How to Remove AIR (Makop) ransomware and Restore Encrypted .AIR Files?
Introduction: Inside the World of AIR (Makop) Ransomware
The AIR (Makop) ransomware is one of the more persistent and dangerous ransomware variants in circulation today. A derivative of the Makop/Phobos family, it continues to impact systems globally—particularly targeting Windows Servers, VMware ESXi environments, and network-attached storage (NAS) systems. As a cybersecurity professional, I’ve encountered numerous strains, but AIR (Makop) stands out for its consistent methodology, resilience, and the devastating effect it can have on unprotected systems.
What is AIR (Makop) Ransomware?
AIR (Makop) ransomware is a crypto-malware strain designed to encrypt data and extort victims for decryption keys. It appends a unique ID, attacker email address, and the .AIR extension to affected files, for example:
1.jpg becomes 1.jpg.[2AF20FA3].[xueyuanjie@onionmail.org].AIR
Upon encryption, the malware drops a ransom note titled +README-WARNING+.txt and changes the desktop wallpaper to reinforce the urgency of its demands. Victims are told to contact the attackers via onionmail or mail2tor addresses, and to send two sample files for “free decryption” as proof.
Ransom Note Behavior and Threat Tactics
The ransom note contains several instructions and threats, including:
- Payment instructions (typically in cryptocurrency)
- Warnings against using antivirus or third-party recovery tools
- Threats of permanent data loss if decryption attempts fail
- An ID unique to each infected system for tailored communication
This manipulation reflects a core feature of ransomware-as-a-service (RaaS) ecosystems—deceptive trust-building to encourage payment.
The actual ransom note message is as follows:
```text
****** YOUR FILES HAVE BEEN ENCRYPTED ******
The file structure was not damaged, we did everything possible so that this could not happen.
If you wish to decrypt your files you will need to pay us.

****** YOU CAN WRITE US TO OUR MAILBOXES: xueyuanjie@onionmail.org or xueyuanjie@mail2tor.com ******
****** IF YOU HAVN’T RECEIVED A RESPONSE. WRITE TO JABBER: xueyuanjie@exploit.im ******
Its just a business. We absolutely do not care about you and your deals, except getting benefits.
If we do not do our work and liabilities – nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions (jpg,xls,doc, etc… not databases!)
And low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
After payment we will send to you our scanner-decoder program and detailed instructions for use.
With this program you will be able to decrypt all your encrypted files.

****** ATTENTION ******
DON’T TRY TO CHANGE ENCRYPTED FILES BY YOURSELF !!!
If you will try to use any third party software for restoring your data or antivirus solutions – please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
When writing a letter, please indicate your ID in the subject. Your ID: …
```
Who and What Does It Target?
1. Windows Server Environments
- Exploits RDP vulnerabilities and unpatched software
- Encrypts databases, shared folders, and critical infrastructure
- Utilizes AES and RSA to lock data, demanding ransom post-encryption
2. VMware ESXi Servers
- Targets virtualized infrastructures by attacking ESXi hypervisors
- Encrypts VM disks, effectively halting business operations
- Utilizes lateral movement via tools like PsExec and NLBrute
3. NAS Devices
- Includes QNAP and Synology platforms
- Encrypts SMB/FTP shares critical to SMEs and enterprise backups
Reported and Suspected Victims of Makop/AIR Ransomware
Introducing the AIR (Makop) Decryptor Tool: Your Best Bet for Data Recovery
For those affected, there is a proven and efficient alternative to paying the ransom—our AIR (Makop) Decryptor Tool.
What It Does
This tool identifies and decrypts files encrypted by AIR (Makop), restoring data with no risk of further corruption. It works across Windows, ESXi, and NAS systems—even handling files renamed with full attacker markers (e.g. .AIR, [email], [victim ID]).
Why It Works
- Utilizes secure online key servers and proprietary algorithm mapping
- Requires only the unique victim ID (from ransom note) for decryption
- Works even on large-scale environments, including virtual machines and enterprise servers
How to Use It
- Purchase – Contact us securely via WhatsApp or email
- Launch with Admin Rights – Internet required
- Enter Victim ID – From your ransom note
- Start Decryption – Let the tool recover your files in real-time
Benefits
- Zero risk of data corruption
- Compatible with NAS, ESXi, and Windows
- User-friendly interface with fast, efficient recovery
- Money-back guarantee if the tool fails
Attack Lifecycle of AIR (Makop): MITRE TTP Mapping
| Phase | MITRE Technique | Description |
|---|---|---|
| Initial Access | T1021.001 RDP | Brute force RDP to gain access |
| Execution | T1204.002 User Execution | Phishing via attachments |
| Persistence | T1547.001 Registry Run Keys | Modifies startup entries |
| Defense Evasion | T1070.004 File Deletion | Deletes Volume Shadow Copies |
| Credential Access | T1003 Credential Dumping | Uses Mimikatz |
| Discovery | T1082 System Discovery | Network scanning tools |
| Lateral Movement | T1021.002 SMB & PsExec | Spreads across internal systems |
| Impact | T1486 Data Encryption | Locks all file types, including VM images |
Common Tools Used by Attackers
- Everything.exe – File enumeration
- Mouselock.exe – Disables user interaction
- NS.exe – Network scanning
- mc_hand.exe – Primary payload
- PowerShell – Script execution and automation
- PuTTY / Advanced Port Scanner – Network foothold
- Mimikatz – Credential dumping
- Custom batch scripts – Deletes shadow copies, disables recovery
Identifying an AIR (Makop) Attack
Signs include:
- Files renamed with .AIR and victim ID
- +README-WARNING+.txt notes in multiple folders
- Suspicious outbound connections to C2 servers
- System slowdown due to encryption activity
- Locked administrative shares or inaccessible virtual machines
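The two file-system indicators listed above (the `.AIR` renaming scheme and the `+README-WARNING+.txt` note) are easy to sweep for during triage. The following Python script is an added example for this article, not a tool from the page or from any vendor: it parses filenames that follow the `<name>.[<victim ID>].[<contact address>].AIR` pattern shown earlier, walks a directory tree, and summarizes how many files were renamed, which victim IDs and contact addresses appear, and which folders hold a ransom note. The victim ID is assumed to be hexadecimal (as in the sample `2AF20FA3`), and the sample tree the script builds is constructed test data, not real victim files.

```python
import os
import re
import tempfile
from collections import Counter

# Naming scheme described in the article: <original>.[<victim ID>].[<contact>].AIR
# The victim ID is assumed to be hexadecimal, as in the sample 2AF20FA3.
AIR_NAME_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<victim_id>[0-9A-Fa-f]+)\]\.\[(?P<contact>[^\]]+)\]\.AIR$"
)
RANSOM_NOTE = "+README-WARNING+.txt"


def parse_air_name(filename):
    """Return (original name, victim ID, contact address), or None when the
    filename does not follow the AIR (Makop) renaming scheme."""
    m = AIR_NAME_RE.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("contact")


def scan_tree(root):
    """Walk `root` and collect AIR indicators: renamed-file count, victim IDs
    and contact addresses with occurrence counts, and directories (relative
    to root) that contain a ransom note."""
    summary = {
        "encrypted_files": 0,
        "victim_ids": Counter(),
        "contacts": Counter(),
        "note_dirs": [],
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                summary["note_dirs"].append(os.path.relpath(dirpath, root))
                continue
            parsed = parse_air_name(name)
            if parsed:
                _original, victim_id, contact = parsed
                summary["encrypted_files"] += 1
                summary["victim_ids"][victim_id] += 1
                summary["contacts"][contact] += 1
    summary["note_dirs"].sort()
    return summary


def build_sample_tree():
    """Create a constructed directory layout (not real victim data) that
    mimics what the article describes, and return its path."""
    root = tempfile.mkdtemp(prefix="air_sample_")
    layout = {
        "docs": [
            "report.docx.[2AF20FA3].[xueyuanjie@onionmail.org].AIR",
            "budget.xlsx.[2AF20FA3].[xueyuanjie@onionmail.org].AIR",
            RANSOM_NOTE,
        ],
        "photos": [
            "1.jpg.[2AF20FA3].[xueyuanjie@onionmail.org].AIR",
            "untouched.png",  # a clean file that must not be counted
            RANSOM_NOTE,
        ],
        "archive": ["old.zip"],  # a folder the malware never reached
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = scan_tree(sample)
    print(f"encrypted files: {result['encrypted_files']}")
    print(f"victim IDs: {dict(result['victim_ids'])}")
    print(f"contacts: {dict(result['contacts'])}")
    print(f"ransom notes in: {result['note_dirs']}")
```

Run `scan_tree()` against a mounted share or a forensic copy rather than the live server where possible; the victim ID it extracts is the value the ransom note tells you to quote, and a count of more than one ID or contact address across the same tree is a sign that more than one infection, or more than one variant, touched the data.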
Recovery Options
1. Use Our AIR (Makop) Decryptor Tool
The most reliable method—recover your data safely and affordably.
2. Free Decryptors (if available)
Check sites like NoMoreRansom.org, but note: Makop variants rarely have public decryptors.
3. Restore from Backups
Offline backups stored on separate media (USB, cloud, NAS).
4. Shadow Copy Recovery
Check with vssadmin list shadows, though the ransomware usually deletes the shadow copies before encrypting.
5. Data Recovery Software
Tools like Recuva or PhotoRec can sometimes recover partial files.
How to Protect Against Future Attacks
| Area | Recommended Actions |
|---|---|
| Patching | Apply regular updates to all software and operating systems |
| Access Controls | Enforce MFA and remove unused RDP |
| Network Segmentation | Isolate sensitive infrastructure with VLANs and firewalls |
| Backup Strategy | Follow 3-2-1 rule: 3 copies, 2 types of storage, 1 offsite |
| Endpoint Protection | Deploy EDR tools and updated antivirus |
| Awareness Training | Educate employees on phishing and malware |
| Incident Response | Keep a tested IR plan with pre-assigned roles |
Real-World Impact: Why You Need a Plan
Organizations that suffered from AIR (Makop) attacks faced:
- Multi-day operational shutdowns
- Irrecoverable data loss due to poor backup practices
- Financial loss from ransom payments or breach response
- Reputational damage from leaked customer data
Having a proactive recovery tool like the AIR (Makop) Decryptor in your toolkit can save time, money, and business continuity.
Conclusion
AIR (Makop) ransomware is a formidable cyber threat that continues to evolve. With variants targeting everything from personal PCs to VMware ESXi environments, victims need practical, professional solutions—not empty promises from attackers. Our AIR (Makop) Decryptor tool offers exactly that: a verified, effective method to recover your data without funding cybercrime.
Contact Us To Purchase The AIR (Makop) Decryptor Tool