor tool functionality.
Some users we contacted with said that their “edition” of Mado ransomware had an offline key, that was been hidden inside of one of the readme.txt files, that was been generated by ransomware. So, if you have installed some dubious software long ago, and guess that ransomware could be asleep for a long time – check your luck, maybe you will be able to decrypt your files without any payments.
You can find a link to decryption manual inside of readme.txt file. Fraudsters are offering to download their decryptor, which demands any type (online or offline) of decryption key. But there is no guarantee that they wouldn’t inject any malware with this “decryptor”. So, if you are really lucky and removed Mado ransomware with it’s own offline key and decryptor, that is offered by ransomware distributors – check your PC with an anti-malware program.
There is an interesting information about Mado ransomware encryption mechanics. The STOP ransomware family (Mado ransomware belongs to this family) only encrypts the first 150 kilobytes of files. Since MP3 or MP4 files are rather large, some media players ( Winamp, for example ) may be able to play the files, but the first 3-5 seconds (the encrypted portion) will be missing. That could be a solution if you need to listen to the someone’s voice recording or watch a video but got attacked by Mado ransomware.
Another way you can get to know if you have an offline key is checking the PersonalID.txt file. You can find it in SystemID folder, which is located on C:/ disk. If any of present entries ends with “t1” – you can recover your data using the decryptor we are offering to use below.
That’s also quite dangerous to use and share the decryptor that is offered by ransomware distributors. No one can be sure if this software contains another malware. It could be with adware or browser hijacker inside, may also contain trojans or backdoors, or even be clear. But I think that such risk is not nesessary, especially if you PC is already encrypted.
Thus, unless the ransomware is still under the stage of development or possesses some hard-to-track flaws, manually recovering the ciphered data is a thing you can’t really perform. The only solution to prevent the loss of your valuable data is to regularly make backups of your crucial files.
Note that even if you do maintain such backups regularly, they ought to be put into a specific location without loitering, not being connected to your main workstation.
For instance, the backup may be kept on the USB flash drive or some alternative external hard drive storage. Optionally, you may refer to the help of online (cloud) information storage.
Another problem can be ransomware injection in your backups. It can contaminate backups that are already done as well as new backups you are making already with ransomware onboard. So, you can get a malicious joke – yes, you are making a backup, but using it as a system restore base have literally no effect.
Even more – Mado ransomware can delete the darkness duplicate files from your PC in order to disable Windows Recovery. So, if you use proprietary Windows backup methods and mechanisms – be ready your backup to be blocked by sly ransomware.
The feature of all ransomware, including Mado ransomware, is that their performance is not instantaneous. No one can surely say how long encryption takes, and do this term specified in the command that launches ransomware. All these timings are specified by ransomware. But one is clear – you can notice encrypted files with .mado extension even before readme.txt file appearing.
Also, Mado ransomware performance cannot be surely defined with timeframes of some sort. After formal starting of encryption process, it can randomly encrypt your videos or music, or can choose the files you are opening and files, that are in the same folder with first file. Anyway, the way it will perform the encrypring process is defined only by ransomware distributors.
Another noteworthy issue is Mado ransomware influence on weak systems performance. After the encryption process started, old and weak systems with low RAM capacity could suffer of a lagspikes, slow application opening and general system inhibition.
N.B. Majority of ransomware have troubles with large files encrypting, like films, videos or archives. And Mado ransomware is not an exclusion. When some troubles occure till the big file encryption, it can just add .mado extension, then switch to another file. So, you can try to delete .mado extension and run the file as usual. But that’s not a panacea – there is still a chance that this big file will be encrypted.
UPD. 15.04.2020. We got a significant number of reports about odd behaviour of some versions of Mado ransomware. This modifications have other encryption performance and one interesting feature. It starts encryption with choosing randomly a file that would be encrypted first, then ransomware encrypts all files from the same folder with first one. The mentioned interesting feature is that this versions of Mado ransomware cannod encrypt files that are on another disk.
We compared a lot of users’ reports about different ransomware and draw a conclusion that this “random” disk encryption is a common feature of all STOP/Djvu ransomware family, to which belongs Mado ransomware. But, nonetheless, there are a lot of causes when Mado ransomware, like all other ransomware of his family, encrypted both disks.
Needless to mention, when you maintain your backup data on your common device, it may be similarly ciphered as well as other data.
For this reason, locating the backup on your main PC is surely not a good idea.
How I was infected?
Mado has a various methods to built into your system. But it doesn’t really matter what concrete method had place in your case.
Mado attack following a successful phishing attempt.
Nevertheless, these are the common leaks through which it may be injected into your PC:
- hidden installation along with other apps, especially the utilities that work as freeware or shareware;
- dubious link in spam emails leading to the Mado installer
- online free hosting resources;
- using illegal peer-to-peer (P2P) resources for downloading pirated software.
There were cases when the Mado virus was disguised as some legitimate tool, for example, in the messages demanding to initiate some unwanted software or browser updates. This is typically the way how some online frauds aim to force you into installing the Mado ransomware manually, by actually making you directly participate in this process.
Surely, the bogus update alert will not indicate that you are going to actually inject the Mado ransomware. This installation will be concealed under some alert mentioning that allegedly you should update Adobe Flash Player or some other dubious program whatsoever.
Of course, the cracked apps represent the damage too. Using P2P is both illegal and may result in the injection of serious malware, including the Mado ransomware.
To sum up, what can you do to avoid the injection of the Mado ransomware into your device? Even though there is no 100% guarantee to prevent your PC from getting damaged, there are certain tips I want to give you to prevent the Mado penetration. You must be cautious while installing free software today.
Make sure you always read what the installers offer in addition to the main free program. Stay away from opening dubious email attachments. Do not open files from the unknown addressees. Of course, your current security program must be always updated.
The malware does not speak openly about itself. It will not be mentioned in the list of your available programs. However, it will be masked under some malicious process running regularly in the background, starting from the moment when you launch your computer.
The message by the Mado ransomware states the following frustrating information:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-WJa63R98Ku Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: firstname.lastname@example.org Reserve e-mail address to contact us: email@example.com Your personal ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The image below gives a clear vision of how the files with “.mado” extension look like:
How to remove Mado virus?
In addition to encode a victim’s files, the Mado virus has also started to install the Azorult Spyware on PC to steal account credentials, cryptocurrency wallets, desktop files, and more.
Reasons why I would recommend GridinSoft6
The is an excellent way to deal with recognizing and removing threats – using Gridinsoft Anti-Malware. This program will scan your PC, find and neutralize all suspicious processes7.
Download Removal Tool.
You can download GridinSoft Anti-Malware by clicking the button below:
Run the setup file.
When setup file has finished downloading, double-click on the setup-antimalware-fix.exe file to install GridinSoft Anti-Malware on your PC.
An User Account Control asking you about to allow GridinSoft Anti-Malware to make changes to your device. So, you should click “Yes” to continue with the installation.
Press “Install” button.
Once installed, Anti-Malware will automatically run.
Wait for the Anti-Malware scan to complete.
GridinSoft Anti-Malware will automatically start scanning your system for Mado infections and other malicious programs. This process can take a 20-30 minutes, so I suggest you periodically check on the status of the scan process.
Click on “Clean Now”.
When the scan has finished, you will see the list of infections that GridinSoft Anti-Malware has detected. To remove them click on the “Clean Now” button in right corner.
How to decrypt .mado files?
Restore solution for big “.mado files“
Try removing .mado extension on a few BIG files and opening them. Either the Mado virus read and did not encrypt the file, or it bugged and did not add the filemarker. If your files are very large (2GB+), the latter is most likely. Please, let me know in comments if that will work for you.
As a result of the changes made by the criminals, STOPDecrypter is no longer supported. Tt has been removed and replaced with the Emsisoft Decryptor for STOP Djvu Ransomware developed by Emsisoft and Michael Gillespie.
You can download free decryption tool here: Decryptor for STOP Djvu.
Download and run decryption tool.
Start downloading the decryption tool.
Make sure to launch the decryption utility as an administrator. You need to agree with the license terms that will come up. For this purpose, click on the “Yes” button:
As soon as you accept the license terms, the main decryptor user interface comes up:
Select folders for decryption.
Based on the default settings, the decryptor will automatically populate the available locations in order to decrypt the currently available drives (the connected ones), including the network drives. Extra (optional) locations can be selected with the help of the “Add” button.
Decryptors normally suggest several options considering the specific malware family. The currently possible options are presented in the Options tab and can be activated or deactivated there. You may locate a detailed list of the currently active Options below.
Click on the “Decrypt” button.
As soon as yo add all the desired locations for decryption into the list, click on the “Decrypt” button in order to initiate the decryption procedure.
Note that the main screen may turn you to a status view, letting you know of the active process and the decryption statistics of your data:
The decryptor will notify you as soon as the decryption procedure is completed. If you need the report for your personal papers, you can save it by choosing the “Save log” button. Note that it is also possible to copy it directly to your clipboard and to paste it into emails or forum messages if you need to do so.
Frequently Asked Questions
How can I open “.mado” files?
Why is the MADO decrypter stuck on “Starting”?
mado files contain important information. How can I decrypt them urgently?
If not, then you can try to restore them through the system function – Restore Point.
All other methods will require patience.
You have advised using GridinSoft Anti-Malware to remove Mado. Does this mean that the program will delete my encrypted files?
You need GridinSoft Anti-Malware to remove active system infections. The virus that encrypted your files is most likely still active and periodically,
runs a test for the ability to encrypt even more files. In addition, these viruses install keyloggers and backdoors for further malicious actions
(for example theft of passwords, credit cards) often.
Decrytor did not decrypt all my files, or not all of them were decrypted. What should I do?
We will keep you posted on when new Mado keys or new decryption programs appear.
What can I do right now?
- In the United States: On Guard Online;
- In Canada: Canadian Anti-Fraud Centre;
- In the United Kingdom: Action Fraud;
- In Australia: SCAMwatch;
- In New Zealand: Consumer Affairs Scams;
- In France: Agence nationale de la sécurité des systèmes d’information;
- In Germany: Bundesamt für Sicherheit in der Informationstechnik;
- In Ireland: An Garda Síochána;
It’s my favorite video tutorial: How to use GridinSoft Anti-Malware and Emsisoft Decryptor for fix ransomware infections.
If the guide doesn’t help you to remove Mado infection, please download the GridinSoft Anti-Malware that I recommended. Also, you can always ask me in the comments for getting help.
User Review( votes)
- Ransomware-type infection: https://en.wikipedia.org/wiki/Ransomware
- Twitter: https://twitter.com/demonslay335
- My files are encrypted by ransomware, what should I do now?
- About DJVU (STOP) Ransomware.
- Encyclopedia of threats.
- GridinSoft Anti-Malware Review from HowToFix site: https://howtofix.guide/gridinsoft-anti-malware/
- More information about GridinSoft products: https://gridinsoft.com/products/