The majority of file-encrypting viruses from this family (ZIDA, USAM, VAWE, etc.), including the current ransomware, spread using deceptive techniques, such as fake Adobe update pop-ups. Once installed, it shows an imitation of a Windows update screen while encrypting almost all data on the computer with the AES-256 cryptographic algorithm. As soon as the encryption process is finished, users cannot open or use any of the encoded files, which are marked with the .maas file extension. Additionally, this ransomware is capable of modifying the Windows hosts file and embedding malicious code. These modifications are programmed to block network connections to all types of security websites and tools. In other words, victims are unable to search for help online or run security software on the infected system. As a result, many people struggle with MAAS removal and get lost when they see the ransom note.
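The hosts-file tampering described above can be checked for directly. The following Python audit is an added example, not code from the original article or from any tool it names; it assumes the blocking is done by mapping hostnames to loopback or unspecified addresses, and the sample hosts content with its .example domains is constructed.

```python
import ipaddress

# Names a default hosts file may legitimately map to loopback.
DEFAULT_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample; the .example domains are placeholders, not real indicators.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       av-vendor.example www.av-vendor.example  # two names, one line
0.0.0.0         removal-guides.example
10.0.0.5        intranet.example
not-an-ip       ignored.example
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def find_blocked_hosts(text):
    """Return mappings that point a non-local name at loopback or 0.0.0.0/::."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        # Assumption: blocking is done by sinkholing names to these addresses.
        if (ip.is_loopback or ip.is_unspecified) and name not in DEFAULT_NAMES:
            findings.append((line_no, str(ip), name))
    return findings


if __name__ == "__main__":
    for line_no, ip, name in find_blocked_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a live system, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to find_blocked_hosts and review every reported entry once the malware itself has been removed.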
Details of the ransom note
Developers have created a message that appears after the encryption process and informs users about the ransomware attack. They point out that it is possible to restore corrupted data if the victims agree to pay up. In fact, they demand a transfer of $490 in Bitcoins within the first 72 hours of the infection for a decryption tool. It is presented as a 50% discount, as later the price doubles to $980. The transcript of the _Readme.txt ransom note is shown in the image below. However, there have been numerous cases with previous STOP/DJVU variants in which cybercriminals simply disappeared after they received the payment and never sent the MAAS decryptor to the victims. Even though the attackers try to comfort their victims, people should never trust them, as they are cybercriminals. Otherwise, many people might suffer financial losses or other significant consequences. All security experts advise never even trying to contact the attackers and removing the MAAS ransomware virus instead. People should also be aware that this file-encrypting malware family is known for installing AZORULT password-stealing software. Thus, the elimination procedure should be automatic to get rid of all cyber threats at once. We suggest installing the RESTORO tool to help you.
Current situation regarding MAAS file decryption: The decryptor isn’t available. Check back soon, as keys for VAWE and USAM, the latest versions, are already available. If you are in a rush, you can repair video files using instructions provided in this guide.
Summary of the cryptomalware
In-motion demonstration of live Maas ransomware attack, after which files can no longer be opened:
Description: MAAS ransomware, also known as MAAS file virus, is a malicious crypto-malware that makes files inaccessible in order to demand a ransom from the victim. The malicious program is a variant of the infamous STOP/DJVU malware. Once encrypted, files can no longer be opened, and the victim finds a ransom note _readme.txt, which contains a message from the cybercriminals: pay the ransom or lose the data for good.
Offer price: 490-980
Currency: USD
Operating System: Windows
Application Category: Ransomware (malware)
Author: STOP/DJVU authors
Primary STOP/DJVU distribution methods: software cracks and malicious online ads
The primary MAAS ransomware distribution method is based on illegal software downloads. The malware developers tend to pack fake peer-to-peer downloads with ransomware executables and upload them to popular torrent websites. Users who visit these sites and search for cracks for popular software such as Adobe Photoshop or games are the primary targets for the cybercriminals. Once they download and open the malicious files, the ransomware immediately encrypts all files and leaves the victim no option to open them other than paying a ransom.
In addition, the ransomware developers created a very effective way to spread infections: they upload fake Adobe Flash Player update pop-ups that trigger automatic installation of file-encrypting viruses. They have designed the malicious pop-up to look almost exactly the same as the legitimate update notifications. As a result, the majority of people fall for the trick and install ransomware by clicking on the update button. Usually, people encounter such deceptive pop-ups while browsing highly suspicious pages that redirect them to various advertisements and questionable networks. Note that other unverified ads can also hold malicious code and trigger malware installation. Therefore, you should refrain from clicking on any form of advertising content while browsing the Internet. Otherwise, you risk installing file-encrypting viruses and other dangerous cyber threats.
Finally, experts advise never downloading suspicious applications and getting software only from legitimate websites. Cybercriminals also tend to upload files with ransomware executables that look like well-known applications to peer-to-peer (P2P) websites. Never browse these sites and do not install any programs from them under any circumstances. This way you will significantly decrease the risk of malware infiltration.
Remove MAAS ransomware virus and recover your files
Before you can try to decrypt the affected files, you must first remove the MAAS ransomware virus from your system. The only safe way to do so is to install a professional malware removal tool. Our team recommends RESTORO, as it can not only help you uninstall the file-encrypting virus but also delete the password-stealing software that was installed alongside it. However, you can use another antivirus of your choice. If you are unable to start MAAS file virus removal, you should neutralize the malicious code running on your system by booting your PC into Safe Mode. It is an easy process. However, in case you are an inexperienced computer user, we suggest following the elimination guidelines at the end of this article. They will show you how to run a full system scan without any disruptions.
Later, you can try to restore the encrypted data. For that, the best way is to use the latest backup copy from your cloud storage. However, if you do not store backups, you might try alternative STOP/DJVU decryption methods. Just be aware that other cybercriminals might try to trick you into purchasing useless decryption software online. Do not fall for these scams and follow only experts’ advice. You can find currently available file recovery tools, including video file repair tool usage instructions, in the guide below or in the aforementioned article containing decryption instructions.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair virus damage caused to the system. GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you.
Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-the-art technology to provide protection against ransomware, zero-day attacks and advanced threats. Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer.
RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of the software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses the AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.
Method 1. Enter Safe Mode with Networking
Before you try to remove the MAAS ransomware virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot a PC in this mode, but you can find additional ones in the in-depth tutorial on our website, How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on YouTube.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
Now, you can search for and remove MAAS ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus. Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware: Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense: This is an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Due to its wide range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt MAAS files
Fix and open large MAAS files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the first 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files altogether. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. MAAS ransomware is considered a new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by an offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher, Michael Gillespie.
Note! Please do not spam the security researcher with questions about whether he can recover your files encrypted with an online key - it is not possible.
In order to test the tool and see if it can decrypt MAAS files, follow the given tutorial.
Meanings of decryptor’s messages
The MAAS decryption tool might display several different messages after a failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor’s database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs you that your files were encrypted with an online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your MAAS extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend that you follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of MAAS ransomware should report the Internet crime incident to the official government fraud and scam website according to their country:
In the United States, go to the On Guard Online website.
In Australia, go to the SCAMwatch website.
In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
In Ireland, go to the An Garda Síochána website.
In New Zealand, go to the Consumer Affairs Scams website.
In the United Kingdom, go to the Action Fraud website.
In Canada, go to the Canadian Anti-Fraud Centre.
In India, go to Indian National Cybercrime Reporting Portal.
In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.