Mmpa ransomware is file-encrypting malware from the notorious Djvu/STOP ransomware family, which is already responsible for releasing hundreds of ransomware versions. This one can be differentiated from the others by the .mmpa extension added to encrypted files. It also drops a _readme.txt ransom note.
Mmpa ransomware comes from a family of file-encrypting malware known as Djvu/STOP. The gang releasing these ransomware threats is responsible for more than two hundred versions, including Foqe, Moss, and Lyli. This ransomware adds .mmpa to encrypted files, hence why it’s known as Mmpa ransomware. Users will be unable to open encrypted files until they are decrypted with a special tool.
The ransomware will drop a _readme.txt ransom note, which will explain that users can decrypt files by purchasing the decryptor for $980, or $490 if contact is made within 72 hours. However, paying the ransom is not recommended because it does not mean files will be decrypted. When users pay the ransom, they are supposed to contact the cyber crooks behind this ransomware, who will supposedly send the decryptor once they confirm the payment. In reality, whether victims receive the decryptor depends on how willing the cyber crooks are to help. And since they’re not obligated to help, they don’t always do so. Many users in the past were left with no decryptors after paying, and likely many more will be in the same situation in the future.
Unfortunately, the only free way to recover files is from a backup. If users have a backup, they can access it to start file recovery as soon as they remove Mmpa ransomware. It is very important that users fully delete the ransomware before accessing the backup because otherwise files in that backup may become encrypted as well.
For users who don’t have a backup, there is a possibility that a free decryptor may be released in the future. Malware researchers and anti-virus vendors do release free decryptors whenever possible, but one for Mmpa ransomware is not available. Older versions of Djvu/STOP are decryptable with Emsisoft’s decryptor for STOP Djvu, but it does not work for versions that use online keys to encrypt files. That, unfortunately, includes Mmpa ransomware.
It should be mentioned that there are many fake decryptors on the Internet and they may be carrying malware. If a legitimate decryptor were to be released, it would come from legitimate sources, such as NoMoreRansom, Emsisoft, other anti-virus vendors and malware researchers.
What does the ransomware do?
When the ransomware starts file encryption, it shows a fake Windows Update window that says important updates are being installed. What it’s actually doing is encrypting photos, documents, videos, and other files. All encrypted files will have a .mmpa extension added to them, and users will be unable to open them. A ransom note _readme.txt is also dropped and it contains information about the decryptor.
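The two artifacts described above (the appended .mmpa extension and the _readme.txt note) are enough to scope the damage once the ransomware has been removed. The following Python script is an added example, not part of the original article: it inventories affected folders and builds the list of original file names to pull from backup. The function names and the command-line usage are assumptions made for illustration.

```python
import os
import sys
from collections import defaultdict

ENCRYPTED_SUFFIX = ".mmpa"   # extension appended to encrypted files, per this page
NOTE_NAME = "_readme.txt"    # ransom note file name, per this page


def inventory(root):
    """Walk root and return {directory: {"encrypted": [names], "note": bool}}."""
    report = defaultdict(lambda: {"encrypted": [], "note": False})
    # onerror: skip folders that cannot be read instead of aborting the walk
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()
            if lower == NOTE_NAME:
                # Generic file name: treat as a hint, not proof, on its own
                report[dirpath]["note"] = True
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                report[dirpath]["encrypted"].append(name)
    return dict(report)


def original_name(encrypted_name):
    """Name before the suffix was appended (photo.jpg.mmpa -> photo.jpg)."""
    return encrypted_name[: -len(ENCRYPTED_SUFFIX)]


def restore_list(root):
    """Sorted paths, relative to root, of the files to restore from backup."""
    paths = []
    for dirpath, entry in inventory(root).items():
        for name in entry["encrypted"]:
            full = os.path.join(dirpath, original_name(name))
            paths.append(os.path.relpath(full, root))
    return sorted(paths)


if __name__ == "__main__":
    # Assumed usage: python mmpa_inventory.py C:\Users\<name>
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for directory, entry in sorted(inventory(target).items()):
        flag = "note present" if entry["note"] else "no note"
        print(f"{directory}: {len(entry['encrypted'])} encrypted file(s), {flag}")
    for path in restore_list(target):
        print("restore:", path)
```

The script only reads directory listings; it does not open, rename or delete any file, so the encrypted copies stay in place in case a decryptor is released later.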
The decryptor is offered for $980 but supposedly, if users contact the cyber crooks behind the ransomware within 72 hours, they will receive a 50% discount. However, trusting cyber criminals to keep their word is not recommended. They will not necessarily send the decryptor after a payment is made, and many users in the past have been left with no decryptor and lost money. Furthermore, paying the ransom only encourages cyber criminals to continue, as ransomware becomes profitable for them. This unfortunately means that backup is currently the only way to recover files.
Here is the full Mmpa ransomware ransom note:
Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
How did ransomware infect a computer?
Ransomware usually infects computers of users who have bad browsing habits. That includes opening spam email attachments, downloading pirated content via torrents, as well as clicking on ads while on dangerous websites.
Users who end up with ransomware on their computers are often pirates of copyrighted content. They do the pirating via torrents, which they download from torrent sites that are not properly regulated. Because anyone can upload anything on them, malicious parties often try to trick users into downloading malware disguised as popular movies, TV shows, games, software, etc. Malware in torrents is particularly common when a movie, TV show, or game is very popular. For example, torrents for episodes of Game of Thrones were often malware when the show was airing its seasons.
Another very common way to spread ransomware is email attachments. When users download those malicious attachments and open them, the malware initiates. The emails carrying malware can come in a variety of different forms. Some may pretend to be some kind of official correspondence, while others may be blank and just have an attachment. Senders often claim to be from known companies and organizations, which allows them to gain the trust of more gullible users. However, if users are more careful and pay more attention to what attachments they open, they should be able to notice that something is not right. The first thing users should check in an unsolicited email is the sender’s email address. If it’s a random one, it’s probably spam. But even if it looks legitimate, users should still use a search engine to check that it actually belongs to someone real. Users should also check the email text for grammar and spelling mistakes, as those are often a sign of an email being potentially malicious. Finally, it’s recommended that users always scan unsolicited email attachments with anti-virus software or VirusTotal before opening them.
Mmpa ransomware removal
The safest way to delete Mmpa ransomware is to use anti-malware software. Ransomware is a complex threat, and manual removal may do even more damage. Unfortunately, users removing the ransomware does not mean files will be decrypted. To decrypt files, a decryptor is necessary.
Users who have a backup can start recovering files from it as soon as they remove Mmpa ransomware from their computers.