www.pcrisk.com (2606:4700:3108::ac42:2bdf)

URL: https://www.pcrisk.com/removal-guides/16313-mespinoza-ransomware
Submission: On January 09 via manual from US — Scanned from DE

Form analysis 3 forms found in the DOM

POST index.php

<form action="index.php" method="post">
  <input style="border: 1px solid #a2a2a2; padding: 5px 5px 5px 15px; font-size: 90%; color: #4E4E4E; margin: 2px; display: inline; width: auto; height: auto; position: relative; top: auto; left: auto; cursor: auto; opacity: 1;"
    aria-label="Search this website" name="searchword" id="mod_search_mobile" maxlength="150" class="inputbox" type="text" size="34" value="Search.." onblur="if(this.value=='') this.value='Search..';"
    onfocus="if(this.value=='Search..') this.value='';">
  <input type="hidden" name="task" value="search">
  <input type="hidden" name="option" value="com_search">
  <input type="hidden" name="Itemid" value="1">
</form>

POST https://www.paypal.com/cgi-bin/webscr

<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
  <input type="hidden" value="_s-xclick" name="cmd">
  <input type="hidden" value="EA4EWNMHF7XZW" name="hosted_button_id">
  <input type="image" alt="PayPal - The safer, easier way to pay online!" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" name="submit">
  <img loading="lazy" alt="" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" height="1" width="1">
</form>

POST index.php

<form action="index.php" method="post">
  <div class="search" style="text-align:center;">
    <label for="mod_search_searchword" style="display: none;">Search..</label><input style="border: 1px solid #dbdbdb; padding: 5px 5px 5px 15px; width: 92%; font-size: 90%; color: #4E4E4E; margin: 2px;" name="searchword" id="mod_search_searchword"
      maxlength="150" alt="Search" class="inputbox" type="text" size="34" value="Search.." onblur="if(this.value=='') this.value='Search..';" onfocus="if(this.value=='Search..') this.value='';">
  </div>
  <input type="hidden" name="task" value="search">
  <input type="hidden" name="option" value="com_search">
  <input type="hidden" name="Itemid" value="57">
</form>

Text Content



HOW TO AVOID DATA LOSS CAUSED BY MESPINOZA RANSOMWARE

Also Known As: Mespinoza virus
Type: Ransomware
Damage level: Severe

Written by Tomas Meskauskas on September 24, 2021 (updated)

▼ REMOVE IT NOW Get free scan and check if your computer is infected.
To use full-featured product, you have to purchase a license for Combo Cleaner.
Seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt,
the parent company of PCRisk.com read more.


WHAT IS MESPINOZA?

Discovered by GrujaRS, Mespinoza is malicious software that encrypts data and
blocks access to it unless a ransom is paid. Programs of this type are
classified as ransomware. Mespinoza adds the ".locked" extension to each
encrypted file. For example, "1.jpg" becomes "1.jpg.locked", and so on. It also
creates a ransom message within the "Readme.README" file.

The "Readme.README" ransom message states that this ransomware encrypts all
files and backups. To recover them, victims are encouraged to contact the cyber
criminals who designed Mespinoza via the alanson_street8@protonmail.com or
lambchristoffer@protonmail.com email address.

They can attach up to two encrypted files, which cannot exceed 2 MB - cyber
criminals offer to decrypt these free of charge. Victims are warned not to
restart their computers or move encrypted files. Further instructions should be
provided after sending an email to them.

Typically, programs of this type encrypt files with strong encryption
algorithms, and thus victims cannot decrypt their files without the correct
decryption tools. Unfortunately, only the cyber criminals who designed the
ransomware have valid tools/keys. Note, however, that they tend not to send any
of the promised tools/keys even if victims meet all demands (contact and pay
them).

Since there are no free tools capable of decrypting Mespinoza files, the only way
to recover data without paying the ransom is to restore files from a backup.
Files remain encrypted even after the ransomware is removed from the system -
removing the ransomware only prevents it from encrypting further files.

Screenshot of a message encouraging users to pay a ransom to decrypt their
compromised data:



Generally, ransomware-type programs lock (encrypt) files and create or display
ransom messages that contain instructions on how to contact and/or pay the cyber
criminals. The main differences are usually the cryptographic algorithm
(symmetric or asymmetric) used to encrypt files and the cost of a decryption
tool and/or key.

Some examples of other ransomware-type malware include Corpseworm, Lokf, and
LOCKEDS.

In most cases, victims cannot recover files without tools held only by the cyber
criminals who designed the ransomware, unless (in rare cases) the ransomware
contains bugs/flaws, is unfinished, or the victims have their data backed up.
Therefore, maintain backups and store them on a remote server and/or an unplugged
storage device.


HOW DID RANSOMWARE INFECT MY COMPUTER?

Computers are infected with malicious programs through spam campaigns, fake
software updaters, Trojans, unofficial, untrustworthy software download sources,
and unofficial activation tools. Systems become infected via spam campaigns when
cyber criminals send emails that contain malicious attachments and recipients
open them.

They disguise these emails as official, important, and so on, and hope that
people will download and open the attached file or website link, which downloads
a malicious file. Typically, they attach Microsoft Office, PDF documents,
JavaScript, executable (.exe) files, archives such as ZIP, RAR, etc.

Fake software updating tools usually infect systems by exploiting bugs/flaws of
outdated software installed on the system or by installing malicious software
rather than updates. Trojans are malicious programs that, if installed, cause
chain infections. Most Trojans infect computers with additional malware.

Examples of dubious software download sources are freeware download pages, free
file hosting websites, Peer-to-Peer (P2P) networks such as torrent clients,
eMule, unofficial sites, and so on. People who use these tools/sources to
download files and/or programs risk downloading malicious files disguised as
legitimate.

If opened, the files install malware. Unofficial software activation
('cracking') tools supposedly activate licensed programs free of charge
(bypassing paid activation), however, cyber criminals use them to distribute
malware.

THREAT SUMMARY:

Name: Mespinoza virus
Threat Type: Ransomware, Crypto Virus, Files locker.
Encrypted Files Extension: .locked
Ransom Demanding Message: Readme.README
Cyber Criminal Contact: alanson_street8@protonmail.com, lambchristoffer@protonmail.com.
Detection Names: ALYac (Trojan.Ransom.Mespinoza), BitDefender (Gen:Heur.Ransom.REntS.Gen.1), ESET-NOD32 (A Variant Of Win32/Filecoder.NYO), Kaspersky (Trojan.Win32.Zudochka.dlu), Full List Of Detections (VirusTotal)
Symptoms: Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files.
Distribution methods: Infected email attachments (macros), torrent websites, malicious ads.
Damage: All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.
Malware Removal (Windows): To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.




HOW TO PROTECT YOURSELF FROM RANSOMWARE INFECTIONS

Do not open attachments or web links in irrelevant emails. In many cases, these
emails are sent from unknown, suspicious addresses, and cyber criminals usually
disguise them as important, official, etc. Keep installed software up to date,
but use only the update functions and tools provided by the official software
developers.

Files should be downloaded from official and trustworthy websites, and via
direct links. Other sources/tools (examples are mentioned above) should not be
trusted. It is illegal to activate software using unofficial activation
('cracking') tools. Furthermore, they often infect systems by installing
malware.

Therefore, never use tools of this type. Regularly scan the operating system
with a reputable antivirus or anti-spyware suite. Keep this software up-to-date.
If your computer is already infected with Mespinoza, we recommend running a scan
with Combo Cleaner Antivirus for Windows to automatically eliminate this
ransomware.

Text presented in Mespinoza ransomware text file ("Readme.README"):

> Hi Company,
> 
> Every byte on any types of your devices was encrypted.
> Don't try to use backups because it were encrypted too.
> 
> To get all your data back contact us:
> alanson_street8@protonmail.com
> lambchristoffer@protonmail.com
> --------------
> 
> FAQ:
> 
> 1.
>    Q: How can I make sure you don't fooling me?
>    A: You can send us 2 files(max 2mb).
> 
> 2.
>    Q: What to do to get all data back?
>    A: Don't restart the computer, don't move files and write us.
> 
> 3.
>    Q: What to tell my boss?
>    A: Shit happens.

Screenshot of files encrypted by Mespinoza (".locked" extension):




MESPINOZA RANSOMWARE REMOVAL:

Instant automatic malware removal: Manual threat removal might be a lengthy and
complicated process that requires advanced computer skills. Combo Cleaner is a
professional automatic malware removal tool that is recommended to get rid of
malware. Download it by clicking the button below:




VIDEO SUGGESTING WHAT STEPS SHOULD BE TAKEN IN CASE OF A RANSOMWARE INFECTION:



Quick menu:

 * What is Mespinoza virus?
 * STEP 1. Reporting ransomware to authorities.
 * STEP 2. Isolating the infected device.
 * STEP 3. Identifying the ransomware infection.
 * STEP 4. Searching for ransomware decryption tools.
 * STEP 5. Restoring files with data recovery tools.
 * STEP 6. Creating data backups.


REPORTING RANSOMWARE TO AUTHORITIES:

If you are a victim of a ransomware attack we recommend reporting this incident
to authorities. By providing information to law enforcement agencies you will
help track cybercrime and potentially assist in the prosecution of the
attackers. Here's a list of authorities where you should report a ransomware
attack. For the complete list of local cybersecurity centers and information on
why you should report ransomware attacks, read this article.

List of local authorities where ransomware attacks should be reported (choose
one depending on your residence address):

 * USA - Internet Crime Complaint Centre IC3
 * United Kingdom - Action Fraud
 * Spain - Policía Nacional
 * France - Ministère de l'Intérieur
 * Germany - Polizei
 * Italy - Polizia di Stato
 * The Netherlands - Politie
 * Poland - Policja
 * Portugal - Polícia Judiciária


ISOLATING THE INFECTED DEVICE:

Some ransomware-type infections are designed to encrypt files within external
storage devices, infect them, and even spread throughout the entire local
network. For this reason, it is very important to isolate the infected device
(computer) as soon as possible.

Step 1: Disconnect from the internet.

The easiest way to disconnect a computer from the internet is to unplug the
Ethernet cable from the motherboard, however, some devices are connected via a
wireless network and for some users (especially those who are not particularly
tech-savvy), disconnecting cables may seem troublesome. Therefore, you can also
disconnect the system manually via Control Panel:

Navigate to the "Control Panel", click the search bar in the upper-right corner
of the screen, enter "Network and Sharing Center" and select search result:

Click the "Change adapter settings" option in the upper-left corner of the
window:

Right-click on each connection point and select "Disable". Once disabled, the
system will no longer be connected to the internet. To re-enable the connection
points, simply right-click again and select "Enable".

Step 2: Unplug all storage devices.

As mentioned above, ransomware might encrypt data and infiltrate all storage
devices that are connected to the computer. For this reason, all external
storage devices (flash drives, portable hard drives, etc.) should be
disconnected immediately, however, we strongly advise you to eject each device
before disconnecting to prevent data corruption:

Navigate to "My Computer", right-click on each connected device, and select
"Eject":

Step 3: Log-out of cloud storage accounts.

Some ransomware-type infections might be able to hijack software that handles
data stored in "the Cloud", so that data could be corrupted/encrypted as well.
For this reason, you should log out of all cloud storage accounts within browsers
and other related software. You should also consider temporarily uninstalling the
cloud-management software until the infection is completely removed.


IDENTIFY THE RANSOMWARE INFECTION:

To properly handle an infection, one must first identify it. Some ransomware
infections use ransom-demand messages as an introduction (see the WALDO
ransomware text file below).



This, however, is rare. In most cases, ransomware infections deliver more direct
messages simply stating that data is encrypted and that victims must pay some
sort of ransom. Note that ransomware-type infections typically generate messages
with different file names (for example, "_readme.txt", "READ-ME.txt",
"DECRYPTION_INSTRUCTIONS.txt", "DECRYPT_FILES.html", etc.). Therefore, using the
name of a ransom message may seem like a good way to identify the infection. The
problem is that most of these names are generic and some infections use the same
names, even though the delivered messages are different and the infections
themselves are unrelated. Therefore, using the message filename alone can be
ineffective and even lead to permanent data loss (for example, by attempting to
decrypt data using tools designed for different ransomware infections, users are
likely to end up permanently damaging files and decryption will no longer be
possible even with the correct tool).

Another way to identify a ransomware infection is to check the file extension,
which is appended to each encrypted file. Ransomware infections are often named
by the extensions they append (see files encrypted by Qewe ransomware below).



This method is only effective, however, when the appended extension is unique -
many ransomware infections append a generic extension (for example,
".encrypted", ".enc", ".crypted", ".locked", etc.). In these cases, identifying
ransomware by its appended extension becomes impossible.
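The two indicators discussed above (the ransom-note file name and the appended extension) are exactly what ID Ransomware asks a victim to upload, and both are easy to collect offline before anything is submitted. The script below is an added example, not part of the PCRisk guide: it walks a directory tree, counts appended extensions, picks out files whose names match the ransom-note names quoted in this guide (plus Mespinoza's own "Readme.README"), and flags when the dominant extension is one of the generic ones the guide lists as insufficient for identification. The sample directory it builds is constructed for the demonstration; the helper names are the example's own.

```python
"""Offline triage of a possibly encrypted directory tree (added example).

Collects the two indicators the guide says to gather before identification:
appended file extensions and ransom-note file names. Flags extensions the
guide calls generic, since those are shared by unrelated ransomware families.
"""
import os
import tempfile
from collections import Counter

# Ransom-note names quoted in the guide, plus Mespinoza's "Readme.README".
# Compared case-insensitively.
NOTE_NAMES = {
    "readme.readme",
    "_readme.txt",
    "read-me.txt",
    "decryption_instructions.txt",
    "decrypt_files.html",
}

# Extensions the guide lists as generic: not enough to name a family.
GENERIC_EXTENSIONS = {".encrypted", ".enc", ".crypted", ".locked"}


def appended_extension(name):
    """Return the trailing suffix of a doubly-suffixed name ('1.jpg.locked' ->
    '.locked'), or None for names with at most one suffix ('notes.txt')."""
    parts = name.rsplit(".", 2)
    if len(parts) < 3:
        return None
    return "." + parts[-1].lower()


def triage(root):
    """Walk `root` and return ransom-note paths, appended-extension counts,
    the most common appended extension, and whether that extension is generic.
    Legitimate double extensions (e.g. '.tar.gz') show up as low counts, which
    is why the extensions are ranked rather than taken one by one."""
    notes = []
    ext_counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in NOTE_NAMES:
                notes.append(os.path.join(dirpath, name))
                continue
            ext = appended_extension(name)
            if ext:
                ext_counter[ext] += 1
    ranked = ext_counter.most_common()
    top_ext = ranked[0][0] if ranked else None
    return {
        "ransom_notes": sorted(notes),
        "extension_counts": dict(ext_counter),
        "top_extension": top_ext,
        "extension_is_generic": bool(top_ext) and top_ext in GENERIC_EXTENSIONS,
    }


def build_sample_tree():
    """Constructed sample: a temp directory mimicking a folder hit by
    Mespinoza (two '.locked' files, one note) plus ordinary noise."""
    root = tempfile.mkdtemp(prefix="triage_sample_")
    os.makedirs(os.path.join(root, "Documents"))
    for rel in ("1.jpg.locked", "Documents/report.docx.locked",
                "Documents/Readme.README", "notes.txt", "backup.tar.gz"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("placeholder content\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print("ransom notes:", result["ransom_notes"])
    print("appended extensions:", result["extension_counts"])
    print("top extension:", result["top_extension"],
          "(generic, submit a note too)" if result["extension_is_generic"] else "")
```

On the constructed tree the top extension is ".locked", which the script marks as generic, so the note file it found is what actually distinguishes this infection when both are uploaded to ID Ransomware.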

One of the easiest and quickest ways to identify a ransomware infection is to
use the ID Ransomware website. This service supports most existing ransomware
infections. Victims simply upload a ransom message and/or one encrypted file (we
advise you to upload both if possible).



The ransomware will be identified within seconds and you will be provided with
various details, such as the name of the malware family to which the infection
belongs, whether it is decryptable, and so on.

Example 1 (Qewe [Stop/Djvu] ransomware):



Example 2 (.iso [Phobos] ransomware):



If your data happens to be encrypted by ransomware that is not supported by ID
Ransomware, you can always try searching the internet by using certain keywords
(for example, a ransom message title, file extension, provided contact emails,
crypto wallet addresses, etc.).


SEARCH FOR RANSOMWARE DECRYPTION TOOLS:

Encryption algorithms used by most ransomware-type infections are extremely
sophisticated and, if the encryption is performed properly, only the developer
is capable of restoring data. This is because decryption requires a specific
key, which is generated during the encryption. Restoring data without the key is
impossible. In most cases, cybercriminals store keys on a remote server, rather
than on the infected machine. Dharma (CrySis), Phobos, and other families of
high-end ransomware infections are virtually flawless, and thus restoring the
encrypted data without the developers' involvement is simply impossible. Despite
this, there are dozens of ransomware-type infections that are poorly developed
and contain a number of flaws (for example, the use of identical
encryption/decryption keys for each victim, keys stored locally, etc.).
Therefore, always check for available decryption tools for any ransomware that
infiltrates your computer.

Finding the correct decryption tool on the internet can be very frustrating. For
this reason, we recommend that you use the No More Ransom Project and this is
where identifying the ransomware infection is useful. The No More Ransom Project
website contains a "Decryption Tools" section with a search bar. Enter the name
of the identified ransomware, and all available decryptors (if there are any)
will be listed.




RESTORE FILES WITH DATA RECOVERY TOOLS:

Depending on the situation (quality of ransomware infection, type of encryption
algorithm used, etc.), restoring data with certain third-party tools might be
possible. Therefore, we advise you to use the Recuva tool developed by CCleaner.
This tool supports over a thousand data types (graphics, video, audio,
documents, etc.) and it is very intuitive (little knowledge is necessary to
recover data). In addition, the recovery feature is completely free.

Step 1: Perform a scan.

Run the Recuva application and follow the wizard. You will be prompted with
several windows allowing you to choose what file types to look for, which
locations should be scanned, etc. All you need to do is select the options
you're looking for and start the scan. We advise you to enable the "Deep Scan"
before starting, otherwise, the application's scanning capabilities will be
restricted.



Wait for Recuva to complete the scan. The scanning duration depends on the
volume of files (both in quantity and size) that you are scanning (for example,
several hundred gigabytes could take over an hour to scan). Therefore, be
patient during the scanning process. We also advise against modifying or
deleting existing files, since this might interfere with the scan. If you add
additional data (for example, downloading files/content) while scanning, this
will prolong the process:



Step 2: Recover data.

Once the process is complete, select the folders/files you wish to restore and
simply click "Recover". Note that some free space on your storage drive is
necessary to restore data:




CREATE DATA BACKUPS:

Proper file management and creating backups is essential for data security.
Therefore, always be very careful and think ahead.

Partition management: We recommend that you store your data in multiple
partitions and avoid storing important files within the partition that contains
the entire operating system. If you fall into a situation whereby you cannot
boot the system and are forced to format the disk on which the operating system
is installed (in most cases, this is where malware infections hide), you will
lose all data stored within that drive. This is the advantage of having multiple
partitions: if you have the entire storage device assigned to a single
partition, you will be forced to delete everything, however, creating multiple
partitions and allocating the data properly allows you to prevent such problems.
You can easily format a single partition without affecting the others -
therefore, one will be cleaned and the others will remain untouched, and your
data will be saved. Managing partitions is quite simple and you can find all the
necessary information on Microsoft's documentation web page.

Data backups: One of the most reliable backup methods is to use an external
storage device and keep it unplugged. Copy your data to an external hard drive,
flash (thumb) drive, SSD, HDD, or any other storage device, unplug it and store
it in a dry place away from the sun and extreme temperatures. This method is,
however, quite inefficient, since data backups and updates need to be made
regularly. You can also use a cloud service or remote server. Here, an internet
connection is required and there is always the chance of a security breach,
although it's a really rare occasion.

We recommend using Microsoft OneDrive for backing up your files. OneDrive lets
you store your personal files and data in the cloud, sync files across computers
and mobile devices, allowing you to access and edit your files from all of your
Windows devices. OneDrive lets you save, share and preview files, access
download history, move, delete, and rename files, as well as create new folders,
and much more.

You can back up your most important folders and files on your PC (your Desktop,
Documents, and Pictures folders). Some of OneDrive’s more notable features
include file versioning, which keeps older versions of files for up to 30 days.
OneDrive features a recycling bin in which all of your deleted files are stored
for a limited time. Deleted files are not counted as part of the user’s
allocation.

The service is built using HTML5 technologies and allows you to upload files up
to 300 MB via drag and drop into the web browser or up to 10 GB via the OneDrive
desktop application. With OneDrive, you can download entire folders as a single
ZIP file with up to 10,000 files, although it can’t exceed 15 GB per single
download.

OneDrive comes with 5 GB of free storage out of the box, with an additional 100
GB, 1 TB, and 6 TB storage options available for a subscription-based fee. You
can get one of these storage plans by either purchasing additional storage
separately or with Office 365 subscription.

Creating a data backup:

The backup process is the same for all file types and folders. Here's how you
can back up your files using Microsoft OneDrive.

Step 1: Choose the files/folders you want to backup.



Click the OneDrive cloud icon to open the OneDrive menu. While in this menu, you
can customize your file backup settings.



Click Help & Settings and then select Settings from the drop-down menu.



Go to the Backup tab and click Manage backup.



In this menu, you can choose to backup the Desktop and all of the files on it,
and Documents and Pictures folders, again, with all of the files in them. Click
Start backup.

Now, when you add a file or folder in the Desktop and Documents and Pictures
folders, they will be automatically backed up on OneDrive.

Folders and files outside the locations shown above have to be added manually.



Open File Explorer and navigate to the location of the folder/file you want to
backup. Select the item, right-click it, and click Copy.



Then, navigate to OneDrive, right-click anywhere in the window and click Paste.
Alternatively, you can just drag and drop a file into OneDrive. OneDrive will
automatically create a backup of the folder/file.



All of the files added to the OneDrive folder are backed up in the cloud
automatically. The green circle with the checkmark in it indicates that the file
is available both locally and on OneDrive and that the file version is the same
on both. The blue cloud icon indicates that the file has not been synced and is
available only on OneDrive. The sync icon indicates that the file is currently
syncing.



To access files only located on OneDrive online, go to the Help & Settings
drop-down menu and select View online.



Step 2: Restore corrupted files.

OneDrive makes sure that the files stay in sync, so the version of the file on
the computer is the same version on the cloud. However, if ransomware has
encrypted your files, you can take advantage of OneDrive’s Version history
feature that will allow you to restore the file versions prior to encryption.

Microsoft 365 has a ransomware detection feature that notifies you when your
OneDrive files have been attacked and guides you through the process of
restoring your files. Note, however, that without a paid Microsoft 365
subscription you only get one detection and file recovery for free.

If your OneDrive files get deleted, corrupted, or infected by malware, you can
restore your entire OneDrive to a previous state. Here’s how you can restore
your entire OneDrive:



1. If you're signed in with a personal account, click the Settings cog at the
top of the page. Then, click Options and select Restore your OneDrive.

If you're signed in with a work or school account,  click the Settings cog at
the top of the page. Then, click Restore your OneDrive.

2. On the Restore your OneDrive page, select a date from the drop-down list.
Note that if you're restoring your files after automatic ransomware detection, a
restore date will be selected for you.

3. After configuring all of the file restoration options, click Restore to undo
all the activities you selected.

The best way to avoid damage from ransomware infections is to maintain regular
up-to-date backups.




ABOUT THE AUTHOR:



Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of
over 10 years working in various companies related to computer technical issue
solving and Internet security. I have been working as an author and editor for
pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about
the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security
researchers help educate computer users about the latest online security
threats. More information about the company RCS LT.

Copyright © 2007-2023 PCrisk.com. Any redistribution or reproduction of part or
all of the contents in any form is prohibited.