Remove MARS ransomware and decrypt locked file

Delete MARS ransomware from PC

MARS ransomware is a computer virus that was discovered by Michael Gillespie. This dubious malware infects a system, locks the files and demands money for fixing them. During encryption, this virus appends the files with “.mars” extension. For example, your photo named as “my_photo.jpg” will be transformed into “my_photos.jpg.mars”. Following to finishing the encryption process, “!!!MARS_DECRYPT.TXT” (it is a ransom money note) can be found in every folder that contains the encrypted files.

The created ransom note contains details like size of ransom, how to pay for it and so on. It informs victims that MARS ransomware has encrypted all type of files including pdf, odt, fbt, mdb, cdr, psd, ods etc and in order to decrypt them users need to purchase decryption tools. The cost of decryption tool is 500$ in BTC. Once payment is done, users may be able to download decryption tools.

Before paying money, users are offered to send 3 encrypted files for test decryption to their email address. Remember that, the size of file is not more than 1mb. After that, users will receive decrypted files and BTC wallet address that should be used to pay money for decryption software. Users are also informed that if they cannot contact MARS developers through the provided email addresses then they can do that via Telegram by contacting mars_dec.

What to do next?

Paying money to MARS ransomware is completely waste of time. This virus is not going to restore your files once you pay money for decryption key. After getting money, hackers close communicating with the users. Therefore, it is strongly recommended not to trust on the cyber hackers behind any ransomware including this. Even if you get decryptor from hackers there is no any surety that it does not contain other threats. So, it is very much important to remove this virus and all its associated files by using powerful malware removal tool.

How to restore files without paying money?

Encryption technique used by MARS ransomware is strong and there is no way of breaking the algorithm without proper decryption key. So, if you want to restore files then you have to use alternative method as paying ransom is not the option. Before you try to recover data you must make sure to delete MARS ransomware from the computer otherwise it will keep encrypting your data or even the backup files. After that, you can easily get back your files by using data recovery software.

Intrusion tactics of MARS ransomware:

The most commonly used method for spreading MARS ransomware and other malware are malspam campaigns. Cyber criminals are most likely to inject malicious products in spam emails as attachments. Such emails seem to be coming from reputable organization such as banking, healthcare etc. Short message is designed that gives a piece of advice to users to open attachments provided on the emails. If the clicking is done, users unknowingly initiate the malicious payload to run and download malware. Moreover, ransomware viruses can also get distributed through unreliable file download sources, Trojans, third party software updating tools or unofficial software activation tools.

Remove MARS ransomware

In order to remove MARS ransomware from the computer, we are going to discuss two possible ways to remove this infection namely manual and automatic removal method. Manual removal process is time-consuming and slight mistake can corrupt the system. So, we suggest our users to use reliable antivirus removal tool that has the capability to remove MARS ransomware and all its associated files immediately from the PC.

Text presented in this ransom note:

All your files have been encrypted with MARS Virus.
Your unique id: –

Our virus encrypted 231 of your office files (xls, xlsx, doc, docx, ppt, pptx, odt, ods, pdf, dwg, psd, dbf, fpt, php, cdr, mdb, accdb).
You can buy decryption for 500$ in Bitcoins.
But before you pay, you can make sure that we can really decrypt any of your files.
The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.

To do this:
1) Send your unique id – and max 3 files for test decryption to [email protected] or [email protected]
2) After decryption, we will send you the decrypted files and a unique bitcoin wallet for payment.
3) Be careful! Fakes are possible in Telegram, never pay until you receive test files after decryption!
4) After payment ransom for Bitcoin, we will send you a decryption program and instructions. If we can decrypt your files, we have no reason to deceive you after payment.

or do this(If you have not received a reply by email):

1) Download and install Telegram Messanger: hxxps:// (for Windows, Linux, macOS)
2) Find user mars_dec
3) Send your unique id – and max 3 files for test decryption.
4) After decryption, we will send you the decrypted files and a unique bitcoin wallet for payment.
5) Be careful! Fakes are possible in Telegram, never pay until you receive test files after decryption!
6) After payment ransom for Bitcoin, we will send you a decryption program and instructions. If we can decrypt your files, we have no reason to deceive you after payment.

Can I get a discount?
    No. The ransom amount is calculated based on the number of encrypted office files and discounts are not provided. All such messages will be automatically ignored.
What is Bitcoin?
Where to buy bitcoins?
    or use
Where is the guarantee that I will receive my files back?
    The very fact that we can decrypt your random files is a guarantee. It makes no sense for us to deceive you.
How quickly will I receive the key and decryption program after payment?
    As a rule, within a few hours, but very rarely there may be a delay of 1-2 days.
How does the decryption program work?
    It’s simple. You need to copy the key and select a folder to decrypt. The program will automatically decrypt all encrypted files in this folder and its subfolders.
I will complain about your Telegram account and mailbox’s..
    God help you. You won’t find us anyway. But many people will be deprived of any opportunity to recover their files.

Do You Suspect Your Computer May Be Infected with ‘MARS ransomware’ & Other Threats? Scan Your Computer for Threats with SpyHunter

Spyhunter is a powerful malware remediation and protection tool designed to help provide users with in-depth system security analysis, detection and removal of a wide range of threats like MARS ransomware as well as a one-on-one tech support service.

For more information, read SpyHunter’s EULA, Threat Assessment Criteria, and Privacy Policy. The scanner you download here is free version and is able to scan your system for possible threat’s presence. however, it requires a 48 hour period to remove detected threats without any charge. if you want not to wait for that period, you will have to purchase its licensed version.

(Data Recovery Solution)

The first recommendation is to recover your encrypted data with backup files you have created. In case there is no backup available, try to restore your encrypted data with data recovery tool suggested here.

Recommended methods for MARS ransomware removal and restore encrypted files

MARS ransomware is very harmful crypto-malware designed to encrypt all types of files including photos, audios, videos, documents and other files, and make them inaccessible. After encryption process, it spreads the ransom note in each folder of your computer that claims the decryption is possible only when you use its data recovery service. We recommended you to please avoid paying demanded ransom money to them.

In that case, you need to remove MARS ransomware and all the related components from PCs immediately and then perform data recovery process. Here, we are discussing about both malware removal and data recovery method that could help you to solve your problem. Ransomware removal method will help to find the location of this nasty crypto-malware in your computer and remove them completely while data recovery method will help you to get back your damaged or locked files in your machine. Let’s go for the solution.

Remove MARS ransomware using “Safe Mode with Networking”

  • Restart your PCs and press “F8” function key multiple times you see the “Advance Boot Options” window
  • Select “Safe Mode with Networking” in the list
  • Now, log in to account with MARS ransomware infection
  • Open your internet browser and download the legitimate anti-malware software. You can download “SpyHunter” anti-malware software that has the ability to delete all types of malware or spyware from machine.
  • Update the anti-malware software and starts the “Full Scan” operation to remove all programs related to MARS ransomware from machine.

Remove MARS ransomware using “Safe Mode with Command Prompt” and “System Restore”

  • Restart your computer and press “F8” function key multiple times until “Windows Advance Options” menu appears

  • Select “Safe Mode with Command Prompt” option in the list

  • Now, type “cd restore” command in command Prompt and hit “Enter” key to execute it

  • After that, type “rstrui.exe” command in command line and hit “Enter” key
  • Once “rstrui.exe” command executed, “System Restore” window will appear
  • Click on “Next” button

  • Choose one of available “Restore Points” and click on “Next”

  • In the confirmation dialog box, click on “Yes” to start “System Restore” process

  • After restoring your computer to previous date, download/install and scan your computer with powerful anti-malware software to eliminate any remaining malicious programs related of MARS ransomware. You can download the powerful antivirus software via “download link” below

Download Spyhunter Anti-Malware Tool

Restore files encrypted by MARS ransomware using “Windows Previous Versions” feature

To restore individual files encrypted by MARS ransomware, follow the steps below:

  • To restore a file, right-click on it and go to “Properties”
  • Select the “Previous Versions” tab
  • If the relevant files has a “Restore Point”, select it and click on “Restore” button

Note: This method is only effective if “System Restore” function was enabled on your Windows operating System. On other hand, some ransomware variants like MARS ransomware are known to remove “Shadow Volume Copies” of the files. So, we can say that this method may not work for data recovery.

Restore files locked by MARS ransomware using “Shadow Explorer”

To restore files, you can use “Shadow Explorer” application. This application allows you to browse the “Shadow Copies” created by Windows OS Shadow Copy Service. “Shadow Explorer” helps if you are unable of access the “Shadow Copies” by default especially in “Windows Home Editions”. Note that “Shadow Copies” can directly be accessed only in Business Ultimate and Enterprise versions.

“Shadow Explorer” provides Volume Shadow copy service and other features including retrieve all the variants of files and folders available, allow to access through shadow copies and show available current copies.

Important Note: This data recovery application is designed to decrypt or recover your files from Shadow copies which is created by “Windows Volume Shadow Copies Service”. But when we talk about MARS ransomware or other harmful ransomware variants, it usually deletes “Shadow volume copies” and any other backup files using malicious tricks. So if System has already been infected with this type of ransomware virus, then you can’t access “Shadow Copies” using this software. Anyway, you can use “Shadow Explorer” if you want and please check if it works.

How to download/install and use “Shadow Explorer” on Windows PCs?

  • Click on “Download” button below to download the “Shadow Explorer” application

Download Shadow Explorer

  • Double-click on “Installer file” or “Downloaded ZIP file” to install this software
  • Once installed, open “Shadow Explorer” as Administrator

  • Now, from the drop down list you can select from one of the available point-in-time Shadow copies

  • You can right-click on any file or folder and export it
  • After that, choose a folder where the files from “Shadow Copies” are saved to

  • In case if a file or folder in the destination folder already exists, “Shadow Explorer” asks for the confirmation before overwriting. Check the box “Do not show this dialog again”, if you don’t want to show this again.
  • There is a button in the settings (File, Settings) to reset this decision

Recovery of files encrypted by MARS ransomware or similar ransomware

If you are unable to recover your lost files by using “System Restore”, “Windows Previous versions features” and “Shadow Explorer”, then you can go for another data recovery solution. As said earlier in most of the cases, ransomware variants like MARS ransomware are capable of deleting “Shadow volume copies” created by Windows OS by default. In this case, you can use “Stellar Data Recovery Software”. This powerful data recovery software is designed to recover all files encrypted by MARS ransomware.

“Stellar Data Recovery Software” is user-friendly software for Windows and Mac OS X based devices that features include RAID and Virtual drive recovery and repairing all types of corrupted files. It works with both non-bootable and encrypted drives. In simple word, we can say that this powerful data recover software does great job.

This powerful recovery software takes less time to recover files locked by MARS ransomware and support all known files type and custom types can be added with advanced options menu. “Stellar Data Recovery Software” recovers emails, photos, audios, videos, documents and etc from any storage media devices like hard drives, SSD, DVD, USB drives, and others

On other hand, it recovers crucial data from missing or deleted partitions of hard drive volume in just few steps. It generates a preview of search results during scan so you get to see all the recoverable files before recovery. This preview result appears on screen in “Tree-View” and deleted list formats.

How to download/install and use “Stellar Data Recovery Software” on Windows PCs?

  • Click on “Download” button below to download “Stellar Data Recovery Software” in your computer

Download Stellar Data Recovery Software

  • Double-click on “Installer file” to install the application
  • Once installed, open “Stellar Data Recovery Software”
  • Select type of data you want to recover. Option: All Data, Office Documents, Folders, Emails, Audios and Videos. And then click on “Next”

  • Now, select he folder location, drive or volume you want to scan for data and click on “Scan”

  • Wait for the completion. Once done, select the files and click on “Recover” button to save your recover files

Related posts

Leave a Comment