
MotoxLocker Virus – Remove and Restore Your Files

[Image: MotoxLocker ransom note message in Croatian]

A ransomware crypto-virus that goes by the name of MotoxLocker was discovered by researchers from the MalwareHunterTeam. They claim that the virus is a new variant of the DetoxCrypto ransomware and that it uses the AES algorithm for encryption. Locked files do not get a new extension, and the ransom note is written in Croatian. To see how to remove this ransomware and how you can try to decrypt your files, read the article to the end.

Threat Summary

Name: MotoxLocker
Type: Ransomware, Crypto-Virus
Short Description: The ransomware will encrypt your files with AES encryption, without adding new extensions to them.
Symptoms: The ransomware will display a ransom note in Croatian and ask for around 50 euros for decryption.
Distribution Method: Spam emails, email attachments
Detection Tool: See if your system has been affected by MotoxLocker (malware removal tool)
User Experience: Join our forum to discuss MotoxLocker.

MotoxLocker Virus – Infection

MotoxLocker ransomware probably uses the same distribution methods as its past variants, such as the DetoxCrypto virus. Spam email campaigns distribute the payload file of the ransomware. Such an email will try to convince you that an important message is conveyed in the attached file. The attachment looks like a normal document, but the malicious payload of the virus is contained inside that very file. If you open it, consider your computer infected and your data encrypted.

For this variant, one of the payload droppers is an executable file named “Document.pdf.exe”. You can see its detections on VirusTotal here:

[Image: VirusTotal detections for the MotoxLocker dropper]

Other infection methods for MotoxLocker could also be in use, such as social media networks or file-sharing services. The malware creator could have placed the malicious files on any such platform as an additional infection vector. Be careful when browsing the Web and avoid dubious e-mails, files or links. Check the signature and size of any file you have downloaded and scan it with security software. You can read more ransomware prevention tips in the forum thread on the topic.

MotoxLocker Virus – Inspection

The MotoxLocker cryptovirus is a variant of the DetoxCrypto ransomware and was discovered by the MalwareHunterTeam. Interestingly enough, this variant tries to pass itself off as a security application developed by Trend Micro:

[Image: MotoxLocker code posing as a Trend Micro application]

Image Source: @MalwareHunterTeam

When the MotoxLocker ransomware drops its payload file, it probably creates entries in the Windows Registry to maintain persistence. Those entries set the malware to launch automatically at every boot of the Windows operating system. From then on, your files get encrypted. After all of your files have been encrypted, the virus creates the file containing the ransom message. The ransom note is written entirely in Croatian and describes the payment instructions.
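The disguised dropper name from the infection section and the Run-key persistence described above are both things a defender can check for. The following Python is an added example, not code from the article or from the researchers it cites; it audits a constructed dump of Run-key entries (on a live host the values would be read with `reg query` or the winreg module) and flags double-extension executables and programs launched from user-writable directories. The paths in the sample are hypothetical.

```python
from pathlib import PureWindowsPath

# Document-like extensions attackers place before the real one to disguise
# an executable, as in the article's dropper "Document.pdf.exe".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}
# Locations a legitimately installed autostart entry rarely runs from.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

def is_disguised_executable(filename: str) -> bool:
    """True when an executable extension is preceded by a document one."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DOCUMENT_EXTS)

def executable_from_command(command: str) -> str:
    """Return the program path of a Run-key command line: the quoted first
    token if present, otherwise everything up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]

def audit_run_entries(entries: dict) -> list:
    """Return (value name, program, reason) for suspicious autostart entries."""
    findings = []
    for name, command in entries.items():
        exe = executable_from_command(command)
        reasons = []
        if is_disguised_executable(exe):
            reasons.append("double extension disguises an executable")
        if any(d in exe.lower() for d in USER_WRITABLE_DIRS):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append((name, exe, "; ".join(reasons)))
    return findings

# Constructed sample mimicking HKCU\...\CurrentVersion\Run; paths are hypothetical.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
    "SecurityScan": '"C:\\Users\\bob\\AppData\\Roaming\\Document.pdf.exe"',
    "Updater": "C:\\Users\\bob\\Downloads\\update.exe -q",
}

if __name__ == "__main__":
    for name, exe, reason in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {exe} ({reason})")
```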

[Image: MotoxLocker ransom note message in Croatian]

The original text reads:

Svi važni fajlovi na vašem kompjuteru su zaključani i nemoguće je razbiti enkripciju. NEMOGUĆE JE RAZBITI CryptoLocker. Ako želite fajlove natrag javite se na mail: motox2016@mail2tor.com
NAPOMENA: Nemojte brisati ovaj program jer će biti potreban da bi vratili fajlove. Dobit ćete na mail upute i ključ koji ćete unijeti i svi fajlovi će biti vraćeni. Vrlo jednostavno, samo se javite na mail i dogovorimo se oko povratka fajlove.
Ako pokušate očistit ovaj program ili sami nešto popraviti moguće je da zauvijek oštetite i izgubite podatke zato je najbolje rješenje da se javite.
OTKUPNINA ZA SVE VAŠE FAJLOVE I TRAJNU ZAŠTITU OD SLIČNIH PROVALA JE SAMO 50€. JAVITE SE NA MAIL.

A very rough translation of the ransom message in English would be the following:

All important files on your computer are locked and it is impossible to break the encryption. It is impossible to break this CryptoLocker. If you want the files back, contact us at the mail: motox2016@mail2tor.com
NOTE: Do not delete this program because it will be needed to restore the files. You will receive instructions and a key by mail; enter the key and all the files will be restored. Very simple, just contact us by mail and we will arrange the return of the files.
If you attempt to clean this program or fix something yourself, you may permanently damage and lose your data, so the best solution is to contact us.
THE RANSOM FOR ALL YOUR FILES AND PERMANENT PROTECTION FROM SIMILAR BREAK-INS IS ONLY 50 €. CONTACT THE EMAIL.

The MotoxLocker ransomware sets a decryption price of 50 euros, which is not a lot, but you shouldn’t be tempted to pay under any circumstances. There is no guarantee that you will recover your files. The cybercriminals will just use the money to develop new ransomware and possibly set some of it aside for other criminal activities. The email used as a contact is motox2016@protonmail.com. ProtonMail is an encrypted email service that is also used by other ransomware, such as the new variant of Fantom ransomware, which does not seem related to this cryptovirus.

However, the MotoxLocker virus is part of the DetoxCrypto ransomware family and is by definition related to the following variants:

The encrypted files will not get any new extensions, prefixes or name changes whatsoever. The ransomware uses the military-grade AES encryption algorithm, and encrypted files will be larger than the originals. The malware researcher Michael Gillespie has stated that the ransomware is decryptable. Check below for a possible way to decrypt your data.
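Because MotoxLocker encrypts files in place without renaming them, the extension alone no longer tells you which files were hit. This added Python example (not from the article or the researchers it cites) scans a directory and reports files whose leading bytes no longer match the signature expected for their extension; the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes each document type should start with. Encryption overwrites
# the header with ciphertext, so the check fails even though the file keeps
# its name and extension.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}

def header_mismatch(path) -> bool:
    """True if the extension is known and the first bytes match no signature."""
    path = Path(path)
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is None:
        return False
    with open(path, "rb") as fh:
        head = fh.read(max(len(s) for s in sigs))
    return not any(head.startswith(s) for s in sigs)

def scan_for_encrypted_in_place(root) -> list:
    """Walk a tree and return files whose header no longer fits their extension."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if header_mismatch(full):
                    hits.append(full)
            except OSError:  # unreadable file: skip rather than abort the scan
                continue
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed sample: two intact documents and one PDF overwritten in place."""
    root = tempfile.mkdtemp()
    Path(root, "intact.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    Path(root, "notes.docx").write_bytes(b"PK\x03\x04" + bytes(32))
    Path(root, "locked.pdf").write_bytes(bytes(range(0x80, 0xC0)))  # ciphertext-like
    return root

if __name__ == "__main__":
    for hit in scan_for_encrypted_in_place(build_sample_tree()):
        print("possibly encrypted in place:", hit)
```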

The MotoxLocker ransomware is highly likely to erase all Shadow Volume Copies from the Windows operating system. Continue reading to see how you can try to decrypt some, if not all, of your files and restore them.

Remove MotoxLocker Virus and Restore Your Files

If your computer got infected with the MotoxLocker ransomware, you should have some experience in removing malware. Get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware and follow the step-by-step instructions given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by MotoxLocker.

Manually delete MotoxLocker from your computer

Note! Important notice about the MotoxLocker threat: manual removal of MotoxLocker requires interference with system files and registries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove MotoxLocker files and objects
2. Find malicious files created by MotoxLocker on your PC

Automatically remove MotoxLocker by downloading an advanced anti-malware program

1. Remove MotoxLocker with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by MotoxLocker
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
