We are happy to announce that we are releasing a free decryption tool for the Mapo (a GarrantyDecrypt/Outsider variant) ransomware today. We would also like to thank Maciej Kotowicz of Kaspersky’s GReAT for sharing his insights on the ransomware’s encryption process.

Our tool works with encrypted files having the .mapo extension and the following ransom note attached as “MAPO-Readme.txt” file:

Mapo ransomware decryption instruction

1. Make sure that the ransomware is no longer running, it can encrypt your files again, rendering the whole decryption process futile.
2. Download the Mapo Decryptor from https://nomoreransom.cert.pl/static/mapo_decryptor.exe.
3. Obtain the key from by contacting the CERT Polska team. Remember to attach the ransomware note (MAPO-Readme.txt).
4. Run mapo_decryptor.exe (that you downloaded in step 2.) on the infected computer.
5. Click “Yes” in the UAC Window.
   
6. Wait until the decryptor asks for the key with the following message “Input the recovered key”.
7. Decryptor will ask you to provide the key obtained from the service in step 3, copy the key and paste it into the terminal as shown below (right click the title bar first):
   
8. Entering the key and pressing enter will start the decryption process. After the “Press “Enter” to exit…” message, all of your files should be decrypted.
9. If something didn’t work, or not all files were decrypted, don’t hesitate to contact us at [email protected]. Please attach log.txt file, that should be generated next to mapo_decryptor.exe. If you can, attach wrongly decrypted file as well.
10. After decryption and making sure that the files have been decrypted correctly you can safely delete encrypted files.