Mpal ransomware

Mpal ransomware is the malicious program that encrypts personal files with the purpose of blackmailing victims

Mpal ransomware

Mpal ransomware

Mpal ransomware – the cryptovirus that adds .mpal extension to affected data and then displays the message with an offer to decrypt files after the cryptocurrency payment is made. Criminals that develop this virus and other versions of Djvu ransomware prefer Bitcoin cryptocurrency. Also, this family is known for releasing new versions constantly. This is achieved because not many things get changed in the coding, and other features like ransom note file _readme.txt or contact emails remain the same for a while.

Even though Mpal ransomware virus is the first one that came out in May 2020, it is the 223rd in this ransomware family in general. This is a threat that researchers know about and try to monitor as much as possible because of the current activity status of these campaigns and attacks. Unfortunately, the family was decryptable for a while before, but not anymore because previously useable STOPDecrypter is no longer supported. Malware creators changed the coding and methods of encryption, key generation, so experts cannot offer easy decryption procedures as before. However, some of the victims can get their files recovered with the help of the Emsisofts Djvu decrypted tool. One thing though, this tool only works for versions that use offline keys. You can determine if the key used in your case is offline or not by checking the ID in the ransom note. If it ends in t1 it is most likely offline-based.

Other versions of the DJVU and STOP ransomware now mostly use an online key generation method that allows forming a unique identification number for each affected device and victim. However, it means that malware makes the connection to a remote server each time it generates this ID, and it is needed for decryption processes too, so victims need to contact criminals to get the tool and the particular decryption key. Any communication is not safe because malware creators may have different purposes and damage your device further or ask for a bigger amount than the ransom note initially states. More on decryption alternatives below the article.

Name Mpal ransomware
Family Djvu/STOP ransomware 
File extension .mpal is the particular appendix that comes at the end of the original name of the document or an image. This randomized extension is placed after the file-type determining appendix and indicates which files got encrypted. All the data becomes unopenable and useless after encoding
Ransom note _readme.txt is the file that delivers instructions for the malware victim. This file gets placed on the desktop the second data gets encoded
Contact information [email protected] and [email protected]
Distribution The family particularly is known for spreading malicious payloads via files that include scripts of the malware. Such data can be included on the email as an attachment or in the packages of pirated software, software cracks, game cheats
Additional features The malware can load secondary payloads of trojans or other malware. Also, this virus creates hosts to control sites that victims can visit, so anti-malware solutions cannot be accessed easily on the web. During some processes like file-locking malware also shows the fake Windows Update window to mask the background processes
Elimination To properly remove Mpal ransomware you should use anti-malware programs that can potentially detect[1] and clear cryptovirus for you
Repair Remember to repair virus damage and recover crucial parts of the system, so this threat can be deleted completely. Find affected or corrupted files with Reimage Reimage Cleaner Intego

Mpal ransomware is focusing on file encryption because when the access to images, documents, or archives is blocked, the user may be more eager to pay the demanded amount of cryptocurrency. Criminals promise to recover those files after the money transfer, but there is a possibility that actors can damage your machine after that. 

Once the ransom note appears on the screen, you can be sure that Mpal ransomware is done with the encryption process. This happens pretty quick, and in most cases, the victim cannot notice anything suspicious. Djvu versions tend to display the Windows Update window or another fake process indication, so the slowness of the machine is not creating suspicions. 

The main payload file of the virus can get dropped in advanced, way before you notice the encryption[2] or other symptoms of Mpal ransomware, so many changes that already get made in the background can affect the performance and cleaning or file recovery processes. The ransom note _readme.txt is placed on the machine as a final stage of the attack because once all the changes get made, the only thing left is to receive payments from victims:


Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID

You need to react to this attack and clear the machine from malware as soon as you receive the money-demanding message. You can remove Mpal ransomware with anti-malware tools, and the sooner you try to do so the better. Ransomware sometimes can delete the main payload after the encryption process is done, but you need to remove all the files related to the intruder before you even try to restore files or add anything new on the computer.  Mpal ransomware virus
Mpal ransomware is the cryptovirus that can be possibly decrypted in some cases.

Mpal ransomware virus
Mpal ransomware is the cryptovirus that can be possibly decrypted in some cases.

Mpal ransomware in addition to file encryption can load trojans that steal malware or run separate scripts that focus on data extraction. There are many details that can be valuable and useful for criminals because there are new tactics of ransomware creators. They focus on getting some sensitive information from people or companies, so non-paying victims can be blackmailed after that.[3] 

These facts about additional malware and changes that threat does besides encryption affect the Mpal ransomware removal significantly because it keeps AV tools, security features, and programs disabled, avoids detection. You may need to enter the Safe Mode before you can run the anti-malware tool properly, but such a method is the best way to get rid of the malware of this type.

Unfortunately, antivirus programs are not capable of recovering encoded files for you, so you need to rely on different methods for the recovery of your damaged data. Mpal ransomware is a powerful virus, so your options are narrow:

  • decryption tool that works for some versions;
  • data backups stored on the cloud or external device;
  • third-party tools designed to restore files;
  • the system features for data recovery.

Your machine should be double-checked before moving on with any of these methods, so the threat is completely terminated, and all you have to do is clear Mpal ransomware virus damage with something like Reimage Reimage Cleaner Intego and repair files corrupted ins system folders. Then you can rely on the more trustworthy method and replace files affected by the virus with safe copies or try to recover encoded ones.  Mpal cryptovirus
Mpal ransomware – the virus that makes files useless and indicates affected data using .mpal appendix.

Mpal cryptovirus
Mpal ransomware – the virus that makes files useless and indicates affected data using .mpal appendix.

Malware spreading methods involving online services and legitimate names of companies

Ransomware typically is delivered via emails since attachments can be injected with malicious macros and scripts leading to direct payload download. Such emails trick people into opening the notification with names of shopping sites, or companies like DHL, FedEx, and so on. Those emails claim about financial information and orders or invoices, so people open documents and enable the content without notice.

Another, more common method that allows malware creators to attack victims – malicious files in particular packages and cheats or cracks. When torrent services offer such activities as getting cheatcodes for video games or cracks for legitimate software, licensed versions, there are many files that get installed. Many people cannot even notice that some executables or other types of data got added, but ransomware is loaded.

You need to pay attention to services, sources you rely on, and be more suspicious about the content you get exposed to and received emails, even though notifications seem legitimate and real.

The cleaning process starts with Mpal ransomware termination

You may need to gather some help for the best results of Mpal ransomware removal because this threat can affect much more than your personal files stored on the computer. When the threat interferes with parts of the system and disables or even damages functions, you need to take care of that damage before you proceed with data recovery.

Also, you need to remove Mpal ransomware completely from the system before you can restore those encrypted files or add copies of them from the backup. Ransomware can possibly run the second wave of encryption and damage those newly added documents or images causing permanent damage of files and even money if you paid for the possible decryption.

Mpal ransomware virus can be cleared once you deleted and terminated the malware using SpyHunter 5Combo Cleaner or Malwarebytes. These security tools or any anti-malware program that detects the intruder can perform the removal for you and clean all the repeated files or programs. Remember to restore parts of the machine using PC repair or optimization software like Reimage Reimage Cleaner Intego before you try to restore encoded files yourself.

Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Remove Mpal using Safe Mode with Networking

Remove Mpal ransomware from the system using the AV tool by rebooting the machine in Safe Mode with Networking first

  • Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8

    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Mpal removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Mpal using System Restore

You may try the System Restore feature for the cleaning purpose because this method allows resetting the machine in a previous state

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Mpal from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Mpal, you can use several methods to restore them:

You can try the Data Recovery Pro as an alternative for file backups or decryption tools

Data Recovery Pro can restore files that get deleted accidentally or affected by the threat like Mpal ransomware

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Mpal ransomware;
  • Restore them.

Windows Previous Versions is the technique that helps with file recovery after ransomware infections

When the System Restore feature gets enabled, you can rely on Windows Previous Versions and restore files affected by Mpal ransomware

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer – the method for file restoring

When Shadow Volume Copies are left untouched, you can possibly rely on ShadowExplorer and restore Mpal ransomware encrypted data

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

There is a decryption tool that can possibly work for some of the Mpal ransomware victims

When Mpal ransomware uses older versions of codes and relies on simpler techniques, you can possibly decrypt data using this DJVU decryption tool

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Mpal and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

This entry was posted on 2020-05-04 at 03:55 and is filed under Ransomware, Viruses.