A ransomware virus that appends the .m0on file extension to the files it encrypts has been reported to be causing havoc on users' PCs. The virus, also known as Crypute, uses the Advanced Encryption Standard (AES) algorithm to encrypt videos, pictures, audio files and important documents on the computers it infects. At the moment there are several methods by which the .m0on ransomware may spread; users are warned not to open unexpected e-mail attachments and to check any URLs they deem suspicious. In case of infection with this ransomware, experts advise victims to focus on removing the ransomware and restoring the files themselves instead of paying the ransom.
| Item | Details |
|---|---|
| Short Description | The malware encrypts users' files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key held by the cyber-criminals. |
| Symptoms | The user may witness ransom notes and "instructions". File names are changed and the .m0on file extension is appended. |
| Detection Tool | See If Your System Has Been Affected by M0on (malware removal tool) |
| User Experience | Join our forum to discuss M0on. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files and may recover only some of the encrypted files, depending on the situation and whether or not you have reformatted your drive. |
M0on Ransomware – Further Information
How Does M0on Spread?
To cause an infection, M0on may use two primary techniques: malicious URLs or malicious files. When the virus uses files to infect users, it is widely believed to rely on e-mail spam. The spammers send an e-mail that pretends to be of utmost importance in order to convince the user to open the attachment, which is usually an executable disguised as a document.
This does not mean that URL-based infections are absent from phishing mails. We have even seen cases where the e-mails contain malicious URLs styled to resemble LinkedIn or PayPal buttons, just as in a genuine e-mail.
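The lookalike-button trick described above can be checked for mechanically: a link whose visible text or image button names a brand while the URL itself resolves to an unrelated host is the classic sign. The following is an added example, not code from the original post; the brand-to-domain table (`BRAND_DOMAINS`), the `find_lookalike_links` function and the sample message are constructed for illustration.

```python
"""Flag e-mail links whose visible text, image alt text or URL mentions a brand
(LinkedIn, PayPal) while the link does not point at that brand's own domain.
Added example, not the original post's code; brand table and sample constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand table: which hosts are legitimate for each brand name.
BRAND_DOMAINS = {
    "linkedin": ("linkedin.com",),
    "paypal": ("paypal.com",),
}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs; img alt text inside a link counts
    as visible text because phishing buttons are usually images."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href")
            self._text = []
        elif tag == "img" and self._href is not None:
            self._text.append(attrs.get("alt") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join(self._text).strip()))
            self._href = None


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def _host_belongs_to(host, domains):
    # Exact match or a real subdomain; "paypal.com.evil.example" does not qualify.
    return any(host == d or host.endswith("." + d) for d in domains)


def find_lookalike_links(html):
    """Return one finding per link that mentions a known brand (in its text,
    image alt or URL) but does not resolve to that brand's domains."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = _host_of(href)
        mentions = (text + " " + href).lower()
        for brand, domains in BRAND_DOMAINS.items():
            if brand in mentions and not _host_belongs_to(host, domains):
                findings.append({"brand": brand, "text": text, "host": host})
    return findings


# Constructed sample message: two lookalike buttons, one genuine link, one neutral link.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention.</p>
<a href="http://paypal.com.verify-account.example.net/login"><img alt="PayPal" src="btn.png"></a>
<a href="https://www.linkedin.com/in/example">View profile on LinkedIn</a>
<a href="http://203.0.113.5/in">Sign in to LinkedIn</a>
<a href="https://example.com/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for f in find_lookalike_links(SAMPLE_EMAIL_HTML):
        print(f"lookalike {f['brand']} link: '{f['text']}' -> {f['host']}")
```

The host check deliberately requires the registered domain to be the suffix of the hostname, so a URL that merely starts with `paypal.com.` is still flagged; a mail gateway or user-side preview tool can apply the same rule before a link is rendered as a trusted button.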
What Does M0on Ransomware Do After Infection?
After the user has clicked the malicious URL or downloaded and executed the fake file, the infection begins: the malware connects to the cyber-criminals' remote host and downloads the payload (unless, less commonly, the malicious executable is itself the payload).
Then the .m0on file extension ransomware uses a very particular trick up its sleeve. It may delete the shadow copies on the infected computer to eliminate any chance of recovering files from local backups:
Not only this, but the .m0on variant of Crypute targets most commonly used file types, for example:
- Video files.
- Files associated with Microsoft Office.
- Adobe files (Reader, Photoshop, Illustrator, Elements, etc.)
- Audio file formats.
- Database files.
- Virtual machine files.
.3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .arw, .as, .as3, .asf, .asp, .aspx, .asx, .avi, .bat, .bay, .bmp, .cc, .cdr, .cer, .class, .cpp, .cr2, .crt, .crw, .cs, .csv, .dat, .db, .dbf, .dcr, .der, .dll, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxg, .efx, .eps, .erf, .exe, .fla, .flv, .htm, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .jsp, .kdc, .lnk, .m3u, .m3u8, .m4u, .max, .mdb, .mdf, .mef, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .mrw, .msg, .nef, .nes, .nrw, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdb, .pdf, .pef, .pem, .pfx, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .pst, .ptx, .qq, .r3d, .ra, .raf, .rar, .raw, .rb, .rcb, .rtf, .rw2, .rwl, .sdf, .sldm, .sldx, .sql, .sr2, .srf, .srw, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wb2, .wma, .wmv, .wpd, .wps, .x3f, .xla, .xlam, .xlk, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip
After encryption the files are renamed to a random string of the letters "n", "m", "o" and the digit "0" placed between "%" signs, and the .m0on file extension is appended as a suffix, for example:
After encryption, the virus is reported to drop a ransom note to notify the victim of the situation.
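For a responder triaging a machine, the rename behaviour and the extension list above translate directly into a file-listing check: count how many names already carry the .m0on suffix (and how many of those match the n/m/o/0-and-% shape) against how many files of the targeted types are still intact. The script below is an added example, not the original post's code. Because the post gives no sample of a renamed file, the exact name shape in `ENCRYPTED_NAME` is an assumption, `TARGETED_EXTENSIONS` is a subset of the list above, and the sample listing is constructed.

```python
"""Triage a file listing for the .m0on rename pattern.
Added example, not the original post's code. Assumption: an encrypted name is
made only of the characters n, m, o, 0 and % and ends in the suffix .m0on; any
other name ending in .m0on is still counted as a hit, just less specifically."""
import os
import re
from collections import Counter

SUFFIX = ".m0on"
# Assumed shape of a renamed file: n/m/o/0 characters around % signs, then the suffix.
ENCRYPTED_NAME = re.compile(r"^(?=.*%)[nmo0%]+\.m0on$")

# Subset of the extensions the post lists as targeted; extend with the full list as needed.
TARGETED_EXTENSIONS = {
    ".3gp", ".accdb", ".ai", ".avi", ".bmp", ".csv", ".db", ".doc", ".docx", ".dwg",
    ".jpeg", ".jpg", ".mdb", ".mov", ".mp3", ".mp4", ".odt", ".pdf", ".png", ".ppt",
    ".pptx", ".psd", ".rar", ".sql", ".txt", ".wav", ".xls", ".xlsx", ".zip",
}


def classify_name(name):
    """Return one of: encrypted_pattern, encrypted_suffix, at_risk, other."""
    lower = name.lower()
    if lower.endswith(SUFFIX):
        return "encrypted_pattern" if ENCRYPTED_NAME.match(lower) else "encrypted_suffix"
    ext = os.path.splitext(lower)[1]
    return "at_risk" if ext in TARGETED_EXTENSIONS else "other"


def triage_listing(names):
    """Count each class across a listing; only classes that occur are returned."""
    return dict(Counter(classify_name(n) for n in names))


def is_likely_infected(names, min_encrypted=3):
    """A handful of .m0on names in one listing is a strong sign of this family
    (the threshold is a tunable assumption, not from the post)."""
    counts = triage_listing(names)
    hits = counts.get("encrypted_pattern", 0) + counts.get("encrypted_suffix", 0)
    return hits >= min_encrypted


def scan_tree(root):
    """Walk a directory tree on disk and return its triage counts."""
    names = [f for _, _, files in os.walk(root) for f in files]
    return triage_listing(names)


# Constructed listing: four intact targeted files, three pattern hits, one bare suffix hit.
SAMPLE_LISTING = [
    "report.docx", "budget.xlsx", "holiday.jpg", "notes.txt",
    "%nm0o%.m0on", "%0mnn%o.m0on", "m%onmo%.m0on",
    "readme.md", "backup.zip.m0on",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
    print("likely infected:", is_likely_infected(SAMPLE_LISTING))
```

The `at_risk` count tells the responder how much is still intact when the machine is isolated, which is the number that decides whether cutting power or network now is worth more than preserving volatile evidence; the two encrypted classes separate a high-confidence match on the naming pattern from a name that merely carries the suffix.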
Remove M0on Ransomware and Restore Encrypted Files
In order to remove M0on ransomware, we advise you to follow our removal instructions posted below. If you have trouble performing the removal manually, we urge you to try the automatic removal tool, which will not only remove the main executable of M0on ransomware, located in the %Temp% folder, but also take care of other malware-related sub-files and objects.
After removing the virus, we advise you to make copies of the encrypted files and try to restore those files with alternative methods, like the ones we suggested in step “2. Restore files encrypted by M0on” below.