MAPO Outsider Ransomware (.mapo files restore + decrypt)

Outsider Ransomware
Written by Brendan Smith

About Outsider Ransomware

Outsider ransomware encrypts servers and client workstations with AES [1] and then demands a ransom of $900 in Bitcoin [2] to restore the files. It was first reported by the malware researcher GrujaRS [3]. Note that the ransom note's claim that files were "protected with RSA Private Key" is the operators' wording, not a reliable description of the cipher actually used.

Outsider drops a ransom note named "MAPO-README.txt" in every folder that contains encrypted files (a variant uses "GUARDED-README.txt"; both are quoted below).

It is distributed through insecurely configured, Internet-exposed RDP, spam email with malicious attachments, deceptive downloads, botnets, exploits, web injects, fake updates, and repackaged or trojanized installers. For incident responders, exposed RDP is the entry vector to check first.

File types most exposed to encryption:
  • MS Office documents
  • OpenOffice
  • PDF
  • Text files
  • Databases
  • Images
  • Music
  • Videos
  • ISO-files
  • Archives
Example ransom note (MAPO-README.txt)
--------------------------------------------------------------------------------------------
  ! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST ! 
--------------------------------------------------------------------------------------------
Due vulnerability in your system all of the files have been protected with RSA Private Key to safe them from unathorized 3rd party access.
To RESTORE all of your files back, please follow this few steps:
1. MAPO service charges a payment for file decryption;
2. After payment being processed, contact us and provide your PC id-key;
3. Receive your unique decryption tool;
4. Run the decryption tool and successfully restore all your files back to normal state.
We guarantee:
100% Successful restoring of all files
100% Satisfaction guarantee
100% Safe and secure service
As a proof of our trusted decryption service, you can send us 1 file and get it decrypted for free.
--------------------------------------------------------------------------------------------
  ! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST !
  ! ONLY MAPO DECRYPTION TOOL CAN RESTORE YOUR FILES !
--------------------------------------------------------------------------------------------
Our email: support-mapo@pm.me
Payment type: Bitcoin
Your PC ID-KEY:
XXXXXXXXXXXXXXXXXX
--------------------------------------------------------------------------------------------
support-mapo@pm.me / MAPO (c) 2019
Example ransom note (GUARDED-README.txt)
--------------------------------------------------------------------------------------------
! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST !
--------------------------------------------------------------------------------------------
Your server have been attacked by an Unathorized user.
All your files have been encrypted with RSA Private Key to safe them from unathorized 3rd party access.
To RESTORE all your files back, please follow this few steps:
1. PP-EUS service charges a payment for file decryption;
2. After payment being processed, provide us your server id-key
3. Receive your unique decryption tool;
4. Run the decryption tool and successfully restore all your files back to normal state.
We guarantee:
100% Successful restoring of all files
100% Satisfaction guarantee
100% Safe and secure service
As a proof of our trusted decryption service, you can send us 1 file and get it decrypted for free.
--------------------------------------------------------------------------------------------
  ! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST !
  ! ONLY OUR  DECRYPTION TOOL CAN RESTORE YOUR FILES !
--------------------------------------------------------------------------------------------
Contact us: support-eus@pm.me
Payment type: Bitcoin
Our wallet: 19k8MNYRjVvkcozePZLnBhftrvGPfeugmN
Your server ID-KEY:
XXXXXXXXXXXXXXXXXXXXXX
For any questions: support-eus@pm.me
ProtonProject EUS © 2019
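The two notes above carry everything a responder should record before touching the data: the contact address, the wallet, and the per-victim ID-KEY that the key service described later on this page works from. As an added example (not code from this article, from GridinSoft or from cert.pl), the Python script below parses those indicators out of a note and inventories the encrypted files by their original type. The note text and directory tree are constructed for the demo; ".mapo" is the extension named on this page, while ".guarded" is an assumed extension inferred from the GUARDED-README.txt filename and may not match real samples.

```python
"""Triage helper for a MAPO / Outsider ransomware incident.

Added example: this is not code from the article, from GridinSoft or from
cert.pl.  It parses the indicators out of a ransom note (contact e-mail,
Bitcoin wallet, victim ID-KEY) and inventories encrypted files by their
original extension, so the note is preserved and the blast radius is known
before any decryptor is run.  The note text and directory tree below are
constructed for the demo from the two notes quoted on the page.
"""
import os
import re
import tempfile
from collections import Counter

# ".mapo" is the extension named on the page.  ".guarded" is an assumption
# inferred from the GUARDED-README.txt filename and may not match real samples.
ENCRYPTED_EXTENSIONS = {".mapo", ".guarded"}
NOTE_NAMES = {"MAPO-README.txt", "GUARDED-README.txt"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Legacy Base58 Bitcoin address (P2PKH/P2SH): starts with 1 or 3, no 0/O/I/l.
WALLET_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# "Your PC ID-KEY:" / "Your server ID-KEY:" with the key on the following line.
IDKEY_RE = re.compile(r"ID-KEY:\s*([A-Za-z0-9+/=_-]+)")

# Constructed sample note: the MAPO contact, the EUS wallet and a redacted
# 18-character ID-KEY, mirroring the notes quoted on the page.
SAMPLE_NOTE = (
    "Due vulnerability in your system all of the files have been protected "
    "with RSA Private Key to safe them from unathorized 3rd party access.\n"
    "Our email: support-mapo@pm.me\n"
    "Payment type: Bitcoin\n"
    "Our wallet: 19k8MNYRjVvkcozePZLnBhftrvGPfeugmN\n"
    "Your PC ID-KEY:\n" + "X" * 18 + "\n"
    "support-mapo@pm.me / MAPO (c) 2019\n"
)


def parse_note(text):
    """Return contact and victim identifiers found in a ransom note body."""
    m = IDKEY_RE.search(text)
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "wallets": sorted(set(WALLET_RE.findall(text))),
        "id_key": m.group(1) if m else None,
    }


def inventory(root):
    """Count encrypted files per original extension and locate every note."""
    counts = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in NOTE_NAMES:
                notes.append(path)
                continue
            stem, ext = os.path.splitext(name)
            if ext.lower() in ENCRYPTED_EXTENSIONS:
                # "report.docx.mapo" -> original type ".docx"
                counts[os.path.splitext(stem)[1].lower() or "(none)"] += 1
    return {"encrypted_by_type": dict(counts), "notes": sorted(notes)}


def triage(root):
    """Inventory a tree and parse the first ransom note found in it."""
    result = inventory(root)
    result["indicators"] = None
    if result["notes"]:
        with open(result["notes"][0], encoding="utf-8", errors="replace") as fh:
            result["indicators"] = parse_note(fh.read())
    return result


def build_sample_tree():
    """Constructed stand-in for a hit file share (throwaway temp directory)."""
    root = tempfile.mkdtemp(prefix="mapo_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.mapo", "budget.xlsx.mapo", "scan.pdf.mapo", "photo.jpg.mapo"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00ciphertext placeholder")
    for folder in (root, docs):
        with open(os.path.join(folder, "MAPO-README.txt"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NOTE)
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print("encrypted files by type:", report["encrypted_by_type"])
    print("ransom notes found:", len(report["notes"]))
    print("indicators:", report["indicators"])
```

Run triage() against the root of an affected share instead of build_sample_tree() to get real counts, and keep every note file untouched: the key service needs it, and the wallet and e-mail are the indicators worth sharing with other victims.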

Stages of Outsider ransomware infection

  1. Once launched, the ransomware executable contacts its command-and-control (C&C) server and obtains the encryption key and an infection identifier for the victim's PC. The exchange runs over HTTP with JSON-formatted data.
  2. If the C&C is unreachable (the PC has no Internet connection, or the server does not respond), the ransomware falls back to a hard-coded encryption key embedded in its own code and encrypts autonomously. Files encrypted in this mode can be decrypted without paying the ransom, because that key can be recovered from the sample; this is what makes a free decryptor possible (see below). Keep the ransom note, since the key service works from it, and not every infection is supported.
  3. It plants a malicious rdpclip.exe in place of the legitimate Windows binary and uses it to carry the attack to other machines on the network.
  4. Once encryption completes, the encryptor deletes itself with the batch file delself.bat.

For responders, the artifacts to look for are an rdpclip.exe that does not carry Microsoft's signature and a leftover delself.bat.

Remove MAPO Virus (Outsider Ransomware)

Reasons why I recommend GridinSoft [4]

There is no better way to recognize, remove and prevent ransomware than to use anti-malware software from GridinSoft [5].

Download GridinSoft Anti-Malware.

You can download GridinSoft Anti-Malware from the vendor's site [5].

Run the setup file.

When the setup file has finished downloading, double-click the install-antimalware-fix.exe file to install GridinSoft Anti-Malware on your PC.

Run Setup.exe

A User Account Control prompt will ask whether to allow GridinSoft Anti-Malware to make changes to your device. Click "Yes" to continue with the installation.

GridinSoft Anti-Malware Setup

Press “Install” button.

GridinSoft Anti-Malware Install

Once installed, Anti-Malware will automatically run.

GridinSoft Anti-Malware Splash-Screen

Wait for the Anti-Malware scan to complete.

GridinSoft Anti-Malware will automatically start scanning your system for MAPO infections and other malicious programs. This can take 20-30 minutes, so check on the status of the scan periodically.

GridinSoft Anti-Malware Scanning

Click on “Clean Now”.

When the scan has completed, you will see the list of infections that GridinSoft Anti-Malware has detected. To remove them, click the "Clean Now" button in the right corner.

GridinSoft Anti-Malware Scan Result

How to decrypt .MAPO files?

Mapo ransomware decryption instruction

Make sure that MAPO virus removed

Make sure that the ransomware is no longer running; if it is, it can encrypt your files again, including any you have just decrypted. Scan your computer with GridinSoft Anti-Malware first.

Note!

You must remove the malware from your computer first. Otherwise it can lock your PC or damage your files again. If your current anti-virus does not remove it, GridinSoft Anti-Malware can.

Download MAPO decryptor

You can download and use the decryptor that CERT Polska (cert.pl) released if you were hit by the .mapo extension.

Obtain the key

Obtain the key from mapo.cert.pl:

mapo key tool

  1. Upload the ransom note (the MAPO-README.txt file) by clicking the white field on the website.
  2. After choosing the file, the selected filename should be displayed.
  3. Solve the captcha by clicking on it, then click the "Get key" button to retrieve the key.

If the ransom note is valid and its variant is supported by the MAPO decryptor, the key is returned. Keep the website open for now.

Run MAPO Decryptor

  • Run mapo_decryptor.exe (downloaded in the "Download MAPO decryptor" step) on the infected computer.
  • Click Yes in the UAC window.
  • Wait until the decryptor asks for the key with the message "Input the recovered key".
  • Copy the key obtained from the key service in the "Obtain the key" step and paste it into the console window (right-click the title bar and choose Edit > Paste).
  • Pressing Enter starts the decryption. When the message "Press Enter to exit..." appears, all of your files should be decrypted.

Delete the encrypted files only after you have checked that the decrypted files open correctly; until then, keep both copies.
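That check is worth automating before any mass delete. As an added example (not from the article, GridinSoft or the cert.pl decryptor), the Python script below compares each decrypted file with the signature its extension implies and, for types without a known signature, measures byte entropy, then lists only those .mapo files whose decrypted twin passed. The sample files are constructed in a temporary directory; the magic-number table and the 7.5 bits/byte threshold are my own choices and cover only a handful of common formats.

```python
"""Sanity-check decrypted output before deleting the encrypted originals.

Added example: not from the article, GridinSoft or the cert.pl decryptor.
A decryptor run with the wrong key, or one that aborted midway, can leave
"decrypted" files that are still ciphertext.  Before the .mapo copies are
deleted, each decrypted twin is checked for the magic bytes its extension
implies and, for types without a known signature, for ciphertext-like byte
entropy.  The sample files are constructed in a temp directory; the magic
table and the entropy threshold are illustrative choices.
"""
import math
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".mapo"   # suffix named on the page
ENTROPY_LIMIT = 7.5          # bits/byte; plaintext formats sit well below this

# Leading bytes of well-formed files for a few common types.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),   # OOXML documents are ZIP containers
    ".xlsx": (b"PK\x03\x04",),
}


def shannon_entropy(data):
    """Bits per byte of a byte string; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_decrypted(path, sample=4096):
    """Inspect the head of one decrypted file and flag it if it still looks encrypted."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample)
    expected = MAGIC.get(ext)
    magic_ok = None if expected is None else any(head.startswith(m) for m in expected)
    entropy = round(shannon_entropy(head), 2)
    # Known type with wrong signature, or unknown type that looks random -> suspicious.
    suspicious = magic_ok is False or (magic_ok is None and entropy > ENTROPY_LIMIT)
    return {"ext": ext, "magic_ok": magic_ok, "entropy": entropy, "suspicious": suspicious}


def audit(root):
    """Check every non-.mapo file under root; keys are paths relative to root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ENCRYPTED_SUFFIX):
                path = os.path.join(dirpath, name)
                results[os.path.relpath(path, root)] = check_decrypted(path)
    return results


def deletion_candidates(root):
    """Encrypted files whose decrypted twin exists and passed the checks."""
    safe = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ENCRYPTED_SUFFIX):
                continue
            enc = os.path.join(dirpath, name)
            dec = enc[: -len(ENCRYPTED_SUFFIX)]
            if os.path.isfile(dec) and not check_decrypted(dec)["suspicious"]:
                safe.append(os.path.relpath(enc, root))
    return sorted(safe)


# Constructed stand-in for ciphertext: every byte value equally often (entropy 8.0).
FAKE_CIPHERTEXT = bytes(range(256)) * 16


def build_samples():
    """Constructed directory: decryptor output next to its .mapo originals."""
    root = tempfile.mkdtemp(prefix="mapo_verify_")
    outputs = {
        "good.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n" * 40,
        "bad.pdf": FAKE_CIPHERTEXT,                  # wrong key: still ciphertext
        "notes.txt": b"Quarterly notes, nothing unusual.\n" * 60,
        "blob.dat": FAKE_CIPHERTEXT,                 # unknown type, random-looking
    }
    for name, body in outputs.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
        with open(os.path.join(root, name + ENCRYPTED_SUFFIX), "wb") as fh:
            fh.write(FAKE_CIPHERTEXT)
    with open(os.path.join(root, "orphan.jpg" + ENCRYPTED_SUFFIX), "wb") as fh:
        fh.write(FAKE_CIPHERTEXT)                    # never decrypted: keep it
    return root


if __name__ == "__main__":
    root = build_samples()
    for rel, res in sorted(audit(root).items()):
        print(f"{rel:12} magic_ok={res['magic_ok']!s:5} entropy={res['entropy']:.2f} suspicious={res['suspicious']}")
    print("safe to delete:", deletion_candidates(root))
```

Point deletion_candidates() at the decrypted tree; anything flagged suspicious (wrong signature, or ciphertext-like entropy for a type without a signature) stays next to its .mapo copy for a second attempt, and an encrypted file with no decrypted twin is never offered for deletion.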

What next?

If this guide did not help you remove the MAPO virus, download GridinSoft Anti-Malware as recommended above. You can also ask for help in the comments. Good luck!


References

  1. About the AES algorithm: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
  2. Bitcoin wiki: https://en.wikipedia.org/wiki/Bitcoin
  3. GrujaRS on Twitter: https://twitter.com/GrujaRS
  4. GridinSoft Anti-Malware review on HowToFix: https://howtofix.guide/gridinsoft-anti-malware/
  5. GridinSoft products: http://gridinsoft.com/products/

About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.
