
MOTD Virus Remove and Restore .enc Files

This article is written to help you remove MOTD ransomware and restore the .enc files it encrypted, if your computer has been infected by this threat.

A ransomware virus that combines the AES and RSA ciphers has been detected encrypting user files, appending the .enc file extension to them and making them no longer openable. The infection also performs several other modifications, such as dropping a ransom note named motd.txt, in which the cyber-criminals demand that the victim send their unique ID to the e-mail address sook2serit@seznam.cz. The victim is then asked to pay 2 BTC to get the encrypted files back. If your computer has been infected by MOTD ransomware, we advise you to read this article thoroughly.

Threat Summary

Name: MOTD
Type: Ransomware
Short Description: This ransomware encrypts files with the RSA and AES ciphers and then demands a hefty ransom payment.
Symptoms: The user may see ransom notes and “instructions” linking to a web page and a decryptor. File names are changed and the .enc file extension is appended.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript, or an obfuscated drive-by download of the malware itself.
Detection Tool: See if your system has been affected by MOTD (malware removal tool).
User Experience: Join our forum to discuss MOTD.
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

MOTD Ransomware – How Does It Spread

This virus may use several distribution techniques to infect a machine. The primary theory researchers are working on is spam messages sent from various e-mail addresses used by spammers. Such accounts and e-mail spam are the most effective method of spreading ransomware. The messages usually contain either a malicious web link, which causes the infection via a browser redirect, or, in the most common case, a malicious archive with the infection file inside, as in the example below:

As seen above, most spammed messages come with different deceitful texts that trick inexperienced users into opening the attachments, which are either executable files or documents with malicious macros.

Other forms of distribution include malicious downloads, fake update installers, and game cracks, patches and fixes uploaded to suspicious websites.

MOTD Ransomware – Infection Process

Once the user opens the malicious file, the inevitable happens. MOTD ransomware connects to the following remote host:

→ 50.56.221.73

Once connected, the malware downloads its payload, which consists of a malicious executable and may include several other files alongside it. The files may have different names, for example “motd”, and are located in the usually targeted Windows folders:

After this, the ransomware may delete any shadow copies or other backups on the infected machine. This is usually done by running the vssadmin command with administrative privileges.

MOTD ransomware may then perform other modifications on the affected computer, such as modifying the Windows Registry by adding values with custom data. The most commonly targeted registry keys are the ones that run programs on system start-up:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
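The two behaviours described above (shadow-copy deletion via vssadmin and persistence through the Run/RunOnce keys) are what a defender should alert on. The detector below is an added example, not code from the article or from the malware; it runs over constructed Sysmon-style key=value event lines (process creation and registry SetValue) and flags both patterns. The event format and sample lines are assumptions made for the example.

```python
import re
from typing import Dict, List

# Run/RunOnce autostart keys named in the article, matched case-insensitively
# against Sysmon EID 13 TargetObject values (HKLM/HKU prefixes as Sysmon writes them).
AUTORUN_RE = re.compile(
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\', re.IGNORECASE)

# Shadow-copy removal via vssadmin (as in the article) or the equivalent wmic command.
SHADOW_RE = re.compile(
    r'(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)', re.IGNORECASE)

def parse_event(line: str) -> Dict[str, str]:
    """Parse a 'Key=value Key="quoted value"' line into a dict (assumed log format)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def detect(events: List[str]) -> List[Dict[str, str]]:
    """Return one alert per event that deletes shadow copies or writes an autorun value."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        if SHADOW_RE.search(cmd):
            alerts.append({"rule": "shadow_copy_deletion", "image": ev.get("Image", ""),
                           "parent": ev.get("ParentImage", ""), "detail": cmd})
        target = ev.get("TargetObject", "")
        if ev.get("EventType") == "SetValue" and AUTORUN_RE.search(target):
            alerts.append({"rule": "autorun_persistence", "image": ev.get("Image", ""),
                           "parent": "", "detail": f"{target} = {ev.get('Details', '')}"})
    return alerts

# Constructed sample events imitating what a host hit by this ransomware might log;
# these are not real telemetry from an MOTD infection.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet" ParentImage=C:\\Users\\victim\\AppData\\Local\\Temp\\motd.exe',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\\Windows\\System32\\cmd.exe',
    'EventID=13 EventType=SetValue Image=C:\\Users\\victim\\AppData\\Local\\Temp\\motd.exe TargetObject=HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\motd Details="C:\\Users\\victim\\AppData\\Local\\Temp\\motd.exe"',
    'EventID=13 EventType=SetValue Image=C:\\Windows\\explorer.exe TargetObject=HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden Details="DWORD (0x00000001)"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], "|", alert["image"], "|", alert["detail"])
```

The benign "vssadmin list shadows" and the Explorer registry write produce no alert, so the parent process of a flagged vssadmin run is the first thing to pull into the incident timeline.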

MOTD Ransomware – Encryption Process

The encryption process of MOTD is conducted with the assistance of two primary encryption algorithms:

  • Advanced Encryption Standard (AES)
  • Rivest Shamir Adleman (RSA)

The ciphers replace the contents of the original files, more specifically chunks of them, with encrypted data, which renders the files no longer openable. The encrypted files look like the following:

After encryption is complete, the following ransom message is added to notify the user of the situation:

!WARNING!
YOU ARE INFECTED
WITH THE MOST CRYPTOGRAPHIC ADVANCED RANSOMWARE
All your data of all your users, all your databases and all your Websites are encrypted
Send your UID to e-mail: sook2serit@seznam.cz
YOUR UUID IS: {UNIQUE ID}
!WARNING!
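The ransom note above and the .enc extension are the two artifacts a responder can use to scope an infection before touching anything. The script below is an added example, not part of the original article: it walks a directory tree, counts .enc files per folder, and pulls the UID and contact address out of any motd.txt note it finds. The directory layout it builds is a constructed sample, not a real infected disk.

```python
import os
import re
import tempfile
from typing import Any, Dict

NOTE_NAME = "motd.txt"   # ransom note name from the article
ENC_EXT = ".enc"         # extension appended to encrypted files
UID_RE = re.compile(r"YOUR UUID IS:\s*(\S+)")
CONTACT_RE = re.compile(r"Send your UID to e-mail:\s*(\S+)")

def triage(root: str) -> Dict[str, Any]:
    """Walk root and report how far the encryption went and what the note says."""
    report: Dict[str, Any] = {"encrypted_files": 0, "dirs_hit": [],
                              "notes": [], "uid": None, "contact": None}
    hit = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENC_EXT):
                report["encrypted_files"] += 1
                hit.add(os.path.relpath(dirpath, root))
            elif name.lower() == NOTE_NAME:
                report["notes"].append(os.path.relpath(path, root))
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                uid, contact = UID_RE.search(text), CONTACT_RE.search(text)
                if uid:
                    report["uid"] = uid.group(1)
                if contact:
                    report["contact"] = contact.group(1)
    report["dirs_hit"] = sorted(hit)
    return report

def build_sample_tree() -> str:
    """Create a constructed directory layout imitating a hit machine (not a real sample)."""
    root = tempfile.mkdtemp(prefix="motd_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for fname in ("report.docx.enc", "photo.jpg.enc", "untouched.txt"):
        with open(os.path.join(docs, fname), "wb") as fh:
            fh.write(b"\x00" * 16)   # placeholder bytes, not real ciphertext
    note = ("!WARNING!\nYOU ARE INFECTED\n"
            "Send your UID to e-mail: sook2serit@seznam.cz\n"
            "YOUR UUID IS: 0000-CONSTRUCTED-UID\n!WARNING!\n")
    with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write(note)
    return root
```

Run `triage(build_sample_tree())` to see the report; on a real machine point `triage` at the user profile or data drive and record the UID and contact address in the incident report rather than contacting the address.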

Remove MOTD Ransomware and Restore Encrypted .enc Files

To remove MOTD ransomware, we recommend following the removal instructions at the bottom of this article. For maximum effectiveness, malware researchers recommend using an advanced anti-malware tool that will automatically delete this threat.

For file restoration, it is advisable to try the alternative methods mentioned in step “2. Restore files encrypted by MOTD” below, since at this point there is no official decryptor. We will continue to track the threat and update this article if a free decryptor is released in the meantime.

Manually delete MOTD from your computer

Note! Important notice about the MOTD threat: manual removal of MOTD requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove MOTD files and objects
2. Find malicious files created by MOTD on your PC

Automatically remove MOTD by downloading an advanced anti-malware program

1. Remove MOTD with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by MOTD
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
