Remove Merl Virus (.merl file extension). Decrypt .merl files.

If your documents, photos, and other files stop opening, .merl file extension is added at the end of their filename, then your computer is infected with a ransomware virus. When it hits a computer, this malware encrypts all personal files using a very strong hybrid encryption system. After the file is encrypted, the extension ‘.merl’ is added at the end of its name. Like other similar ransomware, Merl’s goal is to force users to buy the decryptor and key needed to decrypt files that have been encrypted.

What is Merl ransomware virus?
Is my computer infected with Merl virus?
How to remove Merl ransomware virus
How to decrypt .merl files
How to recover files encrypted with Merl virus

What is Merl ransomware virus?

Merl virus is a malicious program that belongs to the group of STOP (Djvu) ransomware viruses. This virus can infect almost all modern versions of the operating systems of the Windows family, including Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. It uses a hybrid encryption mode and a long RSA key, which virtually eliminates the possibility of hacking the key. Merl ransomware virus is usually spread through hacked programs, key generators, activators and adware. When a user launches such a program, the computer becomes infected with this ransomware virus.

Merl uses system directories to store its own files. In order to run automatically each time the OS starts, the ransomware creates an entry in the Windows registry section that defines the list of programs that start when the computer is turned on or rebooted.

To determine which key to use for encryption, Merl virus tries to establish a network connection with its command server. The virus transmits information about the infected computer to the server, and receives the encryption key from it. In addition, the command server can transmit additional commands and modules to the virus that will be executed on the victim’s computer.

If the data exchange with the command server was successful, then the virus uses the received encryption key (online key). This key is unique for each infected computer. If Merl could not establish a connection with its server, then a fixed key (offline key) will be used to encrypt the files. This key is the same for all infected computers. This key can be determined by security researchers, which gives hope to the victims of Merl virus, in some cases, to decrypt the files affected by it.

Merl virus can encrypt all files on the victim’s computer, no matter where they are. Files located on the internal drives of the computer, connected external devices and cloud storage can be encrypted. The type of file and its contents are not important for the virus; any file can be encrypted. The only thing is that the virus does not encrypt files located in the Windows system directories, as well as files with the name ‘_readme.txt’.

After the file is encrypted, it will be renamed. The virus adds the .merl extension at the end of its name. In every directory where at least one file has been encrypted, the virus creates a file called “_readme.txt”. Example contents of this file:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-063L4ferhE
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail «Spam» or «Junk» folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
helprestore@firemail.cc

Reserve e-mail address to contact us:
datarestore@iran.ir

Your personal ID:
0192################################################

Merl authors report that the victim’s files are encrypted and the only way to decrypt them is to buy a key and a decryptor, that is, to pay a ransom. Attackers demand $980, if the victim agrees to pay the ransom within 72 hours, then the ransom is reduced to $490. Criminals offer to decrypt one file for free and thus confirm that it is possible that the victim can return all his files. Of course, successful decryption of one file does not guarantee that after the ransom is paid in full, the victim will receive a key and a decryptor.

Threat Summary

Is my computer infected with Merl virus

Determining whether a computer is infected or not is quite easy . Try opening your files, such as documents, photos, music, etc. in relevant programs. If, for example, when you open a document, Windows reports that the file is of an unknown type, then most likely the document is encrypted and the computer is infected. Of course, the presence of files with the extension .merl and files with the name _readme.txt is also a 100% sign of ransomware infection.

How to remove Merl ransomware virus

If you become a victim of Merl virus, then the best way to remove it from your computer is to use malware removal tools. Below we list the utilities that have the ability to find all components of the ransomware and remove them.

Use Zemana Anti Malware to remove Merl virus

Zemana Anti-Malware can find all kinds of malware, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of Merl ransomware, you can easily and quickly remove it.

• Download Zemana setup file called Zemana.AntiMalware.Setup from the following link. Save it on your Desktop.
  Zemana Anti Malware download link
• Run the installer and then follow the prompts to install Zemana on your personal computer.
• During installation don’t make any changes to default settings.
• When setup is done, it will automatically start and update itself.
• Click the “Scan” button to begin scanning your personal computer for Merl file virus. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour.
• After Zemana Anti-Malware (ZAM) has completed scanning your computer, you’ll be shown the list of all detected threats on your computer. Make sure all threats have ‘checkmark’ and press “Next” button to remove the found malware.

Run MalwareBytes Anti-Malware to remove Merl virus

We suggest you to use the MalwareBytes Anti Malware to fully remove Merl file virus. Moreover, this malware removal tool will help you to remove other malicious software, PUPs, toolbars and adware that your machine can be infected too.

• Please go to the link below to download the latest version of MalwareBytes AntiMalware (MBAM).
  Malwarebytes download link
• After downloading is done, run the file called mb3-setup.
• It will open the “Setup wizard” which will help you set up MalwareBytes on the PC system. Follow the prompts.
• Once installation is complete successfully, click Finish button. Then MalwareBytes will automatically run and you can see its main window.
• Click the “Scan Now” button to perform a system scan with this utility for Merl virus related folders,files and registry keys.
• Once the scan get finished, MalwareBytes will open a scan report. When you are ready, click “Quarantine Selected” button.

Remove Merl virus with Kaspersky virus removal tool

Kaspersky virus removal tool (KVRT) is a free portable program that scans your computer for ransomware and allows delete it easily. Moreover, it will also help you remove other malicious software.

How to decrypt .merl files

Since Merl virus belongs to Stop (djvu) ransomware, ‘STOP (djvu) decryptor’ can be used to decrypt .merl files. STOP (djvu) decryptor is a free tool that is created by Emsisoft to decrypt files that were encrypted by malware belonging to Stop ransomware family.

Emsisoft decryptor for stop djvu

How to use STOP (Merl) decryptor to decrypt .merl files

• Visit the page linked below to download Merl decryptor
  STOP Djvu decryptor
• Scroll down to ‘New Djvu ransomware’ section.
• Download the ‘decrypt_STOPDjvu.exe’ file to your desktop.
• Run decrypt_STOPDjvu.exe
• Select the directory or drive where the encrypted files are located.
• Click the Decrypt button.

How to recover files encrypted with Merl virus

Unfortunately, free Merl decryptor is not always able to decrypt files. But even in this case, it is possible to restore the contents of encrypted files. Below in this article we will give several ways, please try all of them. Perhaps one of them will allow you to completely restore the files, or rather, return them to their original state, to the state that was before their encryption.

At this stage, I want to emphasize that before recovering files, you must definitely check your computer for viruses, find and remove malware that encrypted your files. The only way to skip this step is to get the disk with encrypted files and connect it to another computer, then use it to restore your files. Attention, using a disk on another computer, there is a small chance that you accidentally infect that computer with this virus.

Restore .merl files using ShadowExplorer

To restore documents, photos, databases and other important files, that is, practically “decrypt .merl files without a key,” we first recommend using a free program called ShadowExplorer. If you have not come across this program, then here is some information about it. It is a small utility that allows you to easily access copies of files that are created automatically by a standard Windows function called ‘Windows Previous Versions’.

Download the program using the link that you can find below. We recommend that you save the downloaded file to your desktop, so you can easily find it after the download is complete.

ShadowExplorer

When the program download is complete, you will see a file called ShadowExplorer-0.9-portable.zip. The utility is in the archive, so you need to unzip the archive before starting the program. Right-click on this file and select the option called Extract All. Now open folder ShadowExplorerPortable.

In the list of files, find the ShadowExplorerPortable program and run it.

The main program window will open before you, as in the following example. The main window is divided into two parts – left and right. In the left part of the window, select the drive on which the encrypted files are located and select the date closest to the moment when the virus attacks your computer, encrypts the files and has changed the file extension to .merl. In the right part of the window, select the file you want to restore, then right-click on it.

A small pop-up menu will open before you, select Export in it. In the next window, select the directory where the recovered files will be saved.

What else do I want to say about the process of recovering encrypted files using the ShadowExplorer tool. Unfortunately, very often ransomware disable the Windows Previous Versions function and delete all saved copies of files. Therefore, after starting the ShadowExplorer, you may find that it is impossible to recover files. In this case, use another method of recovering encrypted .merl files, which is given below.

Restore .merl files using PhotoRec

Another way to recover encrypted .merl files is the ability to use utilities designed to find and recover accidentally deleted and lost data. We recommend that you use the free PhotoRec tool. It is one of the best and has already helped readers of our site repeatedly recover encrypted files in a seemingly absolutely hopeless situation.

Before using the program, you need to download it. Use the link below.

PhotoRec

When the file is downloaded, in the folder where you saved it you will see a file with the name ‘testdisk-7.0.win_.zip’. This file is the archive that contains the PhotoRec. To use the PhotoRec, this archive must be unzipped. Right-click on the file and select the item called Extract All. Open the folder with the name testdisk-7.0, you will see a list of files similar to the one below.

In the contents of the directory that opens, find the file with the name QPhotoRec_Win and run it. You will be shown a window similar to the one in the following figure. This is the main PhotoRec window.

Here you need to select the physical disk and the disk partition (disk name) where the encrypted .merl files are located. Note that in section ‘File System Type’, option ‘FAT/NTFS’ must be selected. Now select the folder where the recovered files will be written. We recommend using a partition or drive that does not contain encrypted files. It is better to use external media. It is very important! Since the PhotoRec restores files that were deleted by the Windows OS, if you restore them to the same drive on which you are trying to find them, a situation may occur when the Windows simply physically overwrites them and you can no longer recover such files.

Next, at the bottom of the window, click File Formats. A small window opens that lists the types of files that the PhotoRec can find and restore.

Leave only those file types that you need to recover selected. For example, if you want to restore images of ‘jpg’ format, then select the file type ‘jpg’. Having decided which files to recover, click OK button.

Having completed the steps listed above, you have made all the settings necessary to search and restore encrypted .merl files. It remains only to click on the Search button. The process of searching and restoring files can take a very long time, be sure not to turn off the computer or restart it. During this process, the program will show the current search location (disk sector), how many and which files were found and restored.

When the file recovery process is complete, click the Quit button. Then open the directory that you previously selected as the place where the recovered files will be written.

Here you will see one or more directories with the name recup_dir (recup_dir.1, recup_dir.2, …). Check these folder to find the files you need. The file name may not be restored, so to find what you need, use file sorting, as well as the standard Windows OS search by file contents.

I hope this information helped you remove Merl virus and restore the encrypted files. If you have any questions or you have information that will help readers of this article, then please add your comment below.