Review
A virus which was initially detected in the beginning of 2017, known as Merry Christmas has come up with it’s latest version, using the .MERRY file extension. The ransomware aims to encrypt the files on the infected computers and then ask users to read the “MERRY_I_LOVE_YOU_BRUCE.HTA” which It drops after encryption. In the file, there are instructions on how to pay the ransom fee and restore the encrypted files this way. But, do not be worried, because this ransomware type of infection is now decryptable. If you want to remove Merry X-mas ransomware and decrypt your files for free, we recommend to read our article about it.
What Does Merry Christmas .MERRY File Virus Do?
After it has already caused an infection, the ransomware virus adds it’s own ransom note and changes the wallpaper of the infected computer to the following “evil Santa” image.
The note which the virus leaves is called MERRY_I_LOVE_YOU_BRUCE.HTA and it has the following content:
ALL COMPUTER DATA ENCRYPTED
TIME AFTER ALL FILES WILL BE DELETED
YOUR ID
NOW YOU NEED TO PAY TO RECOVER YOUR DATA
AFTER MONEY TRANSFER YOU WILL RECIEVE THE DECRYPTOR
CONTACTS
TELEGRAM @comodosecunty
EMAIL comodosec@yandex.com
Any attempts to return your files with the third-party tools can be fatal for your encrypted files! The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files! There are several plain steps to restore your files but if you do not follow them we will not be able to help you!
But this is not where the terror of this ransomware infection end. The malware is also capable of performing several other activities such as deleting the shadow copies by inserting variants of the following command:
vssadmin delete shadows /for={volume} /shadow={id} /quiet
In addition to this, after infection, the malware also cuts out any internet connection, because it deletes drivers of your local network. This type of danger is new and completely different from what has been met before. Luckily, the virus is decryptable.
How Did I Get Infected with This Virus
To get infected with this ransomware virus, one does not need much. All it takes is to open a malicious e-mail and to not have any anti-malware protection installed. Usually the .MERRY ransomware virus may come standard with the infection method – as a malicious e-mail attachment which may pretend to be a document or another type of file. Most inexperienced users are misled that this is an actual e-mail from legitimate services, like PayPal, e-Bay and other companies and open the attachment.
From there, the infection sets off. The .MERRY ransomware creates mutexes, “touches” files and modifies(deletes) or adds new registry values that make it’s executable to encrypt files on system startup, for example.
The virus may also connect to a remove C2 server and download the payload of .MERRY ransomware after which place it in crucial Windows directories, such as:
- %AppData%
- %Roaming%
- %Local%
- %LocalRow%
How To Remove .Merry Extension Virus and Decrypt The Files
In order to remove this ransomware virus, we strongly urge you to follow our removal instructions below. For maximum effectiveness and automatic and fill removal, experts recommend using an anti-malware software. Furthermore, after having removed the .Merry file extension ransomware, you may want to focus on decrypting your files, web link for which you can find in the red box below.
Booting in Safe Mode
For Windows:
1) Hold Windows Key and R
2) A run Window will appear, in it type “msconfig” and hit Enter
3) After the Window appears go to the Boot tab and select Safe Boot
Cut out .Merry Ransomware in Task Manager
1) Press CTRL+ESC+SHIFT at the same time.
2) Locate the “Processes” tab.
3) Locate the malicious process of .Merry Ransomware, and end it’s task by right-clicking on it and clicking on “End Process”
Eliminate .Merry Ransomware‘s Malicious Registries
For most Windows variants:
1) Hold Windows Button and R.
2) In the “Run” box type “Regedit” and hit “Enter”.
3) Hold CTRL+F keys and type .Merry Ransomware or the file name of the malicious executable of the virus which is usually located in %AppData%, %Temp%, %Local%, %Roaming% or %SystemDrive%.
4) After having located malicious registry objects, some of which are usually in the Run and RunOnce subkeys delete them ermanently and restart your computer. Here is how to find and delete keys for different versions.
For Windows 7: Open the Start Menu and in the search type and type regedit –> Open it. –> Hold CTRL + F buttons –> Type .Merry Ransomware Virus in the search field.
Win 8/10 users: Start Button –> Choose Run –> type regedit –> Hit Enter -> Press CTRL + F buttons. Type .Merry Ransomware in the search field.
Automatic Removal of .Merry Ransomware
Decrypt Files Encrypted by The .Merry Ransomware Ransomware.
For the decryption, please follow this web link:
https://decrypter.emsisoft.com/mrcr
