MUST ransomware removal

MUST ransomware is file-encrypting malware, part of the Dharma ransomware family. This version can be distinguished from the many others by the .MUST file extension added to encrypted files. The ransomware displays a pop-up ransom note and also drops a FILES ENCRYPTED.txt text file.



MUST ransomware is malware that encrypts files. It belongs to the notorious Dharma ransomware family, which is responsible for releasing ransomware like RXD, Elvis, Kut, bH4T and 259. This version adds a .MUST file extension to encrypted files, which is how users can identify which ransomware they are dealing with. Once files are encrypted, users will not be able to open them until they are decrypted. To decrypt them, victims would be required to pay a ransom, though the price is not mentioned in the ransom note. Whatever the price may be, users are always cautioned that paying the ransom is risky. There are no guarantees that a decryptor would be sent to users, since the people behind this ransomware are cyber criminals who are unlikely to feel obligated to help users once they get the money. Furthermore, whenever users pay the ransom, it makes ransomware a profitable business for cyber crooks, which encourages them to continue.

For users who are not planning on paying the ransom and do not have a backup, the only option may be to wait for a free decryptor to be released by malware researchers or anti-virus vendors. It is not always possible to develop a free decryptor, but there is always a possibility that one will be released. There is a free decryptor for Dharma ransomware on NoMoreRansom, but it will not work on MUST or other ransomware versions. However, users should still back up the encrypted files and occasionally check NoMoreRansom for a decryptor. Users should also start regularly backing up files so that this situation does not happen again.

At the time of writing, a backup is the only way users can recover files for free. However, users need to fully remove MUST ransomware from their computers first, otherwise the backed-up files may become encrypted as well.

Can ransomware infections be avoided?

In many cases, a ransomware infection can indeed be avoided if users are careful enough. In fact, developing a few simple habits can mean avoiding an infection.

Because malspam is a common way ransomware is spread, users have to learn how to recognize a malicious email. Until proven otherwise, all unsolicited emails with attachments should be considered potentially malicious. When users receive an unsolicited email with an attachment from an unknown sender, they first need to check whether the sender is actually legitimate. That can easily be done by researching the sender’s email address to see whether it actually belongs to whoever the sender claims to be. The emails carrying malware often try to trick users into opening the email attachment by claiming it’s some kind of important document, usually money related, that needs to be reviewed immediately. If users are not familiar with what the email is talking about, they should avoid opening the attachment until it’s scanned with anti-virus software or VirusTotal. Overall, if users pay close attention to which emails they open, they should be able to detect a potentially malicious one.

Another bad habit users have that often leads to a ransomware infection is downloading copyrighted content via torrents, aka pirating. It’s not a secret that torrent sites are full of all kinds of malware, especially in torrents for popular movies and TV shows. Not only is pirating illegal, it’s also dangerous for the computer, which is why users are discouraged from doing it.

Is it possible to recover MUST ransomware encrypted files?

When the ransomware is initiated, it will start encrypting users’ important files, including photos, documents and videos. Users will know which of their files have been encrypted by the .MUST file extension added to encrypted files. Files with that extension will be unopenable until users decrypt them with the special decryptor. Once the encryption process is complete, the ransomware will show a pop-up ransom note and drop a FILES ENCRYPTED.txt text file. The text ransom note contains very little information, only that data has been encrypted, and two contact email addresses. The pop-up ransom note contains the victim’s unique ID, which needs to be included in the email if users choose to contact the cyber criminals behind this ransomware. However, as we said above, paying the ransom is not a great idea. Not only does it not guarantee that files will be decrypted, it also supports future criminal activity.

Here is the text from the pop-up ransom note dropped by MUST ransomware:

Don’t worry,you can return all your files!
If you want to restore them, follow this link:email YOUR ID –
If you have not been answered via the link within 12 hours, write to us by
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

At this moment in time, the only way users can recover files is if they have a backup. But before they can safely access the backup, they need to remove MUST ransomware from their computers fully. Failing to do so could result in the backed-up files becoming encrypted as well.
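An added example (not part of the original article): a read-only Python inventory of a folder tree using the two indicators described above, the .MUST extension and the FILES ENCRYPTED.txt note, to show how far the encryption reached and to list the encrypted files worth keeping for a future decryptor. The function names, the manifest file name and the sample tree are assumptions constructed for illustration.

```python
import csv
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".must"         # extension named in the article, matched case-insensitively
NOTE_NAME = "files encrypted.txt"  # ransom note file name from the article

def inventory(root):
    """Return (encrypted files, ransom notes, per-directory counts, unreadable dirs)."""
    encrypted, notes, skipped = [], [], []
    per_dir = Counter()
    # onerror records directories that could not be listed, so gaps in the scan stay visible
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: skipped.append(e.filename)):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == NOTE_NAME:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                per_dir[dirpath] += 1
    return sorted(encrypted), sorted(notes), per_dir, skipped

def write_manifest(encrypted, manifest_path):
    """Write path and size of every encrypted file; return the number of rows."""
    with open(manifest_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(["path", "size_bytes"])
        for path in encrypted:
            writer.writerow([str(path), path.stat().st_size])
    return len(encrypted)

def build_sample_tree(root):
    """Constructed sample data: two encrypted files, one note, one untouched file."""
    docs, pics = Path(root) / "Documents", Path(root) / "Pictures"
    docs.mkdir()
    pics.mkdir()
    (docs / "report.docx.MUST").write_bytes(b"\x00" * 32)
    (docs / "FILES ENCRYPTED.txt").write_text("constructed note placeholder")
    (pics / "holiday.jpg.must").write_bytes(b"\x00" * 64)
    (pics / "untouched.png").write_bytes(b"\x89PNG")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        enc, notes, per_dir, skipped = inventory(tmp)
        rows = write_manifest(enc, Path(tmp) / "must_manifest.csv")
        print(f"{rows} encrypted, {len(notes)} note(s), {len(skipped)} unreadable dir(s)")
        print(per_dir.most_common(5))
```

A non-empty list of unreadable directories means the inventory is incomplete and the scan should be repeated with sufficient permissions before the scope is trusted.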

MUST ransomware removal

Because this is a complex malware infection, users should not attempt manual MUST ransomware removal. Instead, they need to use anti-virus software. It should also be mentioned that deleting MUST ransomware does not mean that files will automatically become decrypted.

MUST ransomware is detected as:

  • Trojan.Ransom.Crysis.E by BitDefender
  • Ransom.Crysis by Malwarebytes and Symantec
  • Ransom.Win32.CRYSIS.SM by TrendMicro
  • Ransom:Win32/Wadhrama!hoa by Microsoft
  • Ransom-Dharma!ECFA0CE6B19C by McAfee
  • by Kaspersky
  • A Variant Of Win32/Filecoder.Crysis.P by ESET
  • Trojan.Ransom.Crysis.E (B) by Emsisoft
  • Win32:RansomX-gen [Ransom] by Avast/AVG