Remove MMM Ransomware and Restore .0x009d8a Files - How to, Technology and PC Security Forum |

Remove MMM Ransomware and Restore .0x009d8a Files

This article aims to show you how to remove MMM ransomware from your computer and how to restore .0x009d8a encrypted files.

A new ransomware virus, going by the name MMM ransowmare has been reported to use a combination of not two, but three encryption modes to render the files on the computers affected by it no longer able to be opened – RSA, AES and HMAC ciphers. After the MMM ransomware attacks your computer, the virus immediately begins to demand money to get them back by dropping a ransom note, named RESTORE_0x009d8a_FILES.html. In it, 1.2 BTC is requested from the victims to be sent over in order to get the encrypted files restored back to normal.

Threat Summary

NameMMM Ransomware
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the compromised computer and then asks victims to pay a hefty ransom fee of 1.2 BTC in order to get them decrypted and working.
SymptomsThe files are encrypted with an extension, like .0x009d8a. A ransom note, named RESTORE_0x009d8a_FILES.html is dropped with further demands and instructions how to make a ransom payoff.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by MMM Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss MMM Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Update May 2018: Triple M ransomware has come out in a newer variant, using the .MMM file extension and asking to pay ransom in BitCoin.

Distribution of MMM Ransomware

Similar to over 80% of the newer ransomware viruses out there, the MMM ransomware infection may be widespread via multiple different types of methods, primary associated with malicious e-mail spam, also known as malspam. Such messages often portray the malicious file carrying the payload of MMM ransomware as a legitimate type of file. Such as:

  • Receipt.
  • Invoice.
  • Letter of complaint.
  • Letter of confirmation.
  • Suscpicious bank activity report.
  • Other urgent matters.

If the victim is tricked into actually opening the malicious file, he or she immediately becomes infected with MMM ransomware.

Besides via torrents, the malicious files of MMM ransomware may also exist as fake setups of software, fake key generators, game patches, cracks or other type of seemingly legitimate executable files.

MMM Ransomware – More Information

Once MMM ransowmare has already infected your computer system, the virus’s first signs of presence begin to show. It may temporarily freeze your computer during which it performs numerous activities on it. The first of those is to drop it’s malicious file which is a .exe file with a random A-Z and 0-9 name on your computer. The file may be accompanied by other malicious files that may be of the following types;

→ .tmp, .exe, .dll, .bat, .vbs, .cmd

These files may be scattered across different parts of your Windows, but they are primarily dropped in the following locations:

  • %AppData%
  • %Windows%
  • %Local%
  • %LocalLow%
  • %Temp%
  • %Roaming%

As soon as MMM ransomware drops it’s malicious files, it also creates it’s ransom note. The note is created so that the ransomware makes it’s presence known and motivates victims into contacting the e-mail and pay the sum of 1.2 BTC to the address 151F8ufANwCohXzteZ2mauvHLvkS8WmEFT. The ransom note is named similar to RESTORE_0x009d8a_FILES.html and has the following message for the victims:

What happend with my files?
All your databases corrupted. All your files has been locked ( encrypted) with Ransomware
 For encrypting we using strong cryptographic algorithm AES256+RSA-2048 .Do not attempt to recover the files yourself.
 You might corrupt your files. We also rewrite all old blocks on HDD and you don`t recover your files with Recuva and other… 
 It is not advised to use third party tools to decrypt,if we find them you ,you will forever lose your files. 
How i can restore my files?
Go to BTC exchange services and buy 1,2 Bitcoin 3) Send it to address 151F8ufANwCohXzteZ2mauvHLvkS8WmEFT and write us email to address for giving your key and decryption tool. In subject write your Unique ID 
BTC Guide:
Top BTC exchange sites: LocalBitcoins (We recomend), Coinbase, BTC-E, 
Online wallets: BlockchainInfo, 

In addition to making sure it is noticed, the MMM ransomware virus may also delete the shadow volume copies on the computers it infects. This is achieved by executing the vssadmin and bcedit commands in a hidden manner, without the victim noticing them:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

In addition to this, the MMM ransomware virus may also heavily modify the Windows Registry Editor, creating various registry entries in the following sub-keys:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\

MMM Ransomware The Encryption Process

The MMM ransowmare virus uses three types of encryption algorithms. The first one is called AES cipher (Advanced Encryption Algorithm) and it encrypts portion of the files themselves to generate unique asymmetric decryption key. Then, the virus uses the RSA (Rivest-Shamir Adleman) encryption to generate unique keys for each infection. And the HMAC is used to generate a unique hash and make decyrption even more confusing. The files targeted by MMM ransomware are reported to be the following:


After the encryption process by this virus has completed, the files encrypted by MMM ransomware may appear like the following:

Remove MMM Ransomware and Restore Encrypted Files

For the removal process of this ransomware virus, we advise you to follow the instructions below. They are specifically created to help you remove MMM ransowmare either manually or automatically. According to security experts the best and most secure method to remove MMM ransomware from your computer is to use a ransomware removal software in order to automatically scan for every object, created by this virus and then remove it and protect your PC against future threats.

If you want to restore files encrypted by this ransomware, you can go ahead and try out the alternative methods from step “2. Restore files encrypted by MMM Ransomware” below. They are in no way fully effective, but they may help restore several important files without you having to pay the ransom.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share