
Remove M0on/Crypute Ransomware and Restore .m0on Encrypted Files

A ransomware virus that uses the .m0on file extension to mark encrypted files has been reported to cause havoc on user PCs. The virus is also known as Crypute and uses the Advanced Encryption Standard (AES) algorithm to encrypt videos, pictures, audio files and documents of importance on the computers it infects. At the moment there are several methods by which the .m0on ransomware may spread, and users are warned not to open unexpected e-mail attachments and to check any URLs they deem suspicious. In case of infection with this ransomware, experts advise victims to focus on removing the ransomware and restoring the files themselves instead of paying the ransom.

Threat Summary

Name: M0on
Type: Ransomware
Short Description: The malware encrypts the user's files using a strong encryption algorithm, making direct decryption possible only with a unique decryption key held by the cyber-criminals.
Symptoms: The user may see ransom notes and "instructions". File names are changed and the .m0on file extension is appended.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated form.
Detection Tool: See if your system has been affected by M0on (malware removal tool download).
User Experience: Join our forum to discuss M0on.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

M0on Ransomware – Further Information

How Does M0on Spread?

To cause an infection, M0on may use two primary types of techniques: via URLs or via files. When the virus uses files to infect users, it is widely believed to take advantage of e-mail spam. The spammers send an e-mail pretending to be of utmost importance to the user in order to convince them to open the attachment, which is usually an executable disguised as a document.

But this does not mean that URL-based infections are absent from phishing mails. We have even had cases where the e-mails contain malicious URLs styled to resemble LinkedIn or PayPal buttons, so that the message looks like a genuine one.

What Does M0on Ransomware Do After Infection?

After the user has clicked on the malicious URL or downloaded and executed the fake file, the infection begins. If the executable is not itself the payload (the less likely case), the malware connects to the cyber-criminals' remote host and downloads the payload from there.

Then, the .m0on file extension ransomware uses a very particular trick up its sleeve. It may delete the shadow copies on the infected computer to eliminate any chance of restoring files from local backups:

[Screenshot omitted: the shadow copy deletion command run by the ransomware]

Not only this, but the .m0on variant of Crypute targets most of the commonly used file types when encrypting user files, for example:

  • Video files.
  • Files associated with Microsoft Office.
  • Adobe files (Reader, Photoshop, Illustrator, Elements, etc.)
  • Audio file formats.
  • Database files.
  • Virtual machine files.

→ .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .arw, .as, .as3, .asf, .asp, .asp, .aspx, .asx, .avi, .bat, .bay, .bmp, .cc, .cdr, .cer, .class, .class, .cpp, .cr2, .crt, .crw, .cs, .csv, .dat, .db, .dbf, .dcr, .der, .dll, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxg, .efx, .eps, .erf, .exe, .fla, .flv, .htm, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .jsp, .kdc, .lnk, .m3u, .m3u8, .m4u, .max, .mdb, .mdf, .mef, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .mrw, .msg, .nef, .nes, .nrw, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdb, .pdf, .pef, .pem, .pfx, .php, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .pst, .ptx, .qq, .r3d, .ra, .raf, .rar, .raw, .rb, .rcb, .rtf, .rw2, .rwl, .sdf, .sldm, .sldx, .sql, .sr2, .srf, .srw, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wb2, .wma, .wmv, .wpd, .wps, .x3f, .xla, .xlam, .xlk, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip

After encryption the files have their names changed to a random sequence of the letters "n", "m", "o" and "0", enclosed between "%" symbols. The encrypted files also have the .m0on file extension appended as a suffix, for example:

[Screenshot omitted: a folder of files renamed and suffixed with .m0on]

After encryption, the virus is reported to drop a ransom note to notify the victim of the situation.
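The renaming scheme described above (random n/m/o/0 letters between "%" signs plus the .m0on suffix) gives responders a cheap way to scope an infection before touching any file. The following triage script is an added example, not code from the article or from SensorsTechForum: it classifies file names against an assumed pattern (the article shows the real names only in a screenshot), counts hits per directory over a constructed sample listing, and can walk a real tree such as a mounted disk image.

```python
import os
import re
from collections import Counter

# Assumed rename pattern (the article shows actual names only in a screenshot):
# a run of the letters n, m, o and the digit 0 wrapped in '%' signs, followed
# by the .m0on extension, e.g. %m0onnom0%.m0on
RENAMED_RE = re.compile(r"^%[nmo0]+%\.m0on$", re.IGNORECASE)
SUFFIX_RE = re.compile(r"\.m0on$", re.IGNORECASE)

# Constructed listing of a post-infection user profile; these are sample
# values for the demonstration, not indicators taken from the article.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\%m0onnom0%.m0on",
    r"C:\Users\alice\Documents\%nmo0n%.m0on",
    r"C:\Users\alice\Documents\report_final.docx",
    r"C:\Users\alice\Pictures\%0omnmn0o%.m0on",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Downloads\invoice.pdf.m0on",   # suffix only, name kept
    r"C:\Users\alice\Downloads\notes.txt",
]

def _split(path):
    """Return (parent_dir, file_name) for Windows or POSIX style paths."""
    norm = path.replace("\\", "/")
    parent, _, name = norm.rpartition("/")
    return parent, name

def classify(path):
    """'renamed' for the full pattern, 'suffix' for a bare .m0on suffix, else None."""
    _, name = _split(path)
    if RENAMED_RE.match(name):
        return "renamed"
    if SUFFIX_RE.search(name):
        return "suffix"      # worth a look, but not the documented rename scheme
    return None

def triage(paths):
    """Count hits per category and per parent directory for the given paths."""
    hits, by_dir = Counter(), Counter()
    for p in paths:
        kind = classify(p)
        if kind:
            hits[kind] += 1
            by_dir[_split(p)[0]] += 1
    return hits, by_dir

def scan_tree(root):
    """Walk a real directory tree (e.g. a mounted image) and triage every file."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths)

if __name__ == "__main__":
    hits, by_dir = triage(SAMPLE_LISTING)
    print("hits:", dict(hits))
    for directory, n in by_dir.most_common():
        print(f"{n:4d}  {directory}")
```

Run `scan_tree()` against a copy or read-only mount of the affected volume rather than the live system, so the listing you triage is the same data you later try to restore.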

Remove M0on Ransomware and Restore Encrypted Files

In order to remove M0on ransomware we advise you to follow our removal instructions posted below. In case you have issues performing the removal manually, we urge you to try the automatic removal instructions, which will not only remove the main executable of M0on ransomware, located in the %Temp% folder, but also take care of other malware-related sub-files and objects.

After removing the virus, we advise you to make copies of the encrypted files and try to restore those files with alternative methods, like the ones we suggested in step “2. Restore files encrypted by M0on” below.

Manually delete M0on from your computer

Note! Important notice about the M0on threat: manual removal of M0on requires interfering with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove M0on files and objects
2. Find malicious files created by M0on on your PC

Automatically remove M0on by downloading an advanced anti-malware program

1. Remove M0on with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by M0on
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. Strong believer in basic online-safety education for every user.
