MORTAR Ransomware

MORTAR ransomware targets corporate networks, encrypts files using strong encryption algorithms, and locks victims out of critical data. Once active, it appends a unique victim ID to files and drops a ransom note demanding payment for decryption access.

MORTAR is a dangerous file-locking malware strain designed to disrupt business operations and pressure victims into paying cybercriminals. The ransomware encrypts documents, databases, archives, photos, and other important files using AES-256 and RSA-2048 encryption. Victims typically discover the attack after seeing renamed files and ransom notes named README-[Victim-ID].txt.

Threat Summary	Details
Threat Type	Ransomware, Crypto Virus, File Locker
Encrypted File Extension	Unique victim ID extension (example: .4RcrXfvVksS5ACA)
Ransom Note Filename	README-[Victim-ID].txt
Email Contact	Not specified directly; uses Tor-based communication portal
Detection Names	Win32:Malware-gen, Trojan:Win32/Wacatac.B!ml, WinGo/Filecoder.QV Trojan, Trojan-Ransom.Win32.Agent.gen
Symptoms	Files become inaccessible, renamed extensions appear, ransom note is dropped, system slowdown
Damage	Permanent file encryption, business disruption, possible data theft
Distribution Methods	Phishing emails, malicious attachments, fake updates, cracked software, exposed RDP services
Danger Level	Severe
Removal Tool →	SpyHunter

How Did I Get Infected With MORTAR Ransomware?

MORTAR ransomware spreads through several common malware delivery methods. Attackers often disguise malicious payloads as invoices, documents, software installers, or urgent email attachments.

The most common infection vectors include:

• Phishing emails containing ZIP archives or malicious Office documents
• Fake software updates and cracked applications
• Trojan loaders already present on infected systems
• Malvertising campaigns and compromised websites
• Exploited Remote Desktop Protocol (RDP) credentials
• Unpatched vulnerabilities in internet-facing services

Corporate environments are especially vulnerable because attackers frequently use stolen administrator credentials to move laterally across networks before deploying the ransomware payload.

What MORTAR Ransomware Does to Your Files

Once executed, MORTAR scans the system and connected network locations for valuable data. It encrypts files using a combination of AES-256 and RSA-2048 cryptography, making recovery extremely difficult without the attackers’ decryption key.

Files receive a unique victim-based extension. For example:

• document.docx → document.docx.4RcrXfvVksS5ACA
• photo.jpg → photo.jpg.4RcrXfvVksS5ACA

After encryption, the ransomware drops a text ransom note that instructs victims to visit a Tor website for payment negotiations.

MORTAR may also attempt to:

• Disable security tools
• Delete shadow volume copies
• Prevent backup restoration
• Encrypt shared network drives
• Interfere with recovery environments

The ransomware’s primary goal is operational disruption and financial extortion.

Should You Be Worried About MORTAR?

Yes. MORTAR ransomware represents a severe cybersecurity threat, especially for organizations with poorly segmented networks or weak backup strategies.

Even if victims pay the ransom, there is no guarantee attackers will provide a working decryptor. Many ransomware operators disappear after receiving payment or provide broken recovery tools.

Additional risks include:

• Permanent data loss
• Business downtime
• Exposure of sensitive information
• Regulatory compliance violations
• Secondary malware infections

Removing MORTAR from the infected system is critical to stop further encryption activity. However, malware removal alone does not decrypt already locked files. Recovery is only possible through clean backups or future decryptor releases if researchers discover flaws in the ransomware’s encryption implementation.

Ransom Note Dropped by MORTAR

MORTAR creates ransom notes named:

README-[Victim-ID].txt

The note informs victims that attackers infiltrated the network and encrypted all files. It claims the only way to restore data is to purchase a decryption utility through a Tor portal.

The note typically includes:

• A Tor website address
• Login credentials
• Instructions for contacting attackers
• Warnings against third-party recovery attempts

Notably, the ransom amount is not always specified immediately. Attackers often negotiate payments directly with victims after initial contact.

How to Remove MORTAR Ransomware

Disconnect the infected machine from the network immediately to prevent further spread.

Recommended removal steps:

1. Disconnect internet and local network access
2. Isolate infected devices
3. Boot Windows into Safe Mode
4. Run a full anti-malware scan
5. Remove malicious executables and persistence entries
6. Restore clean backups only after complete malware removal

For automatic detection and removal, use a trusted anti-malware solution:

You should also change all passwords associated with compromised systems and audit network activity for signs of lateral movement.

Conclusion

MORTAR ransomware is a highly destructive file-encrypting malware strain aimed primarily at corporate environments. Its use of AES-256 and RSA-2048 encryption makes file recovery extremely difficult without backups. Organizations should focus on layered defenses, secure backups, strong password policies, and rapid incident isolation to minimize damage from ransomware attacks.

If you discover encrypted files with unusual victim-ID extensions and ransom notes named README-[Victim-ID].txt, isolate the affected systems immediately and begin incident response procedures without delay.

Manual Ransomware Removal Guide

Warning: Manual removal is complex and risky. If not done correctly, it can lead to data loss or incomplete removal of ransomware. Only follow this method if you are an advanced user. If unsure, proceed with Method 2 (SpyHunter Removal Guide).

Step 1: Disconnect from the Internet

1. Unplug your Ethernet cable or disconnect Wi-Fi immediately to prevent further communication with the ransomware’s command and control (C2) servers.

Step 2: Boot into Safe Mode

For Windows Users:

1. For Windows 10, 11:
   • Press Windows + R, type msconfig, and hit Enter.
   • Go to the Boot tab.
   • Check Safe boot and select Network.
   • Click Apply and OK, then restart your PC.
2. For Windows 7, 8:
   • Restart your PC and press F8 repeatedly before Windows loads.
   • Select Safe Mode with Networking and press Enter.

For Mac Users:

1. Restart your Mac and immediately press and hold the Shift key.
2. Release the key once you see the Apple logo.
3. Your Mac will start in Safe Mode.

Step 3: Locate and Terminate Malicious Processes

For Windows Users:

1. Press Ctrl + Shift + Esc to open Task Manager.
2. Look for suspicious processes (e.g., unknown names, high CPU usage, or random letters).
3. Right-click on the process and select End Task.

For Mac Users:

1. Open Activity Monitor (Finder > Applications > Utilities > Activity Monitor).
2. Look for unusual processes.
3. Select the process and click Force Quit.

Step 4: Delete Malicious Files

For Windows Users:

1. Press Windows + R, type %temp%, and hit Enter.
2. Delete all files in the Temp folder.
3. Navigate to:
   • C:\Users\[Your Username]\AppData\Roaming
   • C:\Users\[Your Username]\AppData\Local
   • C:\Windows\System32
4. Look for suspicious files related to the ransomware (random file names, recently modified) and delete them.

For Mac Users:

1. Open Finder and go to Go > Go to Folder.
2. Type ~/Library/Application Support and delete suspicious folders.
3. Navigate to ~/Library/LaunchAgents and remove unknown .plist files.

Step 5: Remove Ransomware from Registry or System Settings

For Windows Users:

Warning: Incorrect changes in the Registry Editor can damage your system. Proceed with caution.

1. Press Windows + R, type regedit, and hit Enter.
2. Navigate to:
   • HKEY_CURRENT_USER\Software
   • HKEY_LOCAL_MACHINE\Software
3. Look for unfamiliar folders with random characters or ransomware-related names.
4. Right-click and select Delete.

For Mac Users:

1. Go to System Preferences > Users & Groups.
2. Click on Login Items and remove any suspicious startup items.
3. Navigate to ~/Library/Preferences and remove malicious .plist files.

Step 6: Restore System Using System Restore (Windows) or Time Machine (Mac)

For Windows Users:

1. Press Windows + R, type rstrui, and hit Enter.
2. Click Next, choose a restore point before the infection, and follow the prompts to restore your system.

For Mac Users:

1. Restart your Mac and hold Command + R to enter macOS Utilities.
2. Select Restore from Time Machine Backup.
3. Choose a backup prior to the ransomware infection and restore your system.

Step 7: Use a Decryption Tool (If Available)

• Visit No More Ransom (www.nomoreransom.org) and check if a decryption tool is available for your ransomware variant.

Step 8: Recover Files Using Backup

• If you have backups on an external drive or cloud storage, restore your files.

---

Automatic Ransomware Removal Using SpyHunter

If manual removal seems too risky or complicated, using a reliable anti-malware tool like SpyHunter is the best alternative.

Step 1: Download SpyHunter

Download SpyHunter from the official link: Download SpyHunter

Or follow the official installation instructions here:
SpyHunter Download Instructions

Step 2: Install SpyHunter

1. Open the downloaded file (SpyHunter-Installer.exe).
2. Follow the on-screen prompts to install the program.
3. Once installed, launch SpyHunter.

Step 3: Perform a Full System Scan

1. Click on Start Scan Now.
2. SpyHunter will scan for ransomware and other malware.
3. Wait for the scan to complete.

Step 4: Remove Detected Threats

1. After the scan, SpyHunter will list all detected threats.
2. Click Fix Threats to remove the ransomware.

Step 5: Use SpyHunter’s Malware HelpDesk (If Needed)

If you are dealing with a stubborn ransomware variant, SpyHunter’s Malware HelpDesk provides custom fixes to remove advanced threats.

Step 6: Restore Your Files

If your files are encrypted:

• Try No More Ransom (www.nomoreransom.org) for decryption tools.
• Restore from cloud storage or external backups.

---

Preventing Future Ransomware Attacks

• Keep backups on an external hard drive or cloud storage.
• Use SpyHunter to detect threats before they infect your system.
• Enable Windows Defender or a trusted antivirus program.
• Avoid suspicious emails, attachments, and links.
• Update Windows, macOS & software regularly.