Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

MVP Ransomware

MVP Ransomware is an infection that you might encounter if you speak Russian. That means that your operating system’s language, your keyboard, and, probably, your geographical location must fit certain conditions. The infection could be silently spread via unsecure RDP channels, and smart spam emails could be used to trick you into executing it yourself. The emails should be presented in Russian too, and the misleading messages should be followed by malicious attachments or links that hide the launcher. Regardless of how the infection enters your operating system, it can be extremely damaging. The first task for the infection is to encrypt your personal files. Next, it has to deliver a message with very specific instructions and demands. After this, the ball is in the victim’s court. If you are considering taking the demands seriously, we have to warn you that you are unlikely to achieve anything. Instead of focusing on the decryption of files, you might need to focus on the removal of MVP Ransomware.

As soon as our research team started inspecting MVP Ransomware, it became clear that this infection belongs to the Scarab Ransomware family. There are quite a few infections that come from it, including Scarab-Good Ransomware, Scarab-Glutton Ransomware, and Scarab-Deep Ransomware. In most cases, the name “Scarab” is included, but that is not a given. Not all of these threats are specifically targeted at Russian-speaking users either. Our researchers also found a version of Scarab-Bomber Ransomware that had this specific target. After successful execution, MVP Ransomware encrypts files, and, during the process, it also renames them (the names become jumbles of random characters) and adds the “.mvp” extension. After this, a file named “Как расшифровать файлы.TXT” is created. The original file might be placed along with the launcher, but it was found that copies are created in every folder that contains encrypted files. Even though these files are not malicious per se, we recommend deleting them once you read the message inside them. This is the easiest part of the removal process; however, eliminating the launcher of the malicious infection might be pretty straightforward too. We discuss that further in the report.

The message that the attacker behind MVP Ransomware created and delivered via the TXT file informs straight away that files were encrypted, and so it becomes clear right away that malware is involved. The message suggests that 24 personal files can be deleted every 24 hours until files are decrypted. It also suggests that the cost of decryption can be increased by 30% every 24 hours until the 72-hour mark is reached. This is how you are informed that you would need to pay for some kind of decryptor, but there is no other information regarding the payment. You are simply asked to email a special ID in the message to thermal@cock.li, and once a few of your chosen files are decrypted for free, you would then need to pay. While we do not know exactly how much you would be asked to pay, we do not recommend paying even if it is just 1 ruble. Cyber criminals do not care about you, and their promises to decrypt files are most likely to be fictitious. All they want is money, and they can promise you great things just to get it. Of course, it is your files that have been compromised, and you are the one making decisions.

Deleting MVP Ransomware ransom notes is easy. Deleting the launcher might be too, but only if you know where to find it. So, where is it? The name could be random, or it could be misleading. Its location could be very random too. Basically, if you do not know the exact location, you might be unable to remove MVP Ransomware manually, but that is okay. You always have the option to install an anti-malware program that can erase the threat automatically. Should you invest in a tool just to have it clean your system? You should, but that is not all. It can also help you ensure reliable protection against malware in the future. If your system remains unguarded, other threats – including file-encrypting ransomware – could invade it, and you do not want that, do you? If your files were encrypted successfully, but backups do not exist, we do not have a solution for you. If backups exist, you still have your files, and you can transfer them onto the computer to replace the corrupted copies after you remove the ransomware.

MVP Ransomware Removal

  1. Delete all copies of the file called Как расшифровать файлы.TXT.
  2. Find and Delete the [unknown name].exe file that launched the infection.
  3. Tap Win+E keys to access Explorer and then enter %APPDATA% into the field at the top.
  4. Right-click and Delete the file named systems.exe.
  5. Tap Win+R keys to access RUN and then enter regedit.exe to launch Registry Editor.
  6. Move to HKEY_CURRENT_USER\Software\.
  7. Right-click and Delete the [random name] key that is linked to the ransomware.
  8. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
  9. Right-click and Delete the [random name] value that is linked to the systems.exe file.
  10. Empty Recycle Bin and then quickly perform a full system scan using a legitimate malware scanner.
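
Before deleting anything by hand, the indicators named in the steps above can be inventoried with a read-only check. The PowerShell script below is an added example, not part of the original guide; the search root and the SHA-256 hashing are assumptions, and it cannot identify the launcher or the HKEY_CURRENT_USER\Software key, whose names are random.

```powershell
# Added example: read-only triage for the indicators in the removal steps above.
# Save as UTF-8 with BOM so Windows PowerShell 5.1 reads the Cyrillic file name correctly.
param(
    [string]$SearchRoot = $env:USERPROFILE   # assumption: search the user profile
)

$noteName   = 'Как расшифровать файлы.TXT'    # ransom note name given on the page
$dropName   = 'systems.exe'                    # file in %APPDATA% named in step 4
$runOnceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

# One pass over the tree; unreadable folders are skipped rather than aborting the scan.
$files     = Get-ChildItem -LiteralPath $SearchRoot -Recurse -File -Force -ErrorAction SilentlyContinue
$notes     = @($files | Where-Object { $_.Name -eq $noteName })
$encrypted = @($files | Where-Object { $_.Extension -eq '.mvp' })

# Hash the file in %APPDATA%, if present, so it can be reported or looked up before deletion.
$dropPath = Join-Path $env:APPDATA $dropName
$dropHash = $null
if (Test-Path -LiteralPath $dropPath -PathType Leaf) {
    $dropHash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
}

# RunOnce values whose command line mentions systems.exe (step 9).
$runOnce = @()
$key = Get-Item -LiteralPath $runOnceKey -ErrorAction SilentlyContinue
if ($key) {
    $runOnce = @(foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        if ($command -like "*$dropName*") {
            [pscustomobject]@{ ValueName = $name; Command = $command }
        }
    })
}

# Summary first, then the details needed for the manual steps.
[pscustomobject]@{
    SearchRoot     = $SearchRoot
    RansomNotes    = $notes.Count
    EncryptedFiles = $encrypted.Count
    AppDataFile    = if ($dropHash) { "$dropPath (SHA256 $dropHash)" } else { 'not found' }
    RunOnceEntries = $runOnce.Count
} | Format-List

$notes   | Select-Object -ExpandProperty FullName   # every ransom note copy (step 1)
$runOnce | Format-Table -AutoSize -Wrap             # values to delete in step 9
```

Run it from the affected user's session, since both %APPDATA% and HKEY_CURRENT_USER are per-user locations.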