Removal of Maktub ransomware

Also Known As: Maktub virus
Distribution: Low
Damage level: Severe

Maktub ransomware removal instructions

What is Maktub?

Maktub is ransomware distributed via zipped Word documents. Once the file is extracted and opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. Maktub ransomware adds a .NORV, .gyul (or other random) extension to each file encrypted, thus, making it straightforward to determine which files are encrypted. After encryption, Maktub opens a window containing a message stating that the files are encrypted and that user must pay a ransom to decrypt them. It is also stated that the ransom must be paid within the given time frame, otherwise encryption will become impossible.

The message states that the victim must pay the ransom within 12 hours. Be aware that the algorithm used to encrypt the files generates two keys - public and private. The private key is stored on remote servers controlled by cyber criminals. Therefore, if the ransom is not paid within the given time frame, the key will supposedly be deleted. It is impossible to decrypt the files without this key. The displayed window also contains step-by-step payment instructions. To pay, users must download the Tor browser, go to Maktub's website, and follow the further instructions. Note that Maktub developers allow victims to decrypt a number of files free of charge as an 'insurance'. Currently, the size of ransom is unknown, however, ransomware-type malware often makes demands for 0.5 - 1.5 Bitcoin ($204.55 - $613.65). Unfortunately, at time of research, there were no tools capable of decrypting files affected by Maktub. Therefore, the only and best solution to this problem, is to restore your system from a backup.

Screenshot of a message encouraging users to contact the developers of Maktub ransomware to decrypt their compromised data:

Maktub decrypt instructions

Maktub is simply another ransomware program and, therefore, shares many similarities with Teslacrypt, Locky, CryptoWall, Surprise, Vault, and many other viruses. All are designed to stealthily infiltrate the system and encrypt stored files. The main differences between these viruses are the size of ransoms demanded and types of algorithms used to encrypt the files. It is highly probable that your files will remain encrypted even if you pay the ransom. Paying is equivalent to sending your money directly to cyber criminals - you merely support their malicious business. For this reason, you should never attempt to contact cyber criminals or pay their ransoms. Ransomware is often distributed via P2P networks (for example, Torrents), malicious email attachments, fake software updates, and trojans and, therefore, you should be cautious when downloading files from untrusted sources and opening attachments sent from unrecognized emails. In addition, all installed applications should be kept up-to-date and using a legitimate anti-virus, or anti-spyware suite is paramount.

Threat Summary:
Name Maktub virus
Threat Type Ransomware, Crypto Virus, Files locker
Encrypted Files Extension Random string.
Ransom Demanding Message Pop-up windows, HTML files, websites in TOR network.
Detection Names Avast (Win32:Filecoder-AD [Trj]), BitDefender (Trojan.Agent.CCGV), ESET-NOD32 (Win32/Filecoder.MaktubLocker.B), Kaspersky (Trojan-Downloader.Win32.Cabby.zipxi), Full List Of Detections (VirusTotal)
Symptoms Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files.
Distribution methods Infected email attachments (macros), torrent websites, malicious ads.
Damage All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.
Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Malwarebytes.
▼ Download Malwarebytes
To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.

Text presented by the Maktub demanding a ransom within a pop-up window:


Your personal files are encrypted!

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the key. The server will eliminate the key after a time period specified in this window.

Open hxxp://
or hxxp://
or hxxp://
in your browser. They are public gates to the secret server.

If you have problems with gates, use direct connection:
1) Download TOR Browser from hxxp://
2) In the Tor Browser open the hxxp://

(Note that this server is available via Tor Browser only. Retry in hour if site is not reachable).

Write in the following public key in the input form on server:

Appearance of Maktub ransomware's pop-up window (GIF):

Pop-up window opened by Maktub ransomware

Appearance of Maktub ransomware's HTML file (GIF):

Appearance of an HTML file created by Maktub ransomware

Screenshot of a MS Word document opened once the malicious executable is opened:

Microsoft Word document opened by Maktub ransomware

Text presented within this file:

Ausstehende Zahlung
Beschreibung    Menge    Preis    Betrag
MwSt. 19%:

Maktub ransomware website homepage ('Hello'):

Maktub welcome page

Text presented within this page:


We're very sorry that all of your personal files have been encrypted. But three are good news - they aren't gone, you still have the opportunity to restore them! statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don't make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of yours files, you will need to pay a certain amount. But let'start with something else...

Maktub ransomware pricing ('How much does it cost?'):

Page presenting Maktub's ransom size

Text presented within this page:


We hope that you are convinced that we can decrypt all of yours files. Now, the most important thing! The faster you transfer the money, the cheaper file decryption will be. At every stage of payment, you get 3 days or 72 hours. You can see the countdown in the right top corner. After the clock shows 00:00:00 you go to the next stage of payment and the price automatically increases. We only accept the electronix currency Bitcoin as a form of payment. Here is sa table that shows the date of payment and the price. Your current stage is marked in yellow.

Stage Time of payment How much money should be sent

1      During the first 3 days      x BTC
2      From 3 to 6 days           x BTC
3      From 6 to 9 days           3333
4      From 9 to 12 days         102043 bytes
5      From 12 to 15 days        102043 bytes
6      More than 15 days         102043 bytes

After 15 days of no payment, we do not quarantee that we saved the key. This site can be disconnected at any moment and you will lose your data forever. Please take this seriously.

Maktub payment instructions ('Where do I pay?'):

Maktub's 'where to pay' page

Text presented within this page:


The whole process of payment confirmation is automated! You won't have to wait while we manually check the status of the incoming payment. As soon as you send the money, it will only take a few hours for the system to automatically count them and create the program that will decode your file.

After sending your payment just refresh this site after a couple of hours.

You must transfer BTC to the following address:


Maktub ransomware allowing users to 'decrypt files for free' ('We are not lying!'):

Maktub's free decryption page

Text presented within this page:


Googling " MAKTUB LOCKER" will instantly bring up many suggestions on deleting the program from your personal computer. But not one of the third party programs will be able to do the most important thing - to decrypt your files! In order to do this, you need to have the private master-key that only we have. And only we can restore all of your files. And to show that we aren't making unfounded statements, we'll prove it. Upload any encrypted file,no larger than 200kb, and we will decrypt it, absolutely free!

File available to decrypt:2

Maktub ransomware removal:

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Malwarebytes is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Malwarebytes By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.

Quick menu:

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the Maktub virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Maktub ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Maktub ransomware files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Maktub are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Maktub, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

 To protect your computer from file encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Maktub ransomware.)

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove Maktub ransomware:

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
Maktub virus QR code
A QR code (Quick Response Code) is a machine-readable code which stores URLs and other information. This code can be read using a camera on a smartphone or a tablet. Scan this QR code to have an easy access removal guide of Maktub virus on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

Download Malwarebytes

Platform: Windows

Editors' Rating for Malwarebytes:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.