MotoxLocker Virus – Remove and Restore Your Files - How to, Technology and PC Security Forum


A ransomware crypto-virus that goes by the name of MotoxLocker was discovered by researchers from the MalwareHunterTeam. They claim that the virus is a new variant of the DetoxCrypto ransomware and that it uses the AES algorithm for encryption. Locked files do not get a new extension, and the ransom note is written in Croatian. To see how to remove this ransomware and how you can try to decrypt your files, read the article to the end.

Threat Summary

Type: Ransomware, Crypto-Virus
Short Description: The ransomware will encrypt your files with AES encryption, without adding new extensions to them.
Symptoms: The ransomware will display a ransom note in Croatian and ask around 50 euros for decryption.
Distribution Method: Spam Emails, Email Attachments

MotoxLocker Virus – Infection

MotoxLocker ransomware probably spreads in ways similar to its past variants, such as the DetoxCrypto virus. Spam email campaigns distribute the payload file of the ransomware. Such an email will try to convince you that the attached file carries an important message. The attachment will look like a normal document, but it contains the malicious payload of the virus. If you open it, consider your computer infected and your data encrypted.

For this variant, one of the payload droppers is an executable file named “Document.pdf.exe”. Its detections can be seen on VirusTotal.


Other infection methods for MotoxLocker could also be in use, such as social media networks or file-sharing services. The malware creator could have put the malicious files on any such platform as an additional way of infection. Be careful when browsing the Web and avoid dubious e-mails, files or links. Check any file you have downloaded for its signatures and size, and scan it with security software. You can read more ransomware prevention tips in the forum thread.
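The dropper name “Document.pdf.exe” relies on a document extension placed in front of the real, executable one. The following check for that naming pattern is an added example, not code from the original article or from the researchers it cites; the extension lists, the function names and all sample names except the first are constructed for illustration.

```python
import re

# Extensions Windows runs or hands to a script host on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd",
                   "js", "jse", "vbs", "vbe", "wsf", "hta"}
# Extensions a recipient expects to be a harmless document, image or archive.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
              "rtf", "txt", "jpg", "jpeg", "png", "zip"}

def classify_attachment(name):
    """Return 'double-extension', 'executable' or 'ok' for a file name."""
    # Windows drops trailing dots and spaces when it saves the file.
    cleaned = name.strip().rstrip(". ")
    # Undo padding such as "scan.pdf      .exe" that pushes ".exe" out of view.
    cleaned = re.sub(r"\s+\.", ".", cleaned)
    parts = cleaned.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def scan(names):
    """Map each attachment name to its verdict."""
    return {n: classify_attachment(n) for n in names}

# Constructed attachment names; only the first one comes from the article.
SAMPLES = ["Document.pdf.exe", "Document.pdf", "setup.exe",
           "Invoice.PDF      .exe", "notes.v2.txt", "photo.jpg.scr."]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name!r:28} {verdict}")
```

A mail gateway or download folder monitor can quarantine anything classified as `double-extension` and hold `executable` attachments for review.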

MotoxLocker Virus – Inspection

The MotoxLocker cryptovirus is a variant of the DetoxCrypto ransomware and was discovered by the MalwareHunterTeam. Interestingly enough, this variant tries to trick people into believing that it is a security application developed by TrendMicro:


Image Source: @MalwareHunterTeam

When the MotoxLocker ransomware virus drops its payload file, it probably creates entries in the Windows Registry to achieve persistence. Those entries will set the malware to launch automatically with every boot of the Windows Operating System. From then on, your files get encrypted. After all of your files are encrypted, the virus creates the file which contains the ransom message. The ransom note is written entirely in Croatian and describes the payment instructions.


The original text reads:

Svi važni fajlovi na vašem kompjuteru su zaključani i nemoguće je razbiti enkripciju. NEMOGUĆE JE RAZBITI CryptoLocker. Ako želite fajlove natrag javite se na mail:
NAPOMENA: Nemojte brisati ovaj program jer će biti potreban da bi vratili fajlove. Dobit ćete na mail upute i ključ koji ćete unijeti i svi fajlovi će biti vraćeni. Vrlo jednostavno, samo se javite na mail i dogovorimo se oko povratka fajlove.
Ako pokušate očistit ovaj program ili sami nešto popraviti moguće je da zauvijek oštetite i izgubite podatke zato je najbolje rješenje da se javite.

A very rough translation of the ransom message in English would be the following:

All important files on your computer are locked and it is impossible to break the encryption. IT IS IMPOSSIBLE TO BREAK CryptoLocker. If you want your files back, contact us by mail:
NOTE: Do not delete this program because it will be needed to restore the files. You will receive instructions by mail and a key which you will enter, and all files will be restored. Very simple, just contact us by mail and we will arrange the return of the files.
If you try to clean this program or fix something yourself, it is possible that you permanently damage and lose your data, so the best solution is to contact us.
RANSOM FOR ALL YOUR FILES and permanent protection of a similar break-in was only 50 €. CONTACT THE EMAIL.

The MotoxLocker ransomware sets a decryption price of 50 euros, which is not a lot, but you shouldn’t be tempted to pay under any circumstances. No guarantee exists that you will recover your files. The cybercriminals will just use the money to make a new ransomware and possibly put some of the money aside for other criminal activities. The contact email address is hosted on ProtonMail, an encrypted email service that is also used by other ransomware viruses, such as the new variant of Fantom ransomware, which does not seem related to this cryptovirus.

However, the MotoxLocker virus is part of the DetoxCrypto ransomware family and is by definition related to the following variants:

The encrypted files will not have any new extensions, prefixes or name changes whatsoever. The ransomware uses the military-grade AES encryption algorithm, and encrypted files will be larger than the originals. The malware researcher Michael Gillespie has stated that the ransomware is decryptable. Check below for a possible decryption of your data.
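Because locked files keep their original names, finding them has to rely on content rather than extension. The triage below is an added example, not code from the original article or from the researchers it cites; it assumes the encryption overwrites a file from its first byte, and the function names, thresholds and sample data are constructed for illustration.

```python
import hashlib
import math
import os
from collections import Counter

# Leading bytes ("magic numbers") of a few file types users commonly keep.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
MIN_BYTES = 512  # below this, byte entropy is too noisy to judge

def shannon_entropy(data):
    """Bits per byte: near 0 for repetitive data, near 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name, data, threshold=7.5):
    """Classify one file from its name and content."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    high = len(data) >= MIN_BYTES and shannon_entropy(data[:65536]) >= threshold
    if magic is not None:
        # Compressed formats (.docx, .jpg) are high-entropy even when healthy,
        # so an intact header outranks the entropy reading.
        if data.startswith(magic):
            return "intact"
        return "likely-encrypted" if high else "header-mismatch"
    if len(data) < MIN_BYTES:
        return "undetermined"
    return "likely-encrypted" if high else "looks-plain"

def constructed_ciphertext(size=4096):
    """Deterministic stand-in for AES output (constructed, not a real sample)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(size // 32))

def demo():
    text = b"Quarterly figures, constructed sample line.\n" * 100
    samples = {"report.pdf": b"%PDF-1.4\n" + text,
               "photo.jpg": constructed_ciphertext(),
               "notes.txt": text,
               "ledger.txt": constructed_ciphertext(),
               "todo.txt": b"buy milk"}
    return {name: triage(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

Run against copies of the affected folders, the `likely-encrypted` list gives the set of files to hand to a decryptor or restore from backup.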

The MotoxLocker ransomware is highly likely to erase all Shadow Volume Copies from the Windows Operating System. Continue reading to see how you can try to decrypt some, if not all, of your files and turn them back to normal.

Remove MotoxLocker Virus and Restore Your Files

If your computer got infected with the MotoxLocker ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. You should remove the ransomware by following the step-by-step instructions given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by MotoxLocker.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyberspace. Her fascination with IT security began a few years ago when malware locked her out of her own computer.
