How to Remove Maze Ransomware

How to Remove Maze Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

*********************************************************************************************************************

Attention! Your documents, photos, databases, and other important files have been encrypted!

*********************************************************************************************************************

What is going on?
Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system

You can read more about this cryptosystem here: hxxps://en.wikipedia.org/wiki/RSA_(cryptosystem)

The only way to recover (decrypt) your files is to buy decryptor with the unique private key

Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!

By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.

In order to either buy the private key or make test decryption contact us via email:
Main e-mail: koreadec@tutanota.com
Reserve e-mail: yourrealdecrypt@airmail.cc

Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies

If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one

Below you will see a big base64 blob, you will need to email us and copy this blob to us.
you can click on it, and it will be copied into the clipboard.

If you have troubles copying it, just send us the file you are currently reading, as an attachment.

Base64:


Maze
is a nasty ransomware infection. It’s a variant of the ChaCha ransomware. That’s why, it turns to the ChaCha20 cipher, when it locks your data up. Let’s elaborate. You see, after the Maze tool slithers into your system, it strikes. It uses strong RSA-2048 and ChaCha20 algorithms to encrypt your files. It targets everything, you keep on your PC. Documents, archives, photos, music, videos. Nothing escapes its reach. To affirm its control over your data, the Maze threat adds an extension at the end of each one. It attaches ‘.maze,’ and a string of random characters. For example, the photo called ‘sunday.jpg’ becomes ‘sunday.jpg.maze.ILnnD.’ After the extension is in place, your files become unusable. You can try to rename them, or move them around, but it’s futile. The only way for you to access them again, is to decrypt them. And, to do that, you must follow Maze’s demands. Demands, which are listed in the ransom note, the infection leaves you. It’s a DECRYPT-FILES.HTML file, and it’s pretty standard. It explains your current situation, and gives you instructions to follow. “The only way to recover (decrypt) your files is to buy decryptor with the unique private key.” And, how do you suppose you get said key? Well, you pay the ransom, and then the people behind Maze, promise to send you the key, you need. And, that’s all you get – a promise. They don’t provide guarantees. The ransom amount varies, but is usually an amount to get paid in Bitcoin. Pay nothing! You can’t trust these cyber extortionists. To choose to trust them, is a mistake. Don’t make it! Don’t pay the ransom. Don’t comply.

How did I get infected with?

Maze uses slyness and subtlety to invade. The infection is quite deceptive, when it comes to infiltration. It uses the old but gold methods to slip past you unnoticed. Then, spreads its clutches and affects your system, throughout. The usual antics, include the use of fake updates, freeware, corrupted links, sites, and torrents. And, of course, spam emails, as well. One day, you get an email that appears legitimate, on surface level. It seems to come from a well-know, well-established company, like PayPal or Amazon. And, when you open it, it urges you to click a certain link. Or, download an attachment. Supposedly, to confirm a purchase or verify your information. If you follow these instructions, you’ll regret it. That’s how you end up with a cyber menace, like Maze. Do yourself a favor, and always be thorough. Take the time to do your due diligence. Read terms and conditions, look for the fine print, and make sure to know what you say YES to. Even a little extra attention can save you a ton of troubles. Do what’s best, and be careful. Don’t give into naivety and distraction. Don’t rush. Always choose caution over carelessness. One keeps infections out, and the other invites them in. Choose wisely.

Remove Maze

Why is Maze dangerous?

Compliance is NOT the way to go. Paying the ransom will get you nothing but regret. It will not bring back control over your data. Do you know why that is? It’s because, you’re dealing with cyber criminals, who only seek to exploit you. These people prey on your gullibility and fear, and seek to benefit off of them. They rely on you to place your trust onto them, despite the fact, all you get in return, are empty words. Think about it. These people give you ZERO guarantees that compliance will work. All, you get, are promises. And, can you trust the word of cyber extortionists? The answer is, ‘No.’ Here’s the thing. If you pay, you’re at their mercy. They have your money, and have no obligation to follow through on what they promised you. So, after payment is complete, they can choose not to send you the decryption key, you need. Or, they can send one that proves useless, and leaves your data locked still. And, even if you do get the proper key, and free your files, don’t rejoice. That key does nothing more than decrypt the encrypted data. It does nothing against the encryptor itself, Maze. It still remains on your computer, ready to strike again. And, what’s to stop it from doing so, a mere minute after you decrypt your files? That will put you back to square one. Only, this time, you’ll have less money. Don’t waste your energy, time and resources, dealing with these data kidnappers. Don’t put your faith onto cyber kidnappers. Place it onto cloud storage services, and backups. That’s the way to go. There aren’t enough ways to stress the importance of this: Don’t comply.

Maze Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Maze Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.

end-malicious-process

  • Locate any suspicious processes associated with Maze encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Maze encryption Virus startup location

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.

win-plus-r

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

windows system restore

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.

Leave a Comment