Maktub ransomware removal instructions
What is Maktub?
Maktub is ransomware distributed via zipped Word documents. Once the file is extracted and opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. Maktub ransomware adds a .NORV, .gyul (or other random) extension to each file encrypted, thus, making it straightforward to determine which files are encrypted. After encryption, Maktub opens a window containing a message stating that the files are encrypted and that user must pay a ransom to decrypt them. It is also stated that the ransom must be paid within the given time frame, otherwise encryption will become impossible.
The message states that the victim must pay the ransom within 12 hours. Be aware that the algorithm used to encrypt the files generates two keys - public and private. The private key is stored on remote servers controlled by cyber criminals. Therefore, if the ransom is not paid within the given time frame, the key will supposedly be deleted. It is impossible to decrypt the files without this key. The displayed window also contains step-by-step payment instructions. To pay, users must download the Tor browser, go to Maktub's website, and follow the further instructions. Note that Maktub developers allow victims to decrypt a number of files free of charge as an 'insurance'. Currently, the size of ransom is unknown, however, ransomware-type malware often makes demands for 0.5 - 1.5 Bitcoin ($204.55 - $613.65). Unfortunately, at time of research, there were no tools capable of decrypting files affected by Maktub. Therefore, the only and best solution to this problem, is to restore your system from a backup.
Screenshot of a message encouraging users to contact the developers of Maktub ransomware to decrypt their compromised data:
Maktub is simply another ransomware program and, therefore, shares many similarities with Teslacrypt, Locky, CryptoWall, Surprise, Vault, and many other viruses. All are designed to stealthily infiltrate the system and encrypt stored files. The main differences between these viruses are the size of ransoms demanded and types of algorithms used to encrypt the files. It is highly probable that your files will remain encrypted even if you pay the ransom. Paying is equivalent to sending your money directly to cyber criminals - you merely support their malicious business. For this reason, you should never attempt to contact cyber criminals or pay their ransoms. Ransomware is often distributed via P2P networks (for example, Torrents), malicious email attachments, fake software updates, and trojans and, therefore, you should be cautious when downloading files from untrusted sources and opening attachments sent from unrecognized emails. In addition, all installed applications should be kept up-to-date and using a legitimate anti-virus, or anti-spyware suite is paramount.
|Threat Type||Ransomware, Crypto Virus, Files locker|
|Encrypted Files Extension||Random string.|
|Ransom Demanding Message||Pop-up windows, HTML files, websites in TOR network.|
|Detection Names||Avast (Win32:Filecoder-AD [Trj]), BitDefender (Trojan.Agent.CCGV), ESET-NOD32 (Win32/Filecoder.MaktubLocker.B), Kaspersky (Trojan-Downloader.Win32.Cabby.zipxi), Full List Of Detections (VirusTotal)|
|Symptoms||Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files.|
|Distribution methods||Infected email attachments (macros), torrent websites, malicious ads.|
|Damage||All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.|
|Malware Removal (Windows)||
To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Malwarebytes.
Text presented by the Maktub demanding a ransom within a pop-up window:
Your personal files are encrypted!
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the key. The server will eliminate the key after a time period specified in this window.
in your browser. They are public gates to the secret server.
If you have problems with gates, use direct connection:
1) Download TOR Browser from hxxp://torproject.org
2) In the Tor Browser open the hxxp://bs7aygotd2rnjl40.onion.link
(Note that this server is available via Tor Browser only. Retry in hour if site is not reachable).
Write in the following public key in the input form on server:
Appearance of Maktub ransomware's pop-up window (GIF):
Appearance of Maktub ransomware's HTML file (GIF):
Screenshot of a MS Word document opened once the malicious executable is opened:
Text presented within this file:
Beschreibung Menge Preis Betrag
Maktub ransomware website homepage ('Hello'):
Text presented within this page:
We're very sorry that all of your personal files have been encrypted. But three are good news - they aren't gone, you still have the opportunity to restore them! statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don't make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of yours files, you will need to pay a certain amount. But let'start with something else...
Maktub ransomware pricing ('How much does it cost?'):
Text presented within this page:
HOW MUCH DOES IT COST?
We hope that you are convinced that we can decrypt all of yours files. Now, the most important thing! The faster you transfer the money, the cheaper file decryption will be. At every stage of payment, you get 3 days or 72 hours. You can see the countdown in the right top corner. After the clock shows 00:00:00 you go to the next stage of payment and the price automatically increases. We only accept the electronix currency Bitcoin as a form of payment. Here is sa table that shows the date of payment and the price. Your current stage is marked in yellow.
Stage Time of payment How much money should be sent
1 During the first 3 days x BTC
2 From 3 to 6 days x BTC
3 From 6 to 9 days 3333
4 From 9 to 12 days 102043 bytes
5 From 12 to 15 days 102043 bytes
6 More than 15 days 102043 bytes
After 15 days of no payment, we do not quarantee that we saved the key. This site can be disconnected at any moment and you will lose your data forever. Please take this seriously.
Maktub payment instructions ('Where do I pay?'):
Text presented within this page:
WHERE DO I PAY?
The whole process of payment confirmation is automated! You won't have to wait while we manually check the status of the incoming payment. As soon as you send the money, it will only take a few hours for the system to automatically count them and create the program that will decode your file.
After sending your payment just refresh this site after a couple of hours.
You must transfer BTC to the following address:
Maktub ransomware allowing users to 'decrypt files for free' ('We are not lying!'):
Text presented within this page:
WE ARE NOT LYING!
Googling " MAKTUB LOCKER" will instantly bring up many suggestions on deleting the program from your personal computer. But not one of the third party programs will be able to do the most important thing - to decrypt your files! In order to do this, you need to have the private master-key that only we have. And only we can restore all of your files. And to show that we aren't making unfounded statements, we'll prove it. Upload any encrypted file,no larger than 200kb, and we will decrypt it, absolutely free!
File available to decrypt:2
Maktub ransomware removal:
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Malwarebytes is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
- What is Maktub?
- STEP 1. Maktub virus removal using safe mode with networking.
- STEP 2. Maktub ransomware removal using System Restore.
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Log in to the account infected with the Maktub virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":
1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window, click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Maktub ransomware virus infiltrating your PC).
6. In the opened window, click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Maktub ransomware files.
To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Maktub are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.
To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.
To protect your computer from file encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Maktub ransomware.)
HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user intervention:
Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:
- The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.
Other tools known to remove Maktub ransomware: