Maktub Ransomware Removal Guide

Maktub Ransomware is an infection that spreads using a malicious EXE file. This file is hidden behind a Notepad icon that the victims of this ransomware download without suspecting a threat. When you open this file, it will take about 20 to 60 seconds for an RTF file (rich text file) to open up. This file is likely to be named after the executable itself, and it provides information about “Updating our privacy policies and terms of service.” This document does not actually provide users with any useful information as it does not mention any specific details. According to our researchers, this file is used as a distraction to initiate the encryption process without alarming you. If you do not recognize a scam, your personal files will be encrypted before you know it, after which, you will be introduced to a list of demands. Unfortunately, deleting Maktub Ransomware will not disable the mess initiated by this threat.

A few minutes after the RTF file appears, all of your Desktop icons will be transferred to a folder named “backup_eqijxri.” Note that this name might be random, and it is most likely to coincide with the extension attached to the encrypted files. Additionally, a window will pop-up (controlled via the same malicious executable) with the “Maktub locker” logo, and this is where the name of the infection comes from. This logo is followed by a WARNING sign in capital letters, as well as a timer that counts down the time you have left to follow the instructions provided to you. Surprisingly, this timer gives 12 hours to fulfill the demands Maktub Ransomware, and that is not common. We have previously analyzed hundreds of ransomware infections, including the latest of them, Better_call_saul Ransomware and Locked Ransomware, and most of them give up to 72 hours to pay a ransom. The urgency of this infection is meant to make computer users panic and do before they think which, unfortunately, is usually beneficial to cyber criminals.

As mentioned previously, the files corrupted by Locked Ransomware might have a random extension attached to them. In our case, it is the .eqijxri extension, and an example of a file encrypted by this ransomware is “windows.jpg.eqijxri”. Needless to say, it will not be challenging to figure out which files are encrypted and which ones are not. Furthermore, you will not be able to open them, which is the greatest proof that they have been encrypted. According to the pop-up notification that automatically appears when the encryption is complete, your files were encrypted using a unique key, and only a decryption key stored in a “secret Internet server” can decrypt your files. The warning also states that this key will be automatically deleted if you do not pay the ransom within the given time. After scaring you, this warning continues listing the steps that you supposedly need to take in order to retrieve the decryption key. Here is an excerpt from the malicious ransomware notification.

Open http://bs7aygotd2rnjl4o.onion.link or
http://bs7aygotd2rnjl4o.torstorm.org or

http://bs7aygotd2rnjl4o.tor2web.org

in your browser. They are public gates to the secret server.

If you have problems with gates, use direct connection:
1) Download TOR Browser from http://torproject.org
2) In the Tor Browser open the http://bs7aygotd2rnjl4o.onion
(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).
Write in the following public key in the input from on server: [public key]

It was found that Maktub Ransomware also creates a file, _DECRYPT_INFO_eqijxri.html, with the instructions that users need to follow to decrypt files. Whether you follow the instructions via this file or the main pop-up window, you will end up in the same spot, which is paying money. You have to think very carefully before you make the final decision because you do not want to be wasting your money for no good reason. Can we guarantee that your files would be decrypted if you followed all of the demands? Unfortunately, we cannot, and this is why you need to be cautious. All in all, regardless of how you proceed now, you need to delete this ransomware from your Windows operating system.

If you want to remove Maktub Ransomware manually, you need to eliminate the malicious executable that continues running once the encryption is completed. If you remove this file successfully, you will have this ransomware erased, but that is not all you need to do. We strongly recommend investing in security software that could help you prevent the attacks of other malicious threats in the future. If you do not implement security software, another malicious threat – even a ransomware – could slither in using an inconspicuous link or installer.

How to delete Maktub Ransomware

1. Launch Task Manager (simultaneously tap Ctrl+Shift+Esc/Ctrl+Alt+Delete).
2. Click the Processes tab and terminate the malicious file process (named after the malicious EXE file).
3. Locate the malicious EXE file, right-click it, and select Delete.
4. Move to the Desktop and Delete the file called "_DECRYPT_INFO_eqijxri.html".