MOTD Virus Remove and Restore .enc Files - How to, Technology and PC Security Forum |

MOTD Virus Remove and Restore .enc Files


This article is created to help you remove MOTD ransomware and restore .enc files encrypted by the virus on your computer, if it is infected by this threat.

A ransomware virus using a combination of the AES and RSA ciphers has been detected encoding user files, adding the .enc file extension to them and making them no longer openable. The infection also performs several other modifications, such as dropping a ransom note named motd.txt, in which the cyber-criminals demand that users send their unique ID to an e-mail address. The victim is then told to pay 2 BTC to get the encrypted files back. If your computer has been infected by MOTD ransomware, we advise you to read this article thoroughly.

Threat Summary

Short Description: This ransomware encrypts files with the RSA and AES ciphers, then demands a hefty ransom payment.
Symptoms: The user may see ransom notes and “instructions” linking to a web page and a decryptor. File names are changed and the .enc extension is appended.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript or a drive-by download of the obfuscated malware itself.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only some of them, depending on the situation and on whether you have reformatted your drive.

MOTD Ransomware – How Does It Spread

This virus may use several distribution techniques. The primary vector researchers are currently examining is spam e-mail sent from accounts used by spammers; such accounts and spam campaigns remain the most effective method of infection for ransomware. The messages usually contain either a malicious web link, causing infection via a browser redirect, or, in the most common case, a malicious archive with the infection file inside, as the example below shows:

As seen above, most of the spammed messages come with deceptive text that tricks inexperienced users into opening the attachments, which are either executable files or documents with malicious macros enabled.

Other forms of replication include malicious downloads, fake update installers, and game cracks, patches and fixes uploaded to suspicious websites.

MOTD Ransomware – Infection Process

After the user opens a malicious file belonging to MOTD ransomware, the inevitable happens. The virus connects to the following remote host:


Once connected, the malware downloads the payload, which consists of a malicious executable and may have several other files alongside it. The files may use different names, for example “motd”, and be located in the usually targeted Windows folders:

After this has been done, the ransomware may delete any shadow copies or other backups on the encrypted machine. This is usually achieved by running the vssadmin command with administrative privileges.

After this has been performed, MOTD ransomware may also make other modifications on the affected computer, such as modifying Windows Registry entries by adding values with custom data. The most commonly attacked registry keys are the ones that run programs at system start-up:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
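The two behaviours just described (shadow-copy deletion through vssadmin and a value written under the Run key) are what a defender would look for in endpoint telemetry. The following is an added example, not code from the article or from any vendor: it runs two simple rules over constructed Sysmon-style event lines (process creation, EventID 1; registry value set, EventID 13). The key=value line format, the file names and the paths are assumptions made for the sample.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events, not records from a real infection. The format is a
# simplified key=value rendering of Sysmon process-creation (EventID 1) and
# registry-value-set (EventID 13) records; values containing spaces are quoted.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c dir"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    'EventID=13 TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\motd Details=C:\\Users\\Public\\motd.exe',
    'EventID=13 TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden Details="DWORD (0x00000001)"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Behaviours cited in the article: vssadmin used to delete shadow copies, and a
# value written under ...\CurrentVersion\Run (HKLM or HKEY_LOCAL_MACHINE spelling).
SHADOW_DELETE_RE = re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b', re.IGNORECASE)
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run\\', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values keep their spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a rule name when the event matches a MOTD-style behaviour, else None."""
    if event.get("EventID") == "1" and SHADOW_DELETE_RE.search(event.get("CommandLine", "")):
        return "shadow-copy-deletion"
    if event.get("EventID") == "13" and RUN_KEY_RE.search(event.get("TargetObject", "")):
        return "run-key-persistence"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run both rules over raw event lines and collect the hits with context."""
    hits = []
    for line in lines:
        event = parse_event(line)
        rule = classify(event)
        if rule:
            hits.append({"rule": rule,
                         "subject": event.get("Image") or event.get("TargetObject", ""),
                         "detail": event.get("CommandLine") or event.get("Details", "")})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["rule"]:22} {hit["subject"]}  ->  {hit["detail"]}')
```

The benign "vssadmin.exe list shadows" line and the unrelated Explorer registry value are deliberately included so that only the destructive command and the Run-key write are reported.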

MOTD Ransomware – Encryption Process

The encryption process of MOTD is conducted with the assistance of two primary encryption algorithms:

  • Advanced Encryption Standard (AES)
  • Rivest Shamir Adleman (RSA)

The encryption algorithms replace data in the original files, more specifically chunks of it, with cipher output; once that data is replaced, the files can no longer be opened. The encrypted files look like the following:

After encryption is complete, the following ransom message is added to notify the user of the situation:

All your data of all your users, all your databases and all your Websites are encrypted
Send your UID to e-mail:

Remove MOTD Ransomware and Restore Encrypted .enc Files

For the removal of MOTD ransomware, we recommend following the removal instructions at the bottom of this article. For maximum effectiveness, malware researchers recommend using an advanced anti-malware tool that will automatically delete this threat.

For file restoration, it is advisable to try alternative methods, like the ones in step “2. Restore files encrypted by MOTD” below, since at this point there is no official decryptor. We will continue to track the threat and update this article if a free decryptor is released in the meantime.
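Before trying any recovery method, an inventory of what was hit helps decide where to focus. The following added example (not code from the article) walks a directory tree read-only, counts .enc files by the extension they carried before .enc was appended, and records every folder that holds a motd.txt note. The sample tree is constructed in a temporary directory, and the assumption that the original extension survives in the file name is mine.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

RANSOM_NOTE = "motd.txt"  # note name reported in the article
ENC_SUFFIX = ".enc"       # extension the ransomware appends


def triage(root: str) -> Dict[str, object]:
    """Inventory a tree: list encrypted files, count them by the extension that
    preceded .enc (assumed to survive in the name), and note every directory
    holding a ransom note. Read-only; nothing on disk is modified."""
    encrypted: List[str] = []
    by_ext: Counter = Counter()
    note_dirs: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif lower.endswith(ENC_SUFFIX):
                encrypted.append(os.path.join(dirpath, name))
                original = Path(name[:-len(ENC_SUFFIX)]).suffix.lower()
                by_ext[original or "(no extension)"] += 1
    return {"encrypted": sorted(encrypted), "by_ext": dict(by_ext),
            "note_dirs": sorted(note_dirs)}


def build_sample_tree() -> str:
    """Constructed fixture in a temp dir, not files from a real infection."""
    root = tempfile.mkdtemp(prefix="motd_triage_")
    layout = {
        "docs/report.docx.enc": b"\x00" * 16, "docs/motd.txt": b"note",
        "docs/readme.txt": b"untouched", "db/site.sql.enc": b"\x00" * 16,
        "db/backup.enc": b"\x00" * 16, "db/motd.txt": b"note",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted files; by original type: {result['by_ext']}")
    print("ransom note found in:", result["note_dirs"])
```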


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
