Mailrepa.lotos@aol.com Ransomware

We want to inform you about a new malicious application called Mailrepa.lotos@aol.com Ransomware. This program’s objective is to encrypt the files present on your computer and demand that you buy the decryption tool needed to decrypt them. This tool might not come cheap, and we think that it should cost 2 BTC (1,212.52 USD) or more. Whatever the case may be, you should refuse to comply with the demands of the crook behind this malicious application. We suggest that you remove it from your computer entirely, and we have prepared a guide below, so feel free to use it. However, if you want to find out more about this ransomware, then please continue reading.

From the outset, we want to make you aware of the fact that this ransomware is not the first of its kind because, in the past, we analyzed and written about ransomware such as Space_rangers@aol.com Ransomware, Melme@india.com Ransomware, and Age_empires@india.com Ransomware. Their secretive developer is continuing to release new infections and it appears that there is no end in sight. You might be wondering where this developer comes from and why he/she has not been caught yet. Some of this creator’s releases make reference to both Russian and Indian cultural realia. However, since some of the released ransomware have their ransom notes in both Russian and English languages, we think that the developer is based in Russian, but the ransomware is not limited to one region, and it appears that Mailrepa.lotos@aol.com Ransomware and its counterparts are distributed globally.

As far as this ransomware’s distribution methods are concerned, we found that it is being disseminated using email spam. It seems that the developer has set up a server that sends this ransomware’s dropper file attached to a fake email that can masquerade as a receipt or invoice. Our research suggests that the emails contain Windows Script Files that are executed using Windows Script Host. As a result, once you open the zipped file, it will drop Mailrepa.lotos@aol.com Ransomware’s main executable on your PC. Like the ransomware that came before it, this program is also set to be dropped in one of seven preset locations that include, but not limited to %WINDIR%\Syswow64 and %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup. It must be noted, however, that the main executable is usually named randomly, but we have observed that some iterations of this ransomware might have the executable named Payload.exe, Payload_c.exe or use some other similar name. Hence, identifying it might prove to be difficult.

Once on your computer, this ransomware will scan it for files to encrypt. It is set to target various formats that include, file archives, executables, images, videos, audio files, documents, and so on. Once the files have been encrypted, you will be unable to access their content. This ransomware is set to encrypt the files using the RSA-2048 key. Due to the fact that Mailrepa.lotos@aol.com Ransomware uses the RSA cryptosystem that generates a unique decryption key for each encryption key, so there is no way of decrypting the files using a third-party decryption tool.

Once the encryption is complete, this ransomware will drop two ransom notes. The first one is an image file named how to decrypt your files.jpg dropped in C:\Users\{user name} and is set as the desktop wallpaper. The other file is named Decryption instructions.txt and it is placed on the desktop. Both of these files advice you to contact the developer via the provided Mailrepa.lotos@aol.com email address to decrypt your files. However, decryption does not come cheap, so expect to be asked to pay 2 BTC (1,212.52 USD) at the very least.

Regardless of how much money you are asked to pay for the decryption tool, we suggest that you refuse to comply with the demand and delete Mailrepa.lotos@aol.com Ransomware altogether. We have a manual removal guide below, but you can also use an antimalware program, such as SpyHunter to eradicate this malicious application for you.

Manual removal guide

1. Go to the desktop and delete Decryption instructions.txt
2. Press Windows+E keys.
3. In the File Explorer’s address box, enter C:\Users\{User name}
4. Find how to decrypt your files.jpg and delete it.
5. Then, enter the following addresses to find the main executable.
   • %WINDIR%\Syswow64
   • %WINDIR%\System32
   • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
   • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
   • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
   • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
6. Identity the malicious executable and delete it.
7. Empty the Recycle Bin.

Delete the registry string

1. Press Windows+R keys.
2. Type regedit in the dialog box and hit Enter.
3. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. Find the REG_SZ string with Value data pointing to the executable’s location.
5. Delete the string.
6. Done.