Mobef Ransomware Encrypts With .KEYZ Extension and Uses DES and AES Ciphers - How to, Technology and PC Security Forum |

Mobef Ransomware Encrypts With .KEYZ Extension and Uses DES and AES Ciphers

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

INFECTEDRansomware that uses different encryption techniques, named Mobef has been reported to ask ransom money to give infected users access to the files it encrypts on their computers. Unlike other ransomware infections, Mobef may employ the DES encryption algorithm, suggesting that the malware writers behind it wanted to create a virus that is different and less familiar to researchers and users. However, users should know that unlike AES, the DES algorithm is weaker against brute forcing attacks and file decryption may be possible.

Threat Summary

Short DescriptionThe ransomware encrypts files with the RSA algorithm and AES-128 ciphers and asks a ransom for decryption.
SymptomsFiles are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Mobef


Malware Removal Tool

User ExperienceJoin our forum to Discuss Mobef Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Mobef Ransomware – Distribution

To spread across the web, Mobef is believed to utilize an exploit kit which is quite dangerous. Examples of different exploit kit attacks you may see by visiting the following article. This is why users with non regularly patched software and without experience in browsing and using e-mails safely may be the most likely victims. This may happen via a drive by download when the user has clicked on a malicious web link, such as the one on an example spam e-mail below:


Mobef Ransomware – The Threat In Detail

Once the ransomware has been executed on your computer, it may have the following executables:

  • 33.tmp.exe
  • Ransom.Mobef.A.exe
  • Tmp.exe

Those files may be the executables which encrypt the user data, and this very ransomware may create custom registry entries for them in the following Windows Registry Key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

After doing so, upon system boot, Mobef ransomware may begin to encrypt files that are most widely and commonly used. The encrypted data is with a strong AES and a bit outdated DES encryption algorithms. The ransomware is reported by Symantec Researchers to scan for and encrypt files with the following file extensions:

→ .3ds .4db .4dd .7z .7zip .accdb .accdt .aep .aes .ai .alk .arj .axx .bak .bpw .cdr .cer .crp .crt .csv .db .dbf .dbx .der .doc .docm .docx .dot .dotm .dotx .drc .dwfx .dwg .dwk .dxf .eml .enz .fdb .flk .flka .flkb .flkw .flwa .gdb .gho .gpg .gxk .hid .hid2 .idx .ifx .iso .k2p .kdb .kdbx .key .ksd .max .mdb .mdf .mpd .mpp .myo .nba .nbf .nsf .nv2 .odb .odp .ods .odt .ofx .ost .p12 .pdb .pdf .pfx .pgp .ppj .pps .ppsx .ppt .pptx .prproj .psd .pst .psw .qba .qbb .qbo .qbw .qfx .qif .rar .raw .rfp .rpt .rsa .rtf .saj .sdc .sdf .sef .sko .sql .sqlite .sxc .tar .tax .tbl .tc .tib .txt .wdb .xbrl .xls .xlsm .xlsx .xml .zip

Furthermore, Mobef uses a text file to notify the user and may drop it on the user’s desktop. The text file name contains the date of the infection after which the ”-INFECTION” part is added to the name of the file. It contains the following ransom instructions:

encrypted-files-ransom-note-mobef-sensorstechforum“YourID: {CUSTOM NUMERICAL USER ID}
Your files are now encrypted. I have the key to decrypt them back. I will give you a decrypter if you pay me. Email me at: [email protected] or [email protected]
If you don’t get a reply or if both emails die, then contact me using a guaranteed, foolproof
Bitmessage: download it form here
Run it, click New Identity and then send me a message at {BITMESSAGE BITCOIN ADDRESS}
Cheers”Source:Bleeping Computer

Not only this, but the ransomware may change the wallpaper of the infected user with the very same ransom message:


Users who have had their files encrypted report seeing two types of files in the folders where their files were encrypted:

  • The ransom note text file.
  • A .key file which most likely contains either the public or the private key for the files.

Remove Mobef Ransomware and Restore the Encrypted Files

The removal of Mobef may be rather simple if done via an anti-malware software which will automatically discover the malicious files and remove them. There is also the manual option of finding the malicious .tmp, .exe and other files and deleting them permanently. But then again, you should also make sure to clean up your registry entries.

The decryption of files encoded with DES and AES algorithms is almost impossible, not before a flaw in the code is found. This is why we advise you to follow the step-by-step restoration instructions below that contain alternative methods which go around the direct decryption. In the meantime, you can follow our security forum or updates on our blog in case a free decryption method surfaces.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share