How to remove MRDC ransomware and restore files

Take a trial with free scanner to check if your system is infected by MRDC ransomware

For more information, read SpyHunter’s EULA, Threat Assessment Criteria, and Privacy Policy. The scanner you download here is free version and is able to scan your system for possible threat’s presence. however, it requires a 48 hour period to remove detected threats without any charge. if you want not to wait for that period, you will have to purchase its licensed version.

Easy tips to delete MRDC ransomware and decrypt data

MRDC ransomware is a ransomware-type infection that prevents victims from accessing their files by encrypting them and then creates ransom demanding message to ask ransom demanding message for the alleged decryption. Also, it renames the encrypted files by replacing them with [[email protected]].[random_string].MRDC”.

For example, it renames a file “1.jpg” to “[[email protected]].g2tFia1T-eQErQuE4.MRDC”, “2.jpg” to “[[email protected]].h3yLop2R-fKFdCnI5.MRDC”, and so on. MRDC belongs to the infamous MATRIX ransomware family.

As mentioned in the MRDC’s ransom note, the files are encrypted with AES-256 and RSA-2048 cryptographic algorithms. The unique decryption tool as a result of the files encryption process is stored on some remote server.

The victims are asked to contact the crooks behind the infection via the provided email addresses or through Tox Chat messaging client to get the decryption tool from them.

They are provided with only 72 hours or otherwise, their files will be published on the darknet and sold to interested parties. It is likely that the crooks put ransom demands and provide the details related to this once being contacted.

The victims are offered to send up to five encrypted files before paying for the decryption tool. To prove that the attackers have the unique decryption tool, they offer the decryption of those files for free.  Additionally, they warn not to try to decrypt the files by themselves as the attackers will not be able to help them in decrypting them after that.

Here is the full text presented in MRDC ransomware’s ransom note:

Аll yоur vаluаblе dаtа hаs bееn еnсryptеd!

Hеllо!

Sоrry, but wе hаvе tо infоrm yоu thаt duе tо sесurity issuеs, yоur sеrvеr wаs hасkеd. Plеаsе bе surе thаt yоur dаtа is nоt brоkеn. All yоur vаluаblе filеs wеrе еnсryptеd with strоng сryptо аlgоrithms AES-256+RSA-2048 аnd rеnаmеd. Yоu саn rеаd аbоut thеsе аlgоrithms in Gооglе. Yоur uniquе dесryptiоn kеy is sесurеly stоrеd оn оur sеrvеr аnd yоur dаtа саn bе dесryptеd fаst аnd sаfеly.

Wе саn prоvе thаt wе саn dесrypt аll yоur dаtа. Plеаsе just sеnd us 3-5 smаll еnсryptеd filеs whiсh аrе rаndоmly stоrеd оn yоur sеrvеr. Wе will dесrypt thеsе filеs аnd sеnd thеm tо yоu аs prооf. Plеаsе nоtе thаt filеs fоr frее tеst dесryptiоn shоuld nоt соntаin vаluаblе infоrmаtiоn.

As yоu knоw infоrmаtiоn is thе mоst vаluаblе rеsоurсе in thе wоrld. Thаt’s why аll yоur соnfidеntiаl dаtа wаs uplоаdеd tо оur sеrvеrs. If yоu nееd prооf, just writе us аnd wе will shоw yоu thаt wе hаvе yоur filеs. If yоu will nоt stаrt а diаlоguе with us in 72 hоurs wе will bе fоrсеd tо publish yоur filеs in thе Dаrknеt. Yоur сustоmеrs аnd pаrtnеrs will bе infоrmеd аbоut thе dаtа lеаk by еmаil оr phоnе. This wаy, yоur rеputаtiоn will bе ruinеd. If yоu will nоt rеасt, wе will bе fоrсеd tо sеll thе mоst impоrtаnt infоrmаtiоn suсh аs dаtаbаsеs tо intеrеstеd pаrtiеs tо gеnеrаtе sоmе prоfit.

Plеаsе undеrstаnd thаt wе аrе just dоing оur jоb. Wе dоn’t wаnt tо hаrm yоur соmpаny. Think оf this inсidеnt аs аn оppоrtunity tо imprоvе yоur sесurity. Wе аrе оpеnеd fоr diаlоguе аnd rеаdy tо hеlp yоu. Wе аrе prоfеssiоnаls, plеаsе dоn’t try tо fооl us.

If yоu wаnt tо rеsоlvе this situаtiоn, plеаsе writе tо ALL оf thеsе 3 еmаil аdrеssеs:

[email protected]

[email protected]

[email protected]

In subjеct linе please writе уоur ID: –

Impоrtаnt! Аlsо уоu cаn usе sеcurеd LIVE TОX CHАT for fast nеgоtiаtiоn with us:

  1. Cоpу tо thе сlipbоаrd оur Tоx Chаt ID:

empty

  1. Оpеn yоur brоwsеr аnd fоllоw thе link: hxxps://tox.chat/download.html
  2. Dоwnlоаd uTоx Chаt Cliеnt bу clicking the buttоn:
  3. Еxесutе uTоx Chаt Cliеnt еxесutаblе filе:
  4. Pаstе оur Tоx Chаt ID in thе fiеld and prеss enter:
  5. Write us what you think necessary!

Important!

* Wе аsking tо sеnd уоur mеssаgе tо АLL оf оur 3 еmаil аdrеssеs bесаusе fоr vаriоus rеаsоns, уоur еmаil mау nоt bе dеlivеrеd.

* Оur mеssаgе mау bе rесоgnizеd аs spаm, sо bе surе tо сhесk thе spаm fоldеr.

* If wе dо nоt rеspоnd tо уоu within 24 hоurs, writе tо us frоm аnоthеr еmаil аddrеss. Usе Gmаil, уаhоо, Hоtmаil, оr аnу оthеr wеll-knоwn еmаil sеrviсе.

Important!

* Plеаsе dоn’t wаstе thе timе, it will rеsult оnlу аdditinаl dаmаgе tо уоur соmpаnу!

* Plеаsе dо nоt try tо dеcrypt thе filеs yоursеlf. Wе will nоt bе аble tо hеlp yоu if filеs will bе mоdifiеd.

 Usually, it is not possible to regain access to the files without using the right decryption tool and the crooks behind MRDC ransomware are the only people who have the right decryption tool. The problem is that paying the attackers a ransom does not provide any fruitful result as these people never provide the decryption tool.

Therefore, it is not recommended to contact/ pay to the crooks. It is possible to recover the files without contacting those evil people as there are several alternatives you have. Existing backups are the one of the most important data recovery option in such a case.

If you have one such backup, you will have nothing to look back. Simply remove MRDC ransomware from system and then use the backup you have to restore the files. The problem arises when there is no backup file you have for your crucial data. This is the reason why experts always recommend always have a backup of all crucial files.

 In case, you have no existing backups, once check if Shadow Copies exist. These are automatically created backups from Windows OS. Sometimes, in ransomware infection cases, the Shadow copies are left untouched during the entire process of system attack and files encryption.

Below the post, in the data recovery section, you will find complete guide how to recover files using Shadow Copies. Another data recovery option is to use third party data recovery tools. You will find a suggestion of one such tools just below. There, you will also find recommendation to use automatic tool to remove MRDC ransomware.

How did MRDC ransomware enter my system?

Ransomware and other malicious malware are often delivered through spam emails. The recipients infect systems through received malicious attachments or websites links in them. Crooks behind them often trick people into opening malicious Microsoft Office and PDF documents, executables, archives, and JavaScript files.

Another way to distribute malware is through fake software updaters that are designed as tools that supposedly update or fix installed software. Those tools install certain malware in regular way or infect systems by exploiting bugs/ flaws of outdated software that users have installed on them.

Trojans are malicious malware that can be used to distribute malware too. These malware are especially designed to cause additional malware installation. Files downloaded through third-party downloaders, free file hosting or freeware download pages, p2p networks or other souces of this kind can be malicious as well.

Users may install malware by downloading and executing those files. Usually, crooks disguise them as regular, harmless. One more way to trick people into infecting their systems is through cracking tools. These tools cause system infection by supposedly bypassing activation keys of paid software.

How to prevent ransomware infection?

Installed software should have to be activated using tools or implemented functions from its developers. Same applies to the software that needs to be updated. Most of the other tools are malicious. Also, it is not legal to use unofficial tools to activate legit software.

Attachments and website links on any irrelevant emails received from unknown, suspicious addresses should never be opened. It is very common that emails of this kind are used by cooks who aim to trick people into infecting their systems with malware.

Programs and files should always be downloaded from official websites and through direct links. It is not recommended to use other sources aforementioned in the previous section. Also, it is recommended to scan your system using some reputable antivirus for threats on regular basis.

To restore encrypted files on your machine, you can take a trial with a suggested data recovery tool to check if it can help achieving your files back.

[Tips & Tricks]

  • How to remove MRDC ransomware and related components?
  • How to recover files encrypted by ransomware?

One thing is clear now that ransomware virus like MRDC ransomware is capable encrypting all types of files stored in your machine and makes them inaccessible. After complete encryption process, it attempt to generate monetary profit by offering bogus data recovery service. It is not good to pay demanded extortion money to cybercriminals for data recovery. You don’t waste your money and time on their fake service related to file recovery. We recommended you to avoid their bogus service and stop paying any amount of extortion money to them. Before you execute the various steps as solution, you have to take certain steps like backup the files, make sure this instruction page always open so that you can easily execute the steps as mentioned below and be patient with each step.

Procedure 1: Remove MRDC ransomware from System manually

Procedure 2: Remove MRDC ransomware and all the related components from computer automatically

Procedure 3: How to restore files encrypted by MRDC ransomware

It is possible to delete MRDC ransomware related components from computer with our easy solution. To do this, you have two methods of ransomware removal i.e., manual and automatic method. When we talk about manual method, the process includes various removal steps and requires technical expertise. Manual method of malware removal is time consuming process and if any mistake done in implementation of steps, resultant in several other damages in your computer. So, you should follow manual process carefully and if not possible you to complete the process, then you can go for automatic solution. Once the ransomware removed using these methods, you can go for third procedure i.e., data recovery procedure.

Procedure 1: Remove MRDC ransomware from System manually

Method 1: Restart the PC in Safe Mode

Method 2: Remove MRDC ransomware related process from Task Manager

Method 3: Delete MRDC ransomware malicious registries

Method 1: Restart the PC in Safe Mode

Step 1: Press “Windows + R” key from keyboard to open “Run” Window

Step 2: In the “Run” Window, you need to type “msconfig” and then press “Enter” key

Step 3: Now, select “Boot” tab and “Safe Boot

Step 4: Click on “Apply” and “OK

Method 2: Remove MRDC ransomware related process from Task Manager

Step 1: Press “CTRL + ESC + SHIFT” altogether to open “Task Manager

Step 2: In the “Task Manager” Window, locate “Details” tab and search for all the malicious process related to MRDC ransomware.

Step 3: Right click on it and end the process

Method 3: Delete MRDC ransomware malicious registries

Step 1: Press “Windows + R” key from keyboard to open “Run” dialog box

Step 2: Type “regedit” command in text box and press “enter” key

Step 3: Now, press “CTRL + F” keys and type MRDC ransomware or the file name of malicious executable associated with malware. Usually, such suspicious files are located in “%AppData%, %Temp%, %Local%, %Roaming%, %SystemDrive% and so on.

Step 4: You should check the malicious files data by right click on the value. Detect all such suspicious registry objects in “Run” or “RunOnce” sub keys and delete them.

Procedure 2: Remove MRDC ransomware and all the related components from computer automatically

We have already discussed about manual method of MRDC ransomware removal using several methods. You can choose any methods as per your technical skills and PC requirements. If you are non-technical users, then it can be difficult to implements these steps completely so you can go for automatic solution. To remove MRDC ransomware and all the related components, you can use automatic method of malware removal. You should have powerful tool that has the ability to remove all components related to MRDC ransomware, unwanted registry entries and others.

Here, we are discussing about “SpyHunter” antivirus software that is designed to detect and delete all types of malware including Adware, potentially unwanted program (PUP), rootkits, browser hijacker, Trojan horse virus, backdoor, ransomware and others. “SpyHunter” security application is powerful anti-malware software that works on advance scanning mechanism to identify viruses quickly. It is inbuilt with enhanced multi-layer process that helps you search for all types of malware. If you searching for solution to remove MRDC ransomware and other related viruses during scanning process, then it is recommended to remove it soon.

How to download/ install and use “SpyHunter” security software?

Step 1: At first, you need to click on “Download” button to go to “SpyHunter” page

Take a trial with free scanner to check if your system is infected by MRDC ransomware

For more information, read SpyHunter’s EULA, Threat Assessment Criteria, and Privacy Policy. The scanner you download here is free version and is able to scan your system for possible threat’s presence. however, it requires a 48 hour period to remove detected threats without any charge. if you want not to wait for that period, you will have to purchase its licensed version.

Step 2: After downloading, double click on “Installer” file to install this program on your System

Step 3: After complete installation process, open SpyHunter application and click on “Start Scan Now” button to start scanning process. For the first time, you should select “Full Scan” option

Step 4: Now, click on “View Scan Results” to see the list of detected threats or infections

Step 5: Click on “Next” button to register the software and remove permanently if you find MRDC ransomware and related infections.

Procedure 3: How to restore files encrypted by MRDC ransomware

Method 1: Recovery of files encrypted by MRDC ransomware using “Shadow Explorer”

Method 2: Recovery of files encrypted by MRDC ransomware using powerful data recovery software

Method 1: Recovery of files encrypted by MRDC ransomware using “Shadow Explorer”

Shadow Volume Copies” are temporary backup files created by the OS for short span of time for all files and data that has been deleted or damaged recently. If there is “File history” enabled in PC, then you can use “Shadow Explorer” to retrieve the data. When we talk about advanced Ransowmare virus, it deletes the “Shadow Volume Copies” as well as prevents you from recovering the files and data with help of administrative commands.

Step 1: At first, you need to click on link given below to download “Shadow Explorer” on your computer

https://www.shadowexplorer.com/uploads/ShadowExplorer-0.9-portable.zip

Step 2: Browse the location where the files has been downloaded.

Step 3: Double click on the ZIP files to extract the folder

Step 4: Click to open “ShadowExplorerPortable” folder and double click on the file.

Step 5: In order to select the time and data as per your requirement, a drop down menu appears on the screen. Select the files that you want to restore and click on “Export” button.

Method 2: Recovery of files encrypted by MRDC ransomware using powerful data recovery software

You should make sure that your System is free from ransomware attack and all the files associated with MRDC ransomware have been removed successfully. Once done, you should to go for data recovery solution. After complete ransomware related files removed, you can use “Stellar Phoenix Data Recovery Software” to retrieve the files. To restore encrypted files, you can follow the steps given below.

How to download/install and use “Stellar Phoenix Data Recovery Software”?

Step 1: At first, you need to click on download button to download Stellar Phoenix Data Recovery Software in your computer

To restore encrypted files on your machine, you can take a trial with a suggested data recovery tool to check if it can help achieving your files back.

Step 2: Once downloaded, double click on “installer file” to install

Step 3: Now, click on “I accept the agreement” in “License Agreement page” and click on “Next”

Step 4: After complete installation process, run the application.

Step 5: On the new interface, select the file types that you want to retrieve and then select “Next” button

Step 6: Now, select the “Drive” where you want the software to do scanning. Click on the “Scan” button

Step 7: Wait for the complete the process. It may take some times to complete process depending on the size of selected drives. After complete scanning process, you would notice a file explorer with the preview of data that can be recovered. You have to choose the files that you want to restore.

Step 8: Finally, choose the location where you want to save the restored files.

Prevention tips to protect your System from MRDC ransomware related attacks in future

  • You should have strong backup of all files and data stored in your computer because some ransomware is designed to look for network shares and encrypt all files stored in your machine. You would do well to store data backups on secure cloud server with high-level encryption and multiple-factor authentication.
  • Ransomware type virus often relies on exploit kits to gain illicit access to a System or network. If you run outdated or obsolete software on your computer, then you are in risk of ransomware because the software developers are not putting out security updates anymore. To remove abandonware and replace it with software still being supported by manufacturer.
  • The cybercriminals behind ransomware attack are using former banking Trojan as delivery vehicle for ransomware. It relies on malspam to infect your System and get foothold on your network. Once it gain access to your network, it shows worm like behaviour spreading from System to System using list of common passwords.
  • You should be alert while surfing online and avoid installing freeware from unknown sources, stop opening attachments coming from unknown emails and click on ads or popup messages after double reading.
  • Don’t pay extortion money in case of attack. We recommended you to stop paying ransom and FBI agrees. Cybercriminals don’t have scruples and there is no guarantee you will get files back. By paying extortion money, you are showing cybercriminals that ransomware attack work.