MAPO Outsider Ransomware (.mapo files restore + decrypt)

About Outsider Ransomware

Outsider ransomware encrypts servers and client computers using AES[1] encryption, and then demands a ransom of $900 in Bitcoin[2] to restore the files. It was first disclosed by the virus researcher GrujaRS[3].

The Outsider virus creates a file named “MAPO-README.txt” containing the ransom message in every folder that holds encrypted files.

It spreads through insecure RDP configurations, email spam with malicious attachments, deceptive downloads, botnets, exploits, web injects, fake updates, and repackaged or infected installers.

File types most commonly targeted for encryption:
  • MS Office documents
  • OpenOffice
  • PDF
  • Text files
  • Databases
  • Images
  • Music
  • Videos
  • ISO-files
  • Archives
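A responder's first job is to scope the damage: which folders were hit, which file types were lost, and whether every affected folder actually received the note the article describes. The script below is an added example for this article, not code from the article, from cert.pl or from any vendor. It assumes two things, both labelled in the code: the ransomware appends ".mapo" to each encrypted file (report.docx.mapo), and the note is named MAPO-README.txt (or GUARDED-README.txt for the PP-EUS variant). It only reads the tree and runs against a small constructed sample so it can be tried offline.

```python
"""Scope a MAPO / Outsider infection on a file tree.

Added example for this article; not code from the article, cert.pl or any vendor.
Assumptions (labelled): encrypted files carry an appended ".mapo" extension, and
the ransom note is MAPO-README.txt or GUARDED-README.txt. Read-only.
"""
from collections import Counter
from pathlib import Path
import tempfile

ENCRYPTED_SUFFIX = ".mapo"                              # assumption: appended extension
NOTE_NAMES = {"mapo-readme.txt", "guarded-readme.txt"}  # compared case-insensitively


def scope_infection(root):
    """Walk `root` and summarise what the ransomware touched.

    Returns a dict with:
      encrypted         - number of *.mapo files found
      affected_dirs     - directories (relative to root) holding encrypted files
      dirs_without_note - affected directories where no ransom note was dropped
      original_types    - Counter of the extensions files had before encryption
      notes             - ransom note paths (relative to root)
    """
    root = Path(root)
    encrypted = 0
    affected = set()
    notes = []
    original_types = Counter()

    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel_dir = path.parent.relative_to(root).as_posix()
        if path.name.lower() in NOTE_NAMES:
            notes.append(path.relative_to(root).as_posix())
        elif path.suffix.lower() == ENCRYPTED_SUFFIX:
            encrypted += 1
            affected.add(rel_dir)
            # Strip the trailing .mapo to recover the original extension.
            original_types[path.with_suffix("").suffix.lower() or "(none)"] += 1

    dirs_with_note = {Path(n).parent.as_posix() for n in notes}
    return {
        "encrypted": encrypted,
        "affected_dirs": sorted(affected),
        "dirs_without_note": sorted(affected - dirs_with_note),
        "original_types": original_types,
        "notes": sorted(notes),
    }


def build_sample_tree(base):
    """Constructed sample: a small share that was only partially hit."""
    base = Path(base)
    (base / "docs").mkdir()
    (base / "docs" / "report.docx.mapo").write_bytes(b"\x00" * 16)
    (base / "docs" / "budget.xlsx.mapo").write_bytes(b"\x00" * 16)
    (base / "docs" / "MAPO-README.txt").write_text("ransom note placeholder")
    (base / "media").mkdir()
    (base / "media" / "holiday.jpg.mapo").write_bytes(b"\x00" * 16)
    # No note here: e.g. the encryptor was interrupted before dropping it.
    (base / "tools").mkdir()
    (base / "tools" / "setup.exe").write_bytes(b"MZ")  # untouched file
    return base


def demo():
    """Build the constructed sample in a temp dir and scope it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scope_infection(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point it at a mounted share or a forensic image copy rather than the live system, and treat any affected directory without a note as a hint that encryption was interrupted there.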

Example ransom note (MAPO-README.txt)

--------------------------------------------------------------------------------------------
  ! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST ! 
--------------------------------------------------------------------------------------------
Due vulnerability in your system all of the files have been protected with RSA Private Key to safe them from unathorized 3rd party access.
To RESTORE all of your files back, please follow this few steps:
1. MAPO service charges a payment for file decryption;
2. After payment being processed, contact us and provide your PC id-key;
3. Receive your unique decryption tool;
4. Run the decryption tool and successfully restore all your files back to normal state.
We guarantee:
100% Successful restoring of all files
100% Satisfaction guarantee
100% Safe and secure service
As a proof of our trusted decryption service, you can send us 1 file and get it decrypted for free.
--------------------------------------------------------------------------------------------
  ! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST !
  ! ONLY MAPO DECRYPTION TOOL CAN RESTORE YOUR FILES !
--------------------------------------------------------------------------------------------
Our email: [email protected]
Payment type: Bitcoin
Your PC ID-KEY:
XXXXXXXXXXXXXXXXXX
--------------------------------------------------------------------------------------------
[email protected] / MAPO (c) 2019

Example ransom note (GUARDED-README.txt)

--------------------------------------------------------------------------------------------
! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST !
--------------------------------------------------------------------------------------------
Your server have been attacked by an Unathorized user.
All your files have been encrypted with RSA Private Key to safe them from unathorized 3rd party access.
To RESTORE all your files back, please follow this few steps:
1. PP-EUS service charges a payment for file decryption;
2. After payment being processed, provide us your server id-key
3. Receive your unique decryption tool;
4. Run the decryption tool and successfully restore all your files back to normal state.
We guarantee:
100% Successful restoring of all files
100% Satisfaction guarantee
100% Safe and secure service
As a proof of our trusted decryption service, you can send us 1 file and get it decrypted for free.
--------------------------------------------------------------------------------------------
  ! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST !
  ! ONLY OUR  DECRYPTION TOOL CAN RESTORE YOUR FILES !
--------------------------------------------------------------------------------------------
Contact us: [email protected]
Payment type: Bitcoin
Our wallet: 19k8MNYRjVvkcozePZLnBhftrvGPfeugmN
Your server ID-KEY:
XXXXXXXXXXXXXXXXXXXXXX
For any questions: [email protected]
ProtonProject EUS © 2019
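The two notes above share one layout, and the fields a responder records from them (variant name, contact address, wallet, and the ID-KEY the key service needs) always sit in the same places. The parser below is an added example for this article, not code from the article or from the cert.pl key service. Its embedded samples are constructed from the layouts quoted above: the e-mail address and the ID-KEYs are labelled placeholders (the article does not reproduce the real ones), while the wallet is the one quoted in the GUARDED note.

```python
"""Extract triage fields from a MAPO / PP-EUS ransom note.

Added example for this article, not code from the article or from cert.pl.
The samples are constructed from the note layouts quoted in the article;
the e-mail address and ID-KEYs are placeholders.
"""
import re

# Constructed sample in the GUARDED-README.txt (PP-EUS) layout.
SAMPLE_NOTE_PPEUS = """\
--------------------------------------------------------------------------------------------
! STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS OR MODIFYING ENCRYPTED FILES - DATA WILL BE LOST !
--------------------------------------------------------------------------------------------
Your server have been attacked by an Unathorized user.
To RESTORE all your files back, please follow this few steps:
1. PP-EUS service charges a payment for file decryption;
2. After payment being processed, provide us your server id-key
Contact us: contact@placeholder.invalid
Payment type: Bitcoin
Our wallet: 19k8MNYRjVvkcozePZLnBhftrvGPfeugmN
Your server ID-KEY:
PLACEHOLDERIDKEY000001
For any questions: contact@placeholder.invalid
ProtonProject EUS (c) 2019
"""

# Constructed sample of the MAPO-README.txt tail (that layout has no wallet line).
SAMPLE_NOTE_MAPO = """\
1. MAPO service charges a payment for file decryption;
Our email: contact@placeholder.invalid
Payment type: Bitcoin
Your PC ID-KEY:
PLACEHOLDERIDKEY000002
"""

BANNER = "STRICTLY FORBIDDEN TO USE NON-ORIGIN DECRYPTION TOOLS"
# Base58 Bitcoin address: leading 1 or 3, no 0 / O / I / l, 26-35 chars total.
WALLET_RE = re.compile(r"^Our wallet:[ \t]*([13][a-km-zA-HJ-NP-Z1-9]{25,34})[ \t]*$", re.M)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# The service name in step 1 identifies the variant ("MAPO" or "PP-EUS").
VARIANT_RE = re.compile(r"^[ \t]*1\.[ \t]*(\S+)[ \t]+service charges", re.M)
# The key sits on the line after "Your PC ID-KEY:" or "Your server ID-KEY:".
IDKEY_RE = re.compile(r"^Your (PC|server) ID-KEY:[ \t]*\r?\n[ \t]*(\S+)", re.M | re.I)


def is_family_note(text):
    """True if the note carries the banner this family prints at top and bottom."""
    return BANNER in text


def parse_note(text):
    """Return the fields a responder records from the note (None when absent)."""
    variant = VARIANT_RE.search(text)
    wallet = WALLET_RE.search(text)
    idkey = IDKEY_RE.search(text)
    return {
        "variant": variant.group(1) if variant else None,
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "wallet": wallet.group(1) if wallet else None,
        # "pc" for the workstation note, "server" for the PP-EUS note
        "id_key_scope": idkey.group(1).lower() if idkey else None,
        "id_key": idkey.group(2) if idkey else None,
    }


if __name__ == "__main__":
    for name, note in (("PP-EUS", SAMPLE_NOTE_PPEUS), ("MAPO", SAMPLE_NOTE_MAPO)):
        print(name, is_family_note(note), parse_note(note))
```

Keep the original note file untouched for the key service; the parsed fields are for your incident record and for matching against other hosts.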

Associated Names:

Stages of Outsider ransomware infection

  1. Once launched, the cryptoware executable connects to the Command and Control server (C&C) and obtains the encryption key and an infection identifier for the victim’s PC. The data is transferred over HTTP as JSON.
  2. If the C&C is unavailable (the PC is not connected to the Internet or the server does not respond), the cryptoware falls back to a hard-coded encryption key embedded in its code and encrypts autonomously. In this case the files can be decrypted without paying the ransom.
  3. The cryptoware replaces the legitimate Windows rdpclip.exe with its own copy and uses it to carry the attack across the computer network.
  4. Once encryption is complete, the encryptor deletes itself by means of the delself.bat batch file.

Remove MAPO Virus (Outsider Ransomware)

Reasons why I would recommend GridinSoft[4]

  1. Run the setup file (Setup.exe).
     [Screenshot: GridinSoft Anti-Malware Setup]
  2. Press the “Install” button.
     [Screenshot: GridinSoft Anti-Malware Install]
  3. Once installed, Anti-Malware will run automatically.
     [Screenshot: GridinSoft Anti-Malware Splash-Screen]
  4. Wait for the Anti-Malware scan to complete.
     [Screenshot: GridinSoft Anti-Malware Scanning]
  5. Click on “Clean Now”.
     [Screenshot: GridinSoft Anti-Malware Scan Result]

How to decrypt .MAPO files?

MAPO ransomware decryption instructions

Make sure that the MAPO virus has been removed

Note! You need to delete the viruses from your computer first of all. Otherwise, the ransomware may lock your PC or damage your files. In case your current anti-virus does not remove such malicious items, they can be deleted with GridinSoft Anti-Malware.

Download MAPO decryptor

If your files were hit with the .mapo extension, you can download and use the decryptor that cert.pl released.

Obtain the key

Obtain the key from mapo.cert.pl:

[Screenshot: mapo key tool]

  1. Upload the ransom note (the MAPO-README.txt file) by clicking on the white field on the website.
  2. After choosing the file, the selected filename should be displayed.
  3. Solve the captcha by clicking on it, then click the “Get key” button to retrieve the key.

If the ransom note is valid and supported by the MAPO decryptor, the key will be returned. Don’t close the website just yet.

Run MAPO Decryptor

  • Run mapo_decryptor.exe (downloaded in the “Download MAPO decryptor” step) on the infected computer.
  • Click Yes in the UAC window.
  • Wait until the decryptor asks for the key with the message “Input the recovered key”.
  • The decryptor will ask you to provide the key obtained from the service in the “Obtain the key” step; copy the key from the website and paste it into the terminal as shown below (right-click the title bar first).
  • Entering the key and pressing Enter starts the decryption process. After the “Press Enter to exit…” message, all of your files should be decrypted.

After decryption, and once you have made sure that the files have been decrypted correctly, you can safely delete the encrypted files.
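“Making sure the files have been decrypted correctly” is the step people skip, and deleting the .mapo copies too early destroys the only input a later decryptor could use. The script below is an added example for this article, not code from the article or from the cert.pl decryptor. It assumes (labelled in the code) that the decryptor writes each plaintext next to its encrypted copy under the original name (report.docx.mapo becomes report.docx); it runs as a dry run by default and, when deletion is enabled, removes only the encrypted copies whose plaintext exists, is non-empty and, for the file types it knows, starts with the expected header.

```python
"""Verify decryption results before deleting the .mapo copies.

Added example for this article, not code from the article or from cert.pl.
Assumption: the decryptor writes the plaintext beside the encrypted file under
the original name (report.docx.mapo -> report.docx). Dry run unless delete=True.
"""
from pathlib import Path
import tempfile

# Magic bytes for a few of the file types the article lists; a plaintext that
# starts with the right header is very likely intact.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}


def decrypted_name(encrypted):
    """Drop the trailing .mapo (assumed naming scheme, see module docstring)."""
    return encrypted.with_suffix("")


def check_pair(encrypted):
    """Classify one encrypted file: 'ok', 'missing', 'empty' or 'bad-header'."""
    plain = decrypted_name(encrypted)
    if not plain.is_file():
        return "missing"          # decryptor never wrote the plaintext
    if plain.stat().st_size == 0:
        return "empty"            # written but zero bytes: do not trust it
    magic = MAGIC.get(plain.suffix.lower())
    if magic:
        with plain.open("rb") as fh:
            if fh.read(len(magic)) != magic:
                return "bad-header"   # wrong key or truncated output
    return "ok"                   # unknown types pass on existence and size alone


def cleanup(root, delete=False):
    """Report on every *.mapo under root; delete only verified 'ok' copies."""
    root = Path(root)
    results = {}
    for enc in sorted(root.rglob("*")):
        if enc.is_file() and enc.suffix.lower() == ".mapo":
            status = check_pair(enc)
            results[enc.relative_to(root).as_posix()] = status
            if delete and status == "ok":
                enc.unlink()
    return results


def build_sample_tree(base):
    """Constructed sample: one share after a partially successful decryption."""
    base = Path(base)
    (base / "docs").mkdir()
    (base / "media").mkdir()
    # fully recovered: encrypted copy plus a plaintext with the right ZIP header
    (base / "docs" / "report.docx.mapo").write_bytes(b"\x00" * 16)
    (base / "docs" / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 12)
    # decryptor produced an empty file
    (base / "docs" / "scan.pdf.mapo").write_bytes(b"\x00" * 16)
    (base / "docs" / "scan.pdf").write_bytes(b"")
    # decryptor never wrote the plaintext
    (base / "docs" / "notes.txt.mapo").write_bytes(b"\x00" * 16)
    # plaintext exists but does not look like a JPEG
    (base / "media" / "pic.jpg.mapo").write_bytes(b"\x00" * 16)
    (base / "media" / "pic.jpg").write_bytes(b"not a jpeg")
    return base


def demo():
    """Dry run, then a real cleanup, on the constructed sample."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        dry = cleanup(root)            # nothing deleted
        cleanup(root, delete=True)     # removes only the verified pair
        remaining = sorted(p.name for p in root.rglob("*.mapo"))
        return dry, remaining


if __name__ == "__main__":
    dry, remaining = demo()
    print(dry)
    print("still encrypted:", remaining)
```

Anything reported as missing, empty or bad-header should be kept encrypted and re-run through the decryptor, or restored from backup, rather than deleted.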

What next?

References

  1. About the AES algorithm: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
  2. Bitcoin wiki: https://en.wikipedia.org/wiki/Bitcoin
  3. Twitter: https://twitter.com/GrujaRS

About the author

Brendan Smith

Cybersecurity analyst covering malware families, suspicious files, and detection alerts. Brendan focuses on clear explanations of what a warning means, when it may be a false positive, and which cleanup steps are appropriate.
