What is MADA ransomware? And how does it implement its attack?
MADA ransomware is a crypto-malware designed to encrypt files. It is another variant of the notorious Jigsaw ransomware which keeps on spawning variants every now and then. MADA ransomware, according to researchers, is quite identical to Monument ransomware and Payms ransomware. And once it is able to get a hold of the targeted system, it will start to scan the system looking for files to encrypt. Based on the analysis done on this Jigsaw variant, it is found to be targeting files with these extensions:
.1c, .3fr, .accdb, .mp3, .mrw, .nef, .ai, .arw, .cdr, .cer, .cfg, .config, .cr2, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .dwg, .dxf, .dxg, .eps, .erf, .gif, .mp4, .iso, .jpe, .jpeg, .jpg, .bac, .mk, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .kdc, .mef, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .lnk, .mdb, .mdf, .pfx, .php, .pptx, .htm, .psd, .pst, .ptx, .r3d, .rar, .html, .indd, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .docx, .srw, .tif, .wb2, .png, .ppt, .pptm, .wma, .wpd, .wps, .x3f, .crt, .crw, .css, .xlk, .xls, .bay, .bmp, .xlsb, .xlsm, .xlsx, .zip
MADA ransomware uses the AES encryption cipher in encrypting files and appends the .LOCKED_BY_pablukl0cker extension on the encrypted files. For instance, a file named image101.jpg will become image101.jpg.LOCKED_BY_pablukl0cker. Once the encryption is completed, it opens a program window containing the following text:
“OOPS! YOUR FILES ARE CRYPTED BY MADA RANSOMWARE!!!
Your documents, photos, videos etc.
And after 72 hours, all your files will be removed permanently !!!
But there is nothing to worry about it will only happen when you fly in a fuck
Every hour I delete one randomly selected file and delete it permanently!!!
I can not recover such a file anymore, even after making the payment!!!
You will lose only a few files for the first 24 hours.
but the next day a few hundred, the third day, a few thousand, etc …
If you turn off your computer or try to shut me down, I will fire again.
I automatically remove 1000 files permanently for trying to recommend me in a fuck!!!
Remember that even the best anti-virus is unable to recover encrypted files!
If you have any questions, please contact us via e-mail [email protected]!!!
Payment for decrypting files is only possible in BITCOIN!!!
If you do not know how to buy bitcoins, visit www[.]4coin[.]pl!!!”
How does MADA ransomware proliferate?
MADA ransomware infiltrates a system using spam emails. Meaning to say, it takes advantage of social engineering to proliferate its malicious payload. Its malicious payload may be disguised as a document with macro scripts used to connect to its remote server to download and install MADA ransomware into the system.
Carefully follow the instructions laid out below to obliterate MADA ransomware and its malicious processes from your computer.
Step 1: Open the Task Manager simply by tapping the Ctrl + Shift + Esc keys on your keyboard.
Step 2: Under the Task Manager, go to the Processes tab and look for any suspicious-looking process which takes up most of your CPU’s resources like firefox.exe and is most likely related to MADA ransomware.
Step 3: After that, close the Task Manager.
Step 4: Tap the Win + E keys to launch File Explorer.
Step 5: Next, navigate to the following locations below and look for the malicious components of MADA ransomware such as GoogleChromeUpdate as well as other suspicious files and then delete all of them.
- C: \Users\<your username>\AppData\Roaming
- %APPDATA%
- %APPDATA%\System32Work\ Address.txt
- %APPDATA%\System32Work\ dr
- %APPDATA%\System32Work\ EncryptedFileList.txt
- %LOCALAPPDATA%
- %UserProfile%\Local Settings\Application Data
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
- %TEMP%
Step 6: Close File Explorer.
Step 7: Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 8: Under the list of installed programs, look for MADA ransomware or anything similar and then uninstall it.
Step 9: After that, Close Control Panel.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step9. Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 10: Navigate to the following path:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE
- HKCU\SOFTWARE\WOW6432Node
Step 11: Delete the registry keys and sub-keys created by MADA ransomware.
Step 12: Close the Registry Editor and empty your Recycle Bin.
It is important to make sure that nothing is left behind and that MADA ransomware is completely removed use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. The installation will start automatically once a download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.