Remove MarsJoke Ransomware

How to Remove MarsJoke Ransomware?

Reader recently start to report the following message being displayed when they boot their computer:

Your personal files are encrypted !!!
Your documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the decryption key. If you see the main locker window follow the instructions on the locker. Otherwise, it’s seems that you or you antivirus deleted the locker program. Now you have the last chance to decrypt your files;
Open site hxxp:// or hxxp:// or hxxp:// in your browser. They are public gates to the secret server.
If you have problems with gates, use direct connection:
1.Download Tor Browser from hxxp://
2.In the Tor Browser open the rd7v7mhidgrulwqg.onion
Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable.
3.Copy and paste the following public key in the input form on server. Avoid misprints.
4.Follow the instructions on the server.
These instructions are also saved to the file named ReadMeFilesDecrypt!!!.txt in Documents folder. You can open it and use copy-paste for address and key.

Do you think having your files encrypted is funny? Probably not. However, hackers seem to enjoy locking files a bit too much. MarsJoke is the nth nasty file-encrypting program that’s roaming the Web. Ransomware-type programs are on the rise right now. Our research team comes across new ransomware viruses practically every day. Do you know why? Because ransomware is effective. These infections are clever ways for crooks to steal your money. The MarsJoke virus is no exception. Immediately after it lands on board, the parasite scans your PC. This way, it manages to locate all your personal data. Yes, all of it. Being a typical ransomware infection, MarsJoke is very aggressive and immensely dangerous. This program mainly targets US state/local government organizations. It attacks K-12 educational institutions as well. Of course, that doesn’t mean your computer is safe. Ransomware viruses like this one don’t discriminate. MarsJoke uses the strong AES-256 encrypting algorithm to lock your files. As mentioned, the parasite takes down anything of value it finds on board. Music, pictures, MS Office documents, videos, presentations. There might be some private, precious information stored on your PC. It falls victim to this program too. Do you now see why ransomware has earned the title “most devastating virus”? By encrypting your data, MarsJoke could cause you some serious and irreversible damage. The parasite’s encrypting cipher helps it hold hostage all your information. Once encryption is complete, your files are turned into gibberish. No, your computer won’t be able to read them. You won’t be able to use your data as a result either. MarsJoke adds ReadMeFilesDecrypt!!!.txt files to all folders that contain encrypted data. Those are indeed a lot of folders. What is the purpose of the .txt files, you may ask? They provide detailed payment instructions. Yes, hackers are impudent enough to ask for money.  And no, that’s not all. According to the aggravating ransom note, your files might remain locked forever. To prevent that, you’re supposed to pay a certain sum of money in Bitcoin. Crooks demand 0.7 Bitcoins for the privilege to restore your encrypted information. For those of you unfamiliar with Bitcoin (online currency), that equals about 423 USD. Are you willing to give more than 400 dollars to hackers? If not, ignore the parasite’s empty threats and uninstall this infection on the spot.

How did I get infected with?

Ransomware uses various sneaky methods to get spread online. It usually gets attached to spam emails and lets you do the work. Remember, hackers could send infections straight to your inbox. Delete what you don’t trust and don’t be careless. If you click open the wrong email, you’ll automatically set free some nasty virus . As a result, you’ll end up causing your own machine serious damage. Stay away from spam email attachments, spam emails, bizarre messages, etc. The key to your safety is caution, keep that in mind. Ransomware also travels the Web with the help of other parasites. For instance, MarsJoke might have been assisted by a Trojan horse. Check out the machine for more malicious programs. Cyber parasites get attached to freeware/shareware bundles as well. Make sure you avoid illegitimate programs as they often pose a threat to your security. Don’t hesitate to deselect what you don’t trust and always watch out for malware. The virus might have sneaked in via some corrupted web link, pop-up or torrent. Long story short, the Internet is full of dangers. It is your job to prevent virus installation and to outwit hackers.

remove MarsJoke

Why is MarsJoke dangerous?

There’s a reason why so many people dread ransomware. Such file-encrypting programs get out of hand very quickly and shouldn’t be underestimated. The MarsJoke virus denies you access to your very own private data. This pest of a program also plays mind games with you. As mentioned, MarsJoke is aiming at your bank account. You’re now involved in a dangerous cyber fraud which may cost you lots of money. Simply ignore hackers’ nasty payment instructions and don’t let them scam you. Even if you follow all of crooks’ commands, you might still receive absolutely nothing. That is because hackers are interested in stealing money, not in restoring files. They promise you a decryptor but just don’t deliver. To prevent getting blackmailed, keep your Bitcoins and delete this virus. Please follow our manual removal instructions down below.

MarsJoke Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover MarsJoke Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.


  • Locate any suspicious processes associated with MarsJoke encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate MarsJoke encryption Virus startup location

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

windows system restore

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.

Leave a Comment