Eliminating MaxiCrypt Ransomware (Crypto-Malware/Ransomware)

What is MaxiCrypt ransomware? And how does it execute its attack?

MaxiCrypt ransomware is a file-encrypting threat discovered by Michael Gillespie, a security researcher. This ransomware was first noticed on November 28, 2017 and is reported to arrive on the targeted computer as a corrupted Microsoft Word document. MaxiCrypt ransmoware is considered to be a mid-tier crypto-malware which is found to delete the shadow volume copies of the encrypted files and overwrites the original files to make it hard for its victims to recover the encrypted files.
MaxiCrypt ransomware uses AES cryptography in encrypting files and adds the [[email protected]].maxicrypt extension on each of the files it targets. It targets user-generated files like images, videos, documents, audio, and other popular file formats. It then delivers a ransom note contained in a text file named as How to restore your data.txt that reads as follows:
“MaxiCrypt
===========================================================
YOUR FILES ARE ENCRYPTED!
Your personal ID
R0g000000015ulOw9pi9tsd024hrUxOw-YrYlUVv75LhMFMaaUYQk-B6FXLHRGNHL7TCHaoOYXOYeOFk-6HIECubWOTTO+OtY8zd
HLmVkyhDtq6cHyWbzpKbVvKCGWS2ls5YlpNtstccyZLdF+pdla+9cu+yf2T6iVfBpnaBpPkgDlTyw6qTR8PCoOE1FbnP76txKmZp
nENweVRz0DdQPZRJGZ9zJWuUZ12K16PuKy7HJK19pHycLivHT2GMc1-aWNnVrHSYqKltmSiWRs4H66WwhRgVAZwuRwTJ2n1WI59+
2N1Q7EvF1jZKdTPP9YsRjw3tR7ucHAli1fjYjK53T2ny8rllEyHW9idh8dyni0Nm26EvRI8uF5TssKwBod1Dyg3-QZfoVwjlvFp7
87OSv-p60MbgRNN8XwjbolVEqySTYmwM6KS8gpgwVNRhJozxxRnUpBm6Msn7MNn2pWe5KAL014GkwgPNO82DrJzMl96uIADMY8ts
U3VgFr9jU3rqrV9lZxsidG78dhMBqgCap6+hgQqiKbwaeOcuF18sMgLtucd2ZxdpIEactJzvcr32XnWue0fMD0UgaohJtx25uE7s
RrNM9DX1w502roruwae361Tx8kE8JHeU0ocukG5Bzlf1tKhAukbWmEM11Bl0gNb82fO3fQNE66iKQpWuCysMlV2755HiAScuYB3h
VlogANB6U2toHYYCC14e1Pcu2Lvq8nbkzA38j4lEOcIr6uc8su3RjM5DU8E70N2u3w5JAEHGm4kZ+ocKe0MANK0dCjCsgHV7DPbM
G20nHajKu9ISSQN90frdQDWgQQ-sE8fGuet3t6mcBfcY8liLDPY
Your documents, photos, databases, save games and other important data was encrypted.
Data recovery the necessary decryption tool. To get the decryption tool, should send an email to:
[email protected] or
[email protected]
In a letter to include Your personal ID (see the beginning of this document).
In the proof we have decryption tool, you can send us 1 file for test decryption.
Next, you need to pay for the decryption tool.
In response letter You will receive the address of Bitcoin wallet which you need to perform the transfer of funds.
If You have no bitcoins
* Create a Bitcoin wallet: https://blockchain.info/ru/wallet/new
* Purchase Bitcoin: https://localbitcoins.com/ru/buy_bitcoins or http://www.coindesk.com/information/how-can-i-buy-bitcoins (Visa/MasterCard, etc.)
When money transfer is confirmed, You will receive the decrypter file for Your computer.
After starting the program-interpreter, all Your files will be restored.
Attention!
* Do not attempt to remove a program or run the anti-virus tools
* Attempts to decrypt the files will lead to loss of Your data
* Decoders other users is incompatible with Your data, as each user unique encryption key
==========================================================”
As you can see, the ransom note starts with a demanding message that alerts victims about the encrypted files. It also provides victims with a personal ID number which is instructed to be sent to [email protected] or [email protected] in order to get the decryption tool. If you are one of the unlucky victims of this ransomware, contacting the crooks behind it and paying the ransom is definitely not recommended as you’ll probably end up losing more money but nothing will be done to your encrypted files. So the best option for now is to use whatever back copies you have of the affected files and wait until a free decryptor is released by security experts.
How does MaxiCrypt ransomware disseminate its malicious payload?
As stated early on, MaxiCrypt ransomware spreads as a corrupted Microsoft Word document which has macro scripts used to install the malware onto the computer once it is opened. Such file is disseminated using spam emails disguising as an important email. For this reason, you must be cautious in opening any emails and downloading attachments.
Eliminate MaxiCrypt ransomware and its malicious processes from your computer with the help of the removal guide below.
Step 1: Tap Win + E to open the File Explorer.
Step 2: After opening File Explorer, navigate to the following locations below and look for MaxiCrypt ransomware’s malicious components such as How to restore your data.txt as macro-enabled document responsible for installing the crypto-malware in your computer.

C:\Users\<your username>\AppData\Local\Temp
%HOMEDRIVE%
%USERPROFILE%\Desktop
%USERPROFILE%\Downloads
%AppData%
%Local%
%Temp%
%Roaming%
%LocalLow%

Step 3: Tap Ctrl + Shift + Esc keys to open the Task Manager.

Step 4: After opening the Task Manager, look for MaxiCrypt ransomware’s malicious process, right click on it and select End Process or End Task.

Step 5: Close the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 6: Look for MaxiCrypt ransomware or any suspicious program and then Uninstall it/them.

Step 7: Close the File Explorer. Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 8: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.

Step 9: Navigate to the listed paths below and look for the registry keys and sub-keys created by MaxiCrypt ransomware.

HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Step 10: Delete the registry keys and sub-keys created by MaxiCrypt ransomware.
Step 11: Close the Registry Editor.
Step 12: Empty your Recycle Bin.
Use the antivirus program to make sure that MaxiCrypt ransomware is removed completely from your computer – just follow the instructions below to do so.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:

Turn on your computer. If it’s already on, you have to reboot
After that, the BIOSscreen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

To navigate the Advanced Optionuse the arrow keys and select Safe Mode with Networking then hit
Windows will now load the SafeMode with Networking.
Press and hold both R key and Windows key.

If done correctly, the Windows Run Boxwill show up.
Type in explorer http://www.fixmypcfree.com/install/spyremoverpro

A single space must be in between explorer and http. Click OK.

A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.