About Outsider Ransomware
Outsider ransomware encrypts server and customer computers using AES [1] encryption, and then demands a ransom of $900 in Bitcoins [2] to restore the files. It was first disclosed by the virus researcher GrujaRS [3]. The Outsider virus creates a file "MAPO-README.txt" with a ransom message in each folder that contains encrypted files.
It spreads through insecure RDP configurations, email spam with malicious attachments, deceptive downloads, botnets, exploits, web injects, fake updates, and repackaged or infected installers.
File types most commonly targeted for encryption:
- MS Office documents
- OpenOffice
- Text files
- Databases
- Images
- Music
- Videos
- ISO-files
- Archives
Example ransom note (MAPO-README.txt)
--------------------------------------------------------------------------------------------
! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST !
--------------------------------------------------------------------------------------------
Due vulnerability in your system all of the files have been protected with RSA Private Key to safe them from unathorized 3rd party access.
To RESTORE all of your files back, please follow this few steps:
1. MAPO service charges a payment for file decryption;
2. After payment being processed, contact us and provide your PC id-key;
3. Receive your unique decryption tool;
4. Run the decryption tool and successfully restore all your files back to normal state.
We guarantee:
100% Successful restoring of all files
100% Satisfaction guarantee
100% Safe and secure service
As a proof of our trusted decryption service, you can send us 1 file and get it decrypted for free.
--------------------------------------------------------------------------------------------
! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST !
! ONLY MAPO DECRYPTION TOOL CAN RESTORE YOUR FILES !
--------------------------------------------------------------------------------------------
Our email: support-mapo@pm.me
Payment type: Bitcoin
Your PC ID-KEY: XXXXXXXXXXXXXXXXXX
--------------------------------------------------------------------------------------------
support-mapo@pm.me / MAPO (c) 2019
Example ransom note (GUARDED-README.txt)
--------------------------------------------------------------------------------------------
! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST !
--------------------------------------------------------------------------------------------
Your server have been attacked by an Unathorized user.
All your files have been encrypted with RSA Private Key to safe them from unathorized 3rd party access.
To RESTORE all your files back, please follow this few steps:
1. PP-EUS service charges a payment for file decryption;
2. After payment being processed, provide us your server id-key
3. Receive your unique decryption tool;
4. Run the decryption tool and successfully restore all your files back to normal state.
We guarantee:
100% Successful restoring of all files
100% Satisfaction guarantee
100% Safe and secure service
As a proof of our trusted decryption service, you can send us 1 file and get it decrypted for free.
--------------------------------------------------------------------------------------------
! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST !
! ONLY OUR DECRYPTION TOOL CAN RESTORE YOUR FILES !
--------------------------------------------------------------------------------------------
Contact us: support-eus@pm.me
Payment type: Bitcoin
Our wallet: 19k8MNYRjVvkcozePZLnBhftrvGPfeugmN
Your server ID-KEY: XXXXXXXXXXXXXXXXXXXXXX
For any questions: support-eus@pm.me
ProtonProject EUS © 2019
Associated Names:
Stages of Outsider ransomware infection
- Once launched, the cryptoware executable connects to its Command and Control server (C&C) and obtains the encryption key and an infection identifier for the victim's PC. The data is exchanged over HTTP in JSON form.
- If the C&C is unavailable (the PC is not connected to the Internet, or the server does not respond), the cryptoware falls back to a hard-coded encryption key embedded in its executable and encrypts autonomously. In this case it is possible to decrypt the files without paying the ransom.
- The cryptoware replaces the legitimate Windows rdpclip.exe with its own copy and uses it to carry the attack onto other computers in the network.
- Once file encryption completes, the encryptor deletes itself using a delself.bat batch file.
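To scope an infection before any cleanup or decryption, the following added example (written for this page, not code from the article or from any vendor or CERT) walks a directory tree, counts encrypted files per folder and parses the ID-KEY and contact addresses out of every MAPO-README.txt or GUARDED-README.txt it finds. It assumes encrypted files carry a .MAPO suffix and that note lines match the format quoted above; the sample tree it builds is constructed inline.

```python
import os
import re
import tempfile
from collections import defaultdict

# Indicators taken from the article: note filenames and the .MAPO extension.
NOTE_NAMES = {"MAPO-README.txt", "GUARDED-README.txt"}
ENCRYPTED_EXT = ".mapo"  # assumption: encrypted files end in .MAPO
KEY_RE = re.compile(r"ID-KEY:\s*([A-Za-z0-9]+)", re.IGNORECASE)
MAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def parse_note(text):
    """Pull the victim ID-KEY and contact addresses out of a ransom note."""
    key = KEY_RE.search(text)
    return {"id_key": key.group(1) if key else None,
            "contacts": sorted(set(MAIL_RE.findall(text)))}


def triage(root):
    """Walk root; return per-directory encrypted-file counts and parsed notes."""
    report = {"encrypted": defaultdict(int), "notes": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in NOTE_NAMES:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report["notes"][path] = parse_note(fh.read())
            elif name.lower().endswith(ENCRYPTED_EXT):
                report["encrypted"][dirpath] += 1
    report["encrypted"] = dict(report["encrypted"])
    return report


def build_sample():
    """Constructed sample tree: two encrypted files, one untouched file, one note."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for fn in ("report.docx.MAPO", "budget.xlsx.MAPO", "untouched.txt"):
        open(os.path.join(docs, fn), "w").close()
    with open(os.path.join(docs, "MAPO-README.txt"), "w") as fh:
        fh.write("Our email: support-mapo@pm.me\nYour PC ID-KEY: ABC123XYZ\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample())
    for folder, count in result["encrypted"].items():
        print(f"{count} encrypted files in {folder}")
    for path, info in result["notes"].items():
        print(f"{path}: id_key={info['id_key']} contacts={info['contacts']}")
```

Run it against the root of an affected share to get a per-folder count of encrypted files and the ID-KEY needed in the key-recovery step.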
Remove MAPO Virus (Outsider Ransomware)
Reasons why I would recommend GridinSoft [4]
There is an excellent way to recognize and remove threats: GridinSoft Anti-Malware. This program will scan your PC, then find and neutralize all suspicious processes [5].
Download GridinSoft Anti-Malware.
You can download GridinSoft Anti-Malware by clicking the button below:
Run the setup file.
When the setup file has finished downloading, double-click on the install-antimalware-fix.exe file to install GridinSoft Anti-Malware on your PC.
A User Account Control prompt will ask whether to allow GridinSoft Anti-Malware to make changes to your device. Click "Yes" to continue with the installation.
Press “Install” button.
Once installed, Anti-Malware will automatically run.
Wait for the Anti-Malware scan to complete.
GridinSoft Anti-Malware will automatically start scanning your system for MAPO infections and other malicious programs. This process can take 20-30 minutes, so I suggest you periodically check on the status of the scan.
Click on “Clean Now”.
When the scan has completed, you will see the list of infections that GridinSoft Anti-Malware has detected. To remove them, click on the "Clean Now" button in the right corner.
How to decrypt .MAPO files?
Mapo ransomware decryption instruction
Make sure that the MAPO virus is removed
Make sure the ransomware is no longer running; otherwise it can encrypt your files again. Scan your computer with GridinSoft Anti-Malware.
First, delete the virus from your computer
Otherwise, it will lock your PC or damage your files. If your current anti-virus does not remove such malicious items, they can be deleted with GridinSoft Anti-Malware.
Download MAPO decryptor
You can download and use the decryptor that CERT.PL released if you were hit by the MAPO extension.
Obtain the key
Obtain the key from mapo.cert.pl:
- Upload the ransom note file (the MAPO-Readme.txt file) by clicking on the white field on the website.
- After choosing the file, the selected filename should be displayed.
- Verify the captcha by clicking on it, then click on “Get key” button to retrieve the key.
If the ransom note is correct and supported by mapo decryptor, the key will be returned. Don’t close the website just yet.
Run MAPO Decryptor
- Run mapo_decryptor.exe (that you downloaded in step 4.2) on the infected computer.
- Click Yes in the UAC Window.
- Wait until the decryptor asks for the key with the following message Input the recovered key.
- The decryptor will ask you to provide the key obtained from the service in step 4.3; copy the key from the website and paste it into the terminal as shown below (right-click the title bar first).
- Entering the key and pressing Enter will start the decryption process. After the "Press 'Enter' to exit..." message, all of your files should be decrypted.
After decryption and making sure that the files have been decrypted correctly you can safely delete encrypted files.
What next?
If this guide doesn't help you remove the MAPO virus, please download the GridinSoft Anti-Malware that I recommended. You can also always ask me in the comments for help. Good luck!
References
- About AES algorithm: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
- Bitcoin wiki: https://en.wikipedia.org/wiki/Bitcoin
- Twitter: https://twitter.com/GrujaRS
- GridinSoft Anti-Malware Review from HowToFix site: https://howtofix.guide/gridinsoft-anti-malware/
- More information about GridinSoft products: https://gridinsoft.com/comparison