Remove M0on/Crypute Ransomware and Restore .m0on Encrypted Files - How to, Technology and PC Security Forum

Remove M0on/Crypute Ransomware and Restore .m0on Encrypted Files

A ransomware virus that uses the .m0on file extension for the files it encrypts has been reported to cause havoc on user PCs. The virus is also known as Crypute and uses the Advanced Encryption Standard (AES) algorithm to encrypt videos, pictures, audio files and documents of importance on the computers it infects. At the moment there are several methods by which the .m0on ransomware may spread, and users are warned not to open unexpected e-mail attachments and to check any URLs they deem suspicious before following them. In case of infection with this ransomware, experts advise victims to focus on removing the ransomware and restoring their files themselves instead of paying the ransom.

Threat Summary

Short Description: The malware encrypts the user's files with a strong encryption algorithm, so direct decryption is possible only with a unique decryption key held by the cyber-criminals.
Symptoms: The user may see ransom notes and “instructions”. File names are changed and the .m0on file extension is appended.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript or a drive-by download of the obfuscated malware itself.

M0on Ransomware – Further Information

How Does M0on Spread?

To cause an infection, M0on may use two primary types of technique: via URLs or via files. When the virus uses files to infect users, it is widely believed to take advantage of e-mail spam. The spammers send an e-mail that pretends to be of utmost importance to the user in order to convince them to open the attachment, which is usually an executable concealed behind a fake document.

This does not mean that URL-based infections are absent from phishing e-mails. We have even seen cases where the e-mails contain malicious URLs dressed up as fake LinkedIn or PayPal buttons, just like in a genuine e-mail.

What Does M0on Ransomware Do After Infection?

After the user has clicked on the malicious URL or downloaded and executed the fake file, the infection begins: the malware connects to the cyber-criminals' remote host and downloads the payload, unless the malicious executable is itself the payload, which is less likely.

Then, the .m0on file extension ransomware uses a very particular trick up its sleeve. It may delete the shadow copies on the infected computer to eliminate any chance of restoring a backup from the compromised machine:


Not only this, but the .m0on variant of Crypute targets most of the commonly used file types when encrypting user files, for example:

  • Video files.
  • Files associated with Microsoft Office.
  • Adobe files (Reader, Photoshop, Illustrator, Elements, etc.)
  • Audio file formats.
  • Database files.
  • Virtual machine files.

.3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .arw, .as, .as3, .asf, .asp, .aspx, .asx, .avi, .bat, .bay, .bmp, .cc, .cdr, .cer, .class, .cpp, .cr2, .crt, .crw, .cs, .csv, .dat, .db, .dbf, .dcr, .der, .dll, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxg, .efx, .eps, .erf, .exe, .fla, .flv, .htm, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .jsp, .kdc, .lnk, .m3u, .m3u8, .m4u, .max, .mdb, .mdf, .mef, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .mrw, .msg, .nef, .nes, .nrw, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdb, .pdf, .pef, .pem, .pfx, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .pst, .ptx, .qq, .r3d, .ra, .raf, .rar, .raw, .rb, .rcb, .rtf, .rw2, .rwl, .sdf, .sldm, .sldx, .sql, .sr2, .srf, .srw, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wb2, .wma, .wmv, .wpd, .wps, .x3f, .xla, .xlam, .xlk, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip

After encryption, the file names are replaced with completely random strings of the letters “n”, “m”, “o” and “0” placed between “%” signs, and the .m0on file extension is appended as a suffix, for example:


After encryption, the virus is reported to drop a ransom note to notify the victim of the situation.
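As an added illustration (not code from the original post, and not the malware's own code), the following Python triage script flags file names that match the renaming pattern described above and counts untouched files whose extension is on the targeted list, so a responder can size the damage before attempting recovery. It assumes a renamed file consists only of the letters n, m, o, 0 and % signs before the .m0on suffix; the page describes that pattern but shows no literal example, so the exact layout is a guess.

```python
import os
import re

# Assumed post-encryption name: only n/m/o/0 and % before .m0on, with at least one %.
# The page describes the pattern in words but shows no literal sample, so this is a guess.
ENCRYPTED_NAME = re.compile(r"^(?=.*%)[nmo0%]+\.m0on$")

# Subset of the extensions the page lists as targeted (enough for a demo).
TARGETED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".mp4", ".txt",
                       ".sql", ".mdb", ".pst", ".vcf", ".zip"}

# Constructed sample listing standing in for a scanned folder; not taken from the page.
SAMPLE_NAMES = [
    "%nm0on%.m0on",
    "%n%m%o%0%.m0on",
    "report.docx",
    "holiday.jpg",
    "notes.txt",
    "moon.m0on",      # suffix only, no %-delimited random name: not the pattern
    "%abc%.m0on",     # letters outside n/m/o/0: not the pattern
    "archive.7z",     # extension not on the page's target list
]


def is_encrypted_name(name: str) -> bool:
    """True when a bare file name matches the described post-encryption renaming."""
    return ENCRYPTED_NAME.match(name.lower()) is not None


def triage(paths) -> dict:
    """Split a listing into encrypted files, untouched files of a targeted type,
    and everything else, so the extent of the damage is visible at a glance."""
    result = {"encrypted": [], "at_risk": [], "other": []}
    for path in paths:
        name = os.path.basename(path)
        if is_encrypted_name(name):
            result["encrypted"].append(path)
        elif os.path.splitext(name)[1].lower() in TARGETED_EXTENSIONS:
            result["at_risk"].append(path)
        else:
            result["other"].append(path)
    return result


def scan_tree(root: str) -> dict:
    """Run the triage over a real directory tree; paths are reported relative to root."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        paths.extend(os.path.normpath(os.path.join(rel, f)) for f in files)
    return triage(paths)
```

Run `scan_tree` against a copy of the affected folder (never the only copy) and keep the "encrypted" list as the inventory for any later decryption attempt.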

Remove M0on Ransomware and Restore Encrypted Files

In order to remove M0on ransomware we advise you to follow our removal instructions posted below. If you have trouble performing the removal manually, we urge you to try the automatic removal tool, which will not only remove the main executable of M0on ransomware, located in the %Temp% folder, but also take care of other malware-related sub-files and objects.

After removing the virus, we advise you to make copies of the encrypted files and try to restore those files with alternative methods, like the ones we suggested in step “2. Restore files encrypted by M0on” below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
