How to decrypt .Merry files and remove Merry Christmas ransomware

SpyHunter is a free tool for detecting the virus; to delete malware you need to purchase the full version. More info about SpyHunter, uninstall guide.

Today we will discuss the ransomware called Merry Christmas. This program appeared on the web about a month ago, just before Christmas, and many hoped that, in keeping with its name, it would soon cease to work. When that did not happen, there was speculation that the program may have had in mind the Orthodox Christmas, celebrated by the Julian calendar, which begins on the night of January 13-14. Now, after this date, we can only hope that this program will stop working after the Chinese Christmas, which probably is celebrated just before Chinese New Year. This year, Chinese New Year falls on January 28, so we will soon know the answer. However, most likely the virus will not stop working as long as it remains effective, and will only change its name and slightly change its structure to protect itself from being cracked quickly.

Merry Christmas ransomware

Merry Christmas gets onto users' computers in the traditional way: through fake e-mail notifications. These letters are mainly targeted at office workers: accountants, recruiting managers and other personnel. In this way the hackers try to gain the greatest possible benefit by infecting the networks of large companies. The letters are drafted so as not to arouse suspicion. At the beginning of its existence, the creators of Merry Christmas sent out letters stating that the recipient company had violated some rules of the CCPA, or Consumer Credit Protection Act. The letter had an attached file that was supposed to be a copy of the complaint on which the charge of violation was based. A week later, the virus changed its tactics, and the letters began to take the shape of a subpoena on behalf of a fictitious company or individual. In both cases a file was attached to the letter, and if the recipient opened it, a malicious script launched and downloaded the latest version of Merry Christmas to the computer.

After the virus gets onto the user's computer, it installs itself and scans the computer for files that may contain important information. In addition, the virus collects data on the general configuration of the computer, its applications and running processes. All this information is sent to the C&C server, and then the virus starts to encrypt the data. Encryption is carried out using the well-known RSA and AES algorithms. Data encrypted with these algorithms cannot be decrypted without the key, so the only way to get your data back without paying any money is to wait for the official release of a decryption tool.

Merry Christmas also differs from other ransomware in one more way: it infects the computer with a virus called DiamondFox. This virus is widely used by hackers around the world and is sold on illegal marketplaces for a modest fee. It can perform a variety of tasks, ranging from ordinary espionage and keylogging to taking full control of the user's computer, joining it to a botnet and using it for DDoS attacks and Internet fraud. You can read more about the DiamondFox virus in this article.

Removing a virus from your computer in safe mode involves some operations that may be difficult for novice users. If you are not sure whether you can perform a manual removal with the help of our instructions, we strongly recommend that you use the automatic way to remove the virus with the help of SpyHunter AntiMalware. This program is specifically designed to deal with such viruses and is able to completely clean your PC within 10-15 minutes. You can read the complete information on SpyHunter and try a free scanner by clicking the button below. Download SpyHunter.

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the tab Boot select Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe -> Disable unknown programs in the Startup tab

Startup

Step 3. Check hosts file

Modify the hosts file, which is located in C:\Windows\System32\drivers\etc\.

Hosts file.Step 1

Open the file with Notepad and delete suspicious strings.

Hosts file.Step 2

It has to look like this:

Hosts file.Step 3

Step 4. Scan the system with antiviral scanner

 

Antivirus scanner

Why we recommend SpyHunter antimalware as removal tool

Removes virus fully: all files and even registry keys of malware will be deleted

Protects your system in the future

24/7 free support team


Step 5. Disable Safe mode

Start -> Msconfig.exe -> Disable Safe boot in the Boot tab

Deactivate Safe mode
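The checks from Step 2 and Step 3 can also be done from a PowerShell prompt. The script below is an added example, not part of the original guide or of any tool it mentions; it only reads and changes nothing. It assumes the standard per-user and machine-wide Run registry keys and Startup folders as the places to look, and treats a hosts file that contains nothing but comments and loopback `localhost` lines as clean.

```powershell
# Added example: read-only audit for Step 2 (startup items) and Step 3 (hosts file).

# Step 2a: files in the per-user and all-users Startup folders.
$startupDirs = [Environment]::GetFolderPath('Startup'),
               [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -LiteralPath $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime |
    Format-Table -AutoSize -Wrap

# Step 2b: programs registered under the Run keys (assumed locations, see lead-in).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runEntries = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    foreach ($name in $item.Property) {
        [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
    }
}
$runEntries | Format-Table -AutoSize -Wrap

# Step 3: active hosts entries other than loopback mappings for "localhost".
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopback  = '127.0.0.1', '::1'
$lineNo    = 0
$findings = foreach ($line in Get-Content -LiteralPath $hostsPath) {
    $lineNo++
    # Drop trailing comments and whitespace; skip lines that are then empty.
    $entry = ($line -replace '#.*$', '').Trim()
    if (-not $entry) { continue }

    $fields = $entry -split '\s+'
    $ip     = $fields[0]
    $names  = @($fields | Select-Object -Skip 1)

    # "127.0.0.1 localhost" and "::1 localhost" are harmless; skip them.
    $other = @($names | Where-Object { $_ -ne 'localhost' })
    if ($loopback -contains $ip -and $other.Count -eq 0) { continue }

    [pscustomobject]@{ Line = $lineNo; IP = $ip; Names = $names -join ', ' }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No active hosts entries beyond loopback/localhost.'
}
```

Every line the hosts check prints is a candidate for the manual review described in Step 3; entries you added yourself will appear there too.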

Data recovery is, of course, a priority for any ransomware victim. In this case, we can only suggest methods that do not guarantee success. Each ransomware operates differently, and, depending on the antivirus software, your computer and the rights of the user account, some viruses cannot completely block access to the files. To find out whether you can restore files without paying the ransom, check out the article about how to decrypt files encrypted by ransomware.
