MarioLocker Ransomware

MarioLocker Ransomware is a bit different from other ransomware applications that we usually encounter. Even though this threat does encrypt various files located on an infected computer and shows a message, it does not provide instructions on how to pay a ransom and get your data decrypted. Most of such malicious applications are used for money extortion, but, under such circumstances, it is possible that the malware’s developers had something else in mind. Perhaps, they created it to ruin someone’s files individually or, maybe, the threat is still in development, and its later versions might start showing a message asking to pay a ransom and explaining how to do so. We discuss more this malware further in this article, and if you are interested in it, we encourage you to keep reading. Also, we provide removal instructions that show how to erase MarioLocker Ransomware manually at the end of this page.

Since we do not know if MarioLocker Ransomware was created to encrypt a particular user’s data or if it is still in the development stage, we cannot tell much about its distribution. If it was used to attack a specific computer, it might no longer be spread. However, if what we encountered is just a test version, it is possible that its creators might start distributing it as soon as they finish developing it. Such malicious applications are often spread via spam emails, unreliable file-sharing sites, or exploits. Thus, we highly recommend being cautious with all files received or downloaded from the Internet. If you have doubts or even if a file does not seem to be suspicious, but comes from an untrustworthy source, you should scan it with a reliable antimalware tool first. Also, it would be smart to make sure that your device has no weaknesses that could be exploited, for example, outdated or unpatched software, weak passwords, or unsecured RDP (Remote Desktop Protocol) connections.

According to our researchers, MarioLocker Ransomware does not need to create copies or its launcher or any other data to settle in. Meaning, it runs right from the directory where its installer was downloaded and opened. Since it could be any recently obtained file, the malware might run from the Desktop, Downloads, or Temporary Files directories. It looks like the threat can encrypt lots of different file types, which means it may make a lot of a user’s files unreadable. During this process, the malicious application should create numbered a list (YourFiles.txt) of all targeted files. Also, each encrypted file should receive the .wasted extension with a number ascribed to it in the malware’s list. For example, if you have a picture called architecture.jpg and it is the first file mentioned in the threat’s list (YourFiles.txt), such a file should be renamed to architecture.jpg.wasted1 after it gets encrypted. The second file should receive the .wasted2 extension and so on.

Unfortunately, removing the extensions added by MarioLocker Ransomware will not change anything as the only way to restore files is to use special decryption tools. Usually, hackers are the only ones who have such tools, although in some cases, cybersecurity specialists manage to create them too. In most cases, cybercriminals demand their victims to pay a ransom and offer decryption tools in return. What it is essential to know if you ever end up in such a situation is that there is always a chance that hackers might trick you. In other words, you should not trust them even if they promise that they will help you.

As said earlier, the message (@Readme.txt) that our encountered version of MarioLocker Ransomware leaves on an infected device does not look like a ransom note. That is because it only explains how to find the document containing a list of encrypted files, but does not explain what a user would have to do to get them decrypted. Thus, the only thing left after receiving such a malicious application might be deleting it. The instructions located below show how to remove MarioLocker Ransomware manually, but if you find the task a bit challenging, keep in mind that you can eliminate it with a reliable antimalware tool too. The moment your computer is cleaned and becomes malware-free, it ought to be safe to transfer backup copies, which you could keep on cloud storage or removable media devices, to replace encrypted data.

Eliminate MarioLocker Ransomware

1. Click Ctrl+Alt+Delete.
2. Choose Task Manager and select Processes.
3. Find a process belonging to the threat.
4. Mark it and click End Task.
5. Exit Task Manager.
6. Click Win+E.
7. Find these paths:
   %TEMP%
   %USERPROFILE%\Downloads
   %USERPROFILE%\Desktop
8. Find the malicious application’s launcher (suspicious file downloaded before your computer became infected).
9. Right-click it and select Delete.
10. Locate the malware’s documents (@Readme.txt and YourFiles.txt), right-click them, and press Delete.
11. Exit File Explorer.
12. Empty Recycle Bin.
13. Restart the computer.