How to Rescue Your PC from Marlboro Ransomware and Decrypt .Oops Files

Many people see the New Year holiday as a time to relax with family and friends, but cyber criminals never stop trying to come up with new ways of extorting money from average PC users and developing new attacks and rogue software. In the first month of the brand new year 2017, ransomware continues to emerge as a top data security threat. Marlboro ransomware was discovered on January 12 this year by a cyber security research group called MalwareHunterTeam. It is unusual to see a malicious ransomware infection using the same name as a leading brand of cigarette.

If you have accidentally fallen victim to this ransomware, this post provides you with the methods that you can use to remove Marlboro ransomware from the infected computer and get the data back.

Download Marlboro Ransomware removal tool

What is Marlboro Ransomware?

When people talk about Marlboro, we always associate it with the best-selling brand of cigarettes in the world, but from this year, cyber hackers give new meaning to it. Marlboro ransomware was initially found on a malware spam campaign spreading dangerous Word documents that have been attached with spam emails. It is a fairly new strain of ransomware, but we have seen such spam campaigns distributing ransomware before and these tricks are still constantly appearing. Spam email messages would include malicious file attachments which are usually in Microsoft Word format. Any user who downloads or opens the malicious payload will get the Marlboro ransomware that blocks the user from accessing most of files on the compromised computer.

Name of Ransomware
Type   Trojan, Malware
Operating System(s) Affected   All editions of Windows
Date of First Time Being Posted to The Internet   12 January 2017
Main Ransomware Behaviors   Attaches to an email message,   Adds keys to the registry,

  Changes the extension of file names to .oops,

  Encrypts files and drops ransom notes

Main Method of Distribution
  Spam email campaigns,     Unsecured websites, 

  Software and system vulnerabilities,

  Social network and instant messaging applications

Ransomware Virus Removal   Restore your computer system,    Scan your PC with recommended malware removal software
Risk of Getting Infected   Losing digital assets like photos, videos and audio files forever,      Losing financial assets

Targeting at Windows users, this ransomware is developed with two separate versions for 32-bit and 64-bit Windows systems. Such hacking technique is commonly used by lots of malicious software such as Trojans horse, adware, or Point-of-sale malware (POS malware), but this is the first time we’ve seen a ransomware uses two different installers according to the particular architecture of different computers. In most situations, once a ransomware infects your system, all critical files are encrypted with strong and complicated encryption technique and it is practically impossible to decrypt them. Fortunately, the author of Marlboro ransomware adopts simplistic encryption and this ransomware is decryptable without paying the ransom.

After getting into the computer, Marlboro will use XOR encryption mode to encrypt users’ files. All encrypted files will be renamed and have .oops extension appended to them. Unlike other ransomware that use random string of numbers and letters to replace the original file name, the .oops file ransomware causes less anxiety as it you can still recognize the original suffix and know what files have been encrypted. Take for example the case of a file named “icon.jpg” will be renamed to “icon.jpg.oops” after the file gets locked by the .oops virus.

Infected by Marlboro

Once the encryption process is finished, the ransomware will drop and open a ransom note in .html format informing users that the files in this computer are all encrypted. To explain what is happening on the computer and how to pay the ransom for getting the data back, this file is explicitly called “_HELP_Recover_Files_.html”. The hacker behind this ransomware attack is demanding a ransom of 0.2BTC ( (around $USD 180) from affected users. Security experts and FBI do not support paying a ransom in a ransomware attack because it doesn’t guarantee that users will get their data back. Paying a ransom not only emboldens current cyber criminals to target more web users, it also offers an incentive for more other criminals to get involved in such type of illegal activities. Once you pay, there is an increased chance that you will be subjected to further attacks. The note will appear as the following:


Besides, it will also drop a file named “deMarlboro” on the user’s desktop to help the user decrypt the files once the demanded ransom gets paid. Based on the file name, it is reasonable to learn the name of this ransomware.



What File extensions Does Marlboro Ransomware Encrypt?


.ARC, .DOC, .DOT, .MYD, .MYI, .NEF, .Ott, .PAQ, .PPT, .RTF, .SQLITE3, .SQLITEDB, .XLS, .aes, .asc, .asf, .asm, .asp, .aspx, .avi, .bak, .bat, .bmp, .brd, .bz2, .class, .cmd, .com, .cpp, .crt, .csr, .csv, .dat, .dbf, .dch, .dif, .dip, .djv, .djvu, .docb, .docm, .docx, .dotm, .dotx, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .ldf, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mpeg, .mpg,.ms11, .not, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .pptm, .pptx, .psd, .qcow2, .rar, .raw, .sch, .sldm, .sldx, .slk, .sql, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar, .tbk, .tif, .tiff, .txt, .tz, .uop, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wks, .wma, .wmv, .xlc, .xlm, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip


How Does Marlboro Ransomware Spread?

Spammers are deploying clever tactics like whaling and spear-phishing these days. Marlboro is capable of retrieving information about the PC that fell victim and send it to C&C servers controlled by cyber criminals. Criminal gangs could use macros to instruct victim’s machine into download code from a remote location and execute any kind of malware, for this reason Microsoft made the feature inactive by default. Every time a user enable the macro, the office application displays user a message to inform about associated risks.

What To Do If Your PC Gets Infected by Marlboro Ransomware?


The automatic remover should be your first choice while you are facing such a serious situation. A professional removal tool may help you to get rid of the ransomware completely. The database of the removal tool keeps daily update and it can remove the malware as long as the malware is detected. Now you can download the free scanner to do a thorough scan for your computer system.


You can get its scan service free of charge. During the process of scan, it will show a list of all detected items including the name, position and other detailed information. You can remove the detected items after the scan completes if you have purchased this product. If the removal is completes but your data is still locked, you can try the next step.



If the antivirus program fail to detect or remove the ransomware or you data cannot be recovered, you can utilize tools like Data Recovery, MiniTool Power Data Recovery Free to recover the corrupt file safely. But this seems not much helpful as you wish by the current evidence we have. If you create the restore point frequently or happen to have the restore point , you can choose to restore the system from the latest system restore point. However, this method can only be done when your restore point remains intact.

This option will take your PC back to an earlier point in time without affecting your files but it will delete the programs, updates and drivers that are appeared on your PC later than the restore point.

Perform a system restore for Windows 7

Step 1 Log in your computer as the administrator.

Step 2 Open Control Panel from Start menu.

control panel windows7

Step3 Click System and Security and click on Restore your computer to an earlier time.

system and security windows7

Restore your computer to an earlier time


Step 4 Press Open System Restore button.

Open system restore windows 7

Step 5 Click on the Next > and you will see a list of the restore point that you have created before. Choose the latest one that before your computer system got infected with CryptoWall 4.0 and then click on Next >.

choose restore point windows 7

Step 6 Confirm your restore point and click on Finish.

Finish windows7

Step 7 Click Yes to confirm your operations and start to restore the system.

Yes windows7

Step 8 The restore is in process.

restore begins windows 7

Step 9 You will see the message during the restore process. The time it takes to complete the whole process is uncertain as it depends on the system condition. You PC will automatically restart when restore finishes.

restore message

Perform a system restore for Windows 8

Step 1 Move your cursor on the screen’s right edge, and then click Search.

Step 2 Enter Control Panel in the search box, and click Control Panel.

control panel windows 7

Step 3 Enter Recovery in the Control Panel search box, and then tap or click Recovery.

Search-ControlPanel-Recovery type



Step 4 Click Open System Restore.


If you are asked for the administrator password, you should enter the password on the box.


Step 5 Click Next > and you will see a list of available restore points that you can choose. You should select the most recent point before the ransomware appeared on the system and click on Next >.


Step 6 Select Finish and click on Yes to start the restore.


Step 7 Now please wait until the restore process get finished. Don’t be surprised if you see your computer restart several times during the restore process.

Perform a system restore for Windows 10

Step 1 Right-click (or press and hold) the Start button, and then select Control Panel.

Step 2 Search Control Panel for Recovery.

Step 3 Select Recovery > Open System Restore > Next.

open system restore-min_zps8mn3pvdj

Step 4 Choose the restore point related to the problematic app, driver, or update, and then select Next > Finish.

show creadted restore point


Step 5 Click on Yes to make confirm for your actions.


A good news for computer users is that security researchers has quickly identified a bug with the ransomware’s encryption routine and created a free decrypter to help victims recover their files. The decrypter for Marlboro ransomware is now available on the Emsisoft website. It has been created by Emsisoft CTO and security researcher Fabian Wosar.

Tips on Protecting Yourself from Ransomware

  • Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
  • Always keep your security software up to date to protect yourself against any new variants of malware.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. A lot of ransomware is distributed in Office documents that trick users into enabling macros. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.

SpyHunter is such a program that protects your computer from file encrypting ransomware programs like Marlboro ransomware and Cerber ransomware family. Advanced security suites often include additional measures that can stop web pages containing malicious software like ransomware from even loading. Currently, this program only provides free malware scanning feature for users who do not activate the registration. Users need to purchase the full version to get good all-round protection for your computer system and remove infections.

Share Button