.MMM Files Virus (TripleM Ransomware v1) - Remove and Restore Files


This article has been created in order to help you by explaining how to remove the TripleM Ransomware virus from your computer and how to restore files that have been encrypted with the .MMM file extension on your PC.

A new ransomware virus, calling itself TripleM ransomware, has been detected by security researchers. The infection’s primary purpose is to get users to perform multiple activities on their computers that end with their important documents, videos and other files no longer being able to be opened. In addition to this, the ransomware adds the .MMM file suffix to the encrypted files. The end goal of the TripleM ransomware is to get the victims to read its ransom note file, named GET_YOUR_FILES_BACK.html, and then pay a hefty ransom fee in order to get their encrypted files restored to normal.

Threat Summary

Name: TripleM Ransomware
Type: Ransomware Virus
Short Description: Similar to its older variant, the TripleM Ransomware v1 aims to encrypt the files on your computer and then asks you to pay ransom in BitCoin in order to get the encrypted files recovered back to their normal state.
Symptoms: Files are encrypted with an added .MMM file extension. A ransom note, called GET_YOUR_FILES_BACK.html, is dropped on the victim’s computer.
Distribution Method: Spam Emails, Email Attachments, Executable files
Detection Tool: See If Your System Has Been Affected by TripleM Ransomware (Malware Removal Tool)
User Experience: Join Our Forum to Discuss TripleM Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.MMM Files Virus – How Does It Infect

The .MMM file ransomware may use different reasons as a pretext to get you to open a malicious file sent via e-mail. Such pretexts often pretend that the message comes from a big company, for instance:

  • DHL.
  • FedEx.
  • eBay.
  • Amazon.
  • LinkedIn.
  • Facebook.
  • PayPal.

In addition to this, the spam messages may pretend that the malware is a legitimate document, such as an invoice or another type of seemingly legitimate file. The file may even be a Microsoft Word document containing malicious macros embedded within it. These are activated once you open the Word file and click on “Enable Editing” to turn on macros.

Another often used replication method that may be utilized by the ones behind the TripleM ransomware virus is uploading the malicious files directly so that victims download them onto their own computers. These malicious files may be hosted on different third-party software-providing websites, like torrent sites or download web pages. Usually the cyber-criminals make the malicious files appear like:

  • Installers for software or games.
  • Key generators.
  • Software License activators.
  • Cracks.
  • Patches.

TripleM Ransomware – How Does it Work?

Once the TripleM ransomware has infected your computer, its malicious payload may be dropped in different Windows system folders, the most often targeted of which are believed to be the following:

  • %Roaming%
  • %AppData%
  • %Temp%
  • %LocalLow%
  • %Local%

Once the TripleM virus has dropped its files, they may be of different file types, for instance:

→.exe; .htm; .hta; .vbs; .dll; .tmp;

The TripleM ransomware is a cryptovirus, meaning that its main purpose is to encrypt the files on your computer and render them unable to be opened. To reach its end goal, the TripleM ransomware may start different activities on your computer, such as modifying the Windows Registry in order to get its malicious files to run when Windows starts. This happens by adding registry strings in the auto-run sub-keys, such as the following:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
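A defender can check the auto-run sub-keys named above for entries that point into the drop folders listed earlier (%AppData%, %Local%, %LocalLow%, %Temp%). The following Python script is an added example, not code from the original article or from the malware: it parses the text format produced by `reg export` and flags any Run/RunOnce/RunServices/RunServicesOnce value whose command path lives under AppData or a Temp folder. The registry dump embedded in the script is constructed sample data; the value names and file names in it are invented for illustration.

```python
import re

# Constructed sample in `reg export` text format (illustration only; the
# value names "updater" and "loader" and their paths are invented).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"updater"="C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"loader"="\"C:\\Users\\victim\\AppData\\Local\\Temp\\x.vbs\""
"""

# Path fragments matching the drop folders the article lists:
# \AppData\ covers %AppData% (Roaming), %Local% and %LocalLow%; \Temp\ covers %Temp%.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\")

# Auto-run sub-keys worth auditing (the article names RunServicesOnce).
AUTORUN_SUFFIXES = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")

# A .reg string value: "name"="data", with \" and \\ escapes inside the quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return a list of (key_path, value_name, data) for each string value."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # section header names the key
        elif current_key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name = m.group(1)
                # Undo the .reg escaping: \" -> " first, then \\ -> \
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                entries.append((current_key, name, data))
    return entries


def audit_autoruns(entries, suspicious_dirs=SUSPICIOUS_DIRS):
    """Return auto-run entries whose command points into a user-writable drop folder."""
    flagged = []
    for key, name, data in entries:
        if not key.lower().endswith(AUTORUN_SUFFIXES):
            continue                          # not an auto-run key, skip
        if any(d in data.lower() for d in suspicious_dirs):
            flagged.append((key, name, data))
    return flagged


if __name__ == "__main__":
    for key, name, data in audit_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"SUSPICIOUS  {key}\\{name} -> {data}")
```

On a real host, the input would come from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" out.reg` (and the sibling keys); note that `reg export` writes UTF-16 with a BOM, so open the file with `encoding="utf-16"` before passing its text to `parse_reg_export`. An entry in a profile folder is not proof of infection on its own, but it is exactly where the article says this family places its payload, so each hit deserves a hash lookup and a look at the file.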

In addition to doing this, the TripleM ransomware infection may also start to delete the backup copies of files on your computer. This activity may start with the malware running a script as administrator in the background, which triggers the Windows Command Prompt to execute the following commands:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
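The command line above is a strong detection opportunity, because deleting every shadow copy and disabling Windows recovery are rarely legitimate in one breath. The Python script below is an added example (not from the article or the malware) showing the detection logic a SOC would run over process-creation events: it parses a handful of constructed, Sysmon-style log lines, matches the three behaviours from the command above with separate rules, and rates a single command line that trips more than one rule as high severity. The log format, hostnames and user names are assumptions made for the example.

```python
import re

# Constructed process-creation events in a simplified Sysmon-like layout
# (hosts, users and the benign commands are invented for this example).
SAMPLE_LOG = """\
2019-03-02 10:14:01 host=WS01 user=alice Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe report.txt
2019-03-02 10:14:07 host=WS01 user=alice Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
2019-03-02 10:20:33 host=WS02 user=bob Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe list shadows
2019-03-02 11:02:10 host=WS03 user=SYSTEM Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit.exe /set {default} recoveryenabled No
"""

# One rule per behaviour in the article's command line. Case-insensitive, and
# tolerant of the ".exe" suffix being present or omitted.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot_status_ignored",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"Image=(?P<image>\S+) CommandLine=(?P<cmd>.*)$"
)


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not an event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def severity(hits):
    """Several anti-recovery actions chained in one command line is the ransomware pattern."""
    return "high" if len(hits) >= 2 else "medium"


def detect(log_text):
    """Scan process-creation events and return one alert per matching command line."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        hits = [name for name, rx in RULES if rx.search(event["cmd"])]
        if hits:
            alerts.append({
                "ts": event["ts"], "host": event["host"], "user": event["user"],
                "rules": hits, "severity": severity(hits), "cmd": event["cmd"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"]} {a["host"]} {a["severity"].upper()} {",".join(a["rules"])}')
```

`vssadmin list shadows` is deliberately left unflagged: listing copies is routine admin work, and the rule set keys on the destructive verbs only. Because the malware launches the whole chain through WMIC, the parent image is `WMIC.exe` rather than `cmd.exe`, which is a useful secondary filter in environments where `vssadmin delete` is occasionally run by backup software.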

Among the files dropped by the TripleM ransomware virus is its ransom note file, called GET_YOUR_FILES_BACK.html. It has the following message to the victims of the virus:

NOT YOUR LANGUAGE? Use Google Translate
What happened to your files?
All of your files were encrypted by a strong encryption with RSA2048
How did this happen?
Specially for your PC was generated personal RSA2048 Key, both public and private.
ALL YOUR FILES were encrypted with the public key, which has been transferred to your PC via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our Server
What do I do?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW and restore your data easy way.
If you have really valuable data, your better not waste your time, because there is no other way to get your files, except payment.
Your personal ID:
Your personal wallet address:

The ransom note appears like the following when opened:

.MMM Ransomware – How Does It Encrypt Files

The TripleM ransomware encrypts files on the infected computer by first scanning for them. This scan results in the ransomware detecting the specific files it wants to encrypt. These are usually files that you use often, such as:

  • Images.
  • Archives.
  • Documents.
  • Audio files.
  • Others

Once the files are encrypted by TripleM ransomware, they receive the .MMM file extension and appear like the following:

The .MMM files virus is also careful not to encrypt files on your computer that may pose a threat to its health, such as system files belonging to Windows.
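Before any recovery attempt it helps to know the extent of the damage: which folders hold .MMM files, which original file types were hit, and where the GET_YOUR_FILES_BACK.html notes were dropped. The Python script below is an added triage example, not code from the article; it builds a small constructed directory tree that mimics an infected user profile (including an untouched Windows\System32 folder, as the paragraph above describes), then walks it and reports the inventory. Only the file name conventions from this article (the .MMM suffix and the ransom note name) are taken from the page; the folder layout and file names are invented.

```python
import os
import shutil
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".mmm"                  # suffix appended to encrypted files
RANSOM_NOTE = "GET_YOUR_FILES_BACK.html"  # note dropped alongside them


def original_name(path):
    """Strip the appended .MMM suffix to get the original file name (inventory only)."""
    if path.lower().endswith(ENCRYPTED_EXT):
        return path[:-len(ENCRYPTED_EXT)]
    return path


def triage(root):
    """Walk root and summarise encrypted files, ransom notes and affected types."""
    encrypted, notes = [], []
    per_dir, original_exts = Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                per_dir[dirpath] += 1
                # Which kind of file this was before encryption (e.g. ".docx")
                original_exts[os.path.splitext(original_name(fn))[1].lower()] += 1
            elif fn == RANSOM_NOTE:
                notes.append(path)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "per_dir": dict(per_dir),
        "original_extensions": dict(original_exts),
    }


def build_sample_tree():
    """Create a constructed tree resembling an infected profile; returns its root."""
    root = tempfile.mkdtemp(prefix="mmm_triage_")
    layout = {
        ("Documents",): ["report.docx.MMM", "budget.xlsx.MMM", RANSOM_NOTE],
        ("Pictures",): ["holiday.jpg.MMM", RANSOM_NOTE],
        # System files are left alone by the malware, per the article.
        ("Windows", "System32"): ["kernel32.dll", "ntoskrnl.exe"],
    }
    for parts, names in layout.items():
        d = os.path.join(root, *parts)
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        report = triage(root)
        print(f'{len(report["encrypted"])} encrypted files, {len(report["notes"])} ransom notes')
        for d, n in report["per_dir"].items():
            print(f"  {n:3d}  {d}")
        print("original types hit:", report["original_extensions"])
    finally:
        shutil.rmtree(root)
```

Run it against a real drive by calling `triage("C:\\Users")` on a copy or a mounted image rather than the live system, and keep the output: the per-directory counts tell you which backups to restore first, and the list of original extensions is a quick sanity check that the infection matches the file types this article says the family targets.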

How to Remove TripleM Ransomware and Restore .MMM Encrypted Files

The TripleM ransomware, just like most malware, should not be underestimated. This is why, to remove it, we advise you to follow the removal instructions underneath this article. They have been created to help you delete the virus files from your PC either manually or automatically. If manual removal is not something you feel confident in, security experts strongly advise removing TripleM ransomware automatically, preferably by downloading advanced anti-malware software that can delete the virus files from your computer completely by scanning for them, and that will also ensure future protection in real time.

If you are looking for ways to restore the files that have been encrypted by this ransomware infection, we advise you to check the alternative methods for file recovery underneath in step “2. Restore files, encrypted by TripleM Ransomware”. They have been created to help you restore as many files as possible without paying ransom to the cyber-crooks, which is strongly inadvisable, because you cannot trust them to recover your files and, in addition, you help support cyber-criminal activity by doing so.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
