How to Use McAfee Ransomware Recover (Mr2)

Updated: October 14, 2017

McAfee Ransomware Recover (Mr2) is a framework that supports the decryption of files that have been encrypted by ransomware. Ransomware has evolved into a tremendous threat over the last few years. Such malware installs on your system and encrypts or damages data in a way that, in many cases, is irrecoverable unless you have the decryption key. Consumers may have to pay the malware authors (from a few hundred to perhaps a few thousand US dollars) to obtain the key; failure to do so typically results in permanent loss of data.

The framework will be updated regularly as the keys and decryption logic required to decrypt files held for ransom by criminals become available. The tool is capable of unlocking user files, applications, databases, applets, and other objects encrypted by ransomware.

The framework is intended to be freely available to all, so that anyone in the security community who has decryption keys and decryption logic is spared the burden of developing their own decryption framework.

Installer Details

The ransomware tool comes with two installers:

  1. x86 or 32-bit version for installing on 32-bit Windows OS.
  2. x64 or 64-bit version for installing on 64-bit Windows OS.

Please use the appropriate installer for your operating system.

The installer includes a built-in Uninstaller. The same installer, when run again after installation, gives the user the option to uninstall the software. Users can also navigate through the Windows Uninstallation menu to remove this tool.

The Program Menu

Once the install process is complete, the tool can be found in the Windows program menu under McAfee as well as in the recently added program list.

Running the tool

This product is a command-line tool. To run, click on the filename in the Windows program menu under McAfee or the recently added list.

Commands

The command line lets you download and run the decryption tool, and recover files encrypted by ransomware.

Supported commands:

-help
    Show detailed help about all supported commands.

-list
    Show the list of all decryption tools, with versions, available in the framework's cloud backend.
    Decryption tool versions that are already downloaded and present on the local machine are marked with (**).

-get
    Download the decryption tool with the given name and version from the framework's cloud backend.
    This command may take some time to complete, depending on the size of the decryption tool and its related dependencies.
    Options:
      <name>  Name of the decryption tool. This option is mandatory.
      -ver    Version of the decryption tool to download. Optional; if not specified, the latest version of the decryption tool is downloaded.

-run
    Run the decryption tool with the given name and version. The decryption tool must have been downloaded with the -get command before this command is used.
    This command may take some time to complete, depending on the size of the decryption tool and its related dependencies.
    Options:
      <name>  Name of the decryption tool. This option is mandatory.
      -ver    Version of the decryption tool to run. Optional; if not specified, the latest downloaded version of the tool runs.

-about
    Show the help text of the decryption tool with the given name and version. The decryption tool must have been downloaded with the -get command before this command is used.
    This command may take some time to complete, depending on the size of the decryption tool and its related dependencies.
    Options:
      <name>  Name of the decryption tool. This option is mandatory.
      -ver    Version of the decryption tool. Optional; if not specified, the help text of the latest downloaded version is shown.


Example

Assume your files are encrypted by the Stampado ransomware. After infection, the affected system displays a screen with the email ID to be contacted and a text box in which to enter the unlocking code.

Let’s download and run the “stampado” ransomware decryption tool to recover your files.

  1. Get the list of all ransomware decryption tools by running MfeDecrypt -list.

  2. From the list, pick "stampado" version "1.0.0" and run MfeDecrypt -get stampado -ver 1.0.0 to download the tool.

  3. [OPTIONAL] If you run MfeDecrypt -list again, "stampado" version "1.0.0" is now marked with "**", which means the tool is present on your system.

  4. To see the command options for "stampado" version "1.0.0", run MfeDecrypt -about stampado -ver 1.0.0.

  5. Take the email ID displayed in the Stampado ransomware dialog (for example, FileUnlocker64@mail2tor.com) and pass it to the stampado decryption tool as shown in its help text: MfeDecrypt -run stampado -ver 1.0.0 -args "-e FileUnlocker64@mail2tor.com".

  6. Enter the code the tool displays in the Stampado window to decrypt and recover your files.

Supported Operating Systems

This tool is designed to run on Windows 7 and later versions.

Prerequisites

  1. Make sure your machine has network connectivity.
  2. Before running a specific decryption tool, update your antimalware product to the latest signatures and use it to terminate and quarantine any ransomware still present on your system.
  3. On Windows 7, Windows Vista, and Windows Server 2008, make sure the update described at https://support.microsoft.com/en-us/help/2533623/microsoft-security-advisory-insecure-library-loading-could-allow-remot (Microsoft security advisory on insecure library loading) is installed on your system.
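As an added example that is not McAfee's own code, the prerequisite checks above and the Stampado steps from the Example section combined into one PowerShell script. The MfeDecrypt name, the commands and the -args switch come from the page; that MfeDecrypt.exe is on PATH, that each -list output line holds one tool name, its version and "(**)" when downloaded, and that the tool exits nonzero on failure are assumptions.

```powershell
# Added example, not McAfee's own code: runs the page's Stampado workflow
# (prerequisite checks, -list, -get, -about, -run) as one PowerShell script.
# Assumptions not stated on the page: MfeDecrypt.exe is on PATH (or given via
# -Mfe), each -list line carries name, version and "(**)" when downloaded, and
# MfeDecrypt exits nonzero on failure.
param(
    [string]$Tool     = 'stampado',
    [string]$Version  = '1.0.0',
    [string]$ToolArgs = '-e FileUnlocker64@mail2tor.com',  # email ID from the ransom dialog
    [string]$Mfe      = 'MfeDecrypt'
)

if (-not (Get-Command $Mfe -ErrorAction SilentlyContinue)) {
    throw "$Mfe not found; install Mr2 with the installer matching your OS bitness."
}
# Prerequisite 1: -list and -get talk to the cloud backend, so check for a network.
if (-not [System.Net.NetworkInformation.NetworkInterface]::GetIsNetworkAvailable()) {
    throw 'No network connectivity; -list and -get will fail.'
}
# Prerequisite 2 is manual: update your antimalware product and quarantine the ransomware first.
# Prerequisite 3: Vista/Server 2008 (6.0) and Windows 7 (6.1) need the
# insecure-library-loading update KB2533623 linked from the page.
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 6 -and $os.Minor -le 1) {
    if (-not (Get-HotFix -Id 'KB2533623' -ErrorAction SilentlyContinue)) {
        Write-Warning 'KB2533623 is not installed; install it before running a decryption tool.'
    }
}

# Steps 1 and 3: look in the -list output for this tool version and the "(**)"
# marker that means it is already present on the machine.
$listing = & $Mfe -list 2>&1 | Out-String
$present = ($listing -split "`r?`n") | Where-Object {
    $_ -match [regex]::Escape($Tool) -and $_ -match [regex]::Escape($Version) -and $_ -match '\*\*'
}
# Step 2: download only when the tool version is not already present.
if (-not $present) {
    & $Mfe -get $Tool -ver $Version
    if ($LASTEXITCODE -ne 0) { throw "-get $Tool $Version failed (exit code $LASTEXITCODE)" }
}

# Step 4: show the tool's own help so the expected -args format is confirmed.
& $Mfe -about $Tool -ver $Version
# Step 5: run the tool. PowerShell passes $ToolArgs as one quoted argument, the
# same shape as the page's: MfeDecrypt -run stampado -ver 1.0.0 -args "-e <email>"
& $Mfe -run $Tool -ver $Version -args $ToolArgs
if ($LASTEXITCODE -ne 0) { throw "-run $Tool $Version failed (exit code $LASTEXITCODE)" }
```

Run it from the console that the McAfee program-menu entry opens, passing -ToolArgs with the email ID shown in your own ransom dialog.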

Disclaimer

  1. This tool does generate some network traffic. We do not gather any user or system-specific information.
  2. If a newer version of this framework is available, we recommend that you uninstall the previous version prior to installing any newer version.