Remove MongoLock Ransomware

Remove MongoLock Ransomware

mongolock ransomware virus mongoDB logo

This article will aid you to remove MongoLock Ransomware. Follow the ransomware removal instructions given at the end of the article.

MongoLock Ransomware will encrypt your data and demands money as a ransom to get it restored. MongoDB databases will get deleted and wiped as a result of the malicious activity of this ransomware. The MongoLock Ransomware will leave ransomware instructions inside a text file. Keep on reading the article and see how you could try to potentially recover some of your locked files and data.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe ransomware will wipe whole MongoDB databases and demand a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will delete your files and leave a ransom note with payment instructions.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by MongoLock


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss MongoLock.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

MongoLock Ransomware – January 2019 Update

In January 2019 security reports reveal that a new attack campaign has been run. It is very possible that a slightly updated version of the code is used as well. The attack is not run against a specific country or region: more than 200 samples of the MongoLock ransomware attributed to this campaign have been registered. The highest number of infections have been reported in the following countries: South Korea, Great Britain, the United States, Argentina, Canada, Germany, Taiwan and Hong Kong.

The attacks were not only using phishing scams, sites and the other popular distribution methods, but also targeting poorly secured online databases. The ransomware itself was found as an online hosted instance on Python Anywhere, a popular cloud IDE (integrated development environment) and hosting service. Accessing certain sections of the infected site will download an executable file which will lead to the dangerous infection. Another method is to be redirected from the site to a landing page which will in-turn display malicious elements.

The new MongoLock ransomware variant not only encrypts user data according to the typical behavior exhibited by this type of threats, but also deletes important system data found on the main hard drive partitions. Specific folders which are scanned include the following:

  • Documents
  • Desktop
  • Recent
  • Favorites
  • Music
  • Videos
  • Recycle Bin

Backup drives are also affected. It has been found that the MongoLock ransomware establishes a secure connection to a hacker-controlled server to which the user data is uploaded (before it is encrypted by the ransomware module). The distinct characteristic of this malware is that it has placed the server on the TOR anonymous network.

MongoLock Ransomware – Distribution

The MongoLock ransomware might distribute itself via different tactics. A payload dropper which initiates the malicious script for this ransomware is being spread around the World Wide Web, and researchers have gotten their hands on a malware sample. If that file lands on your computer system and you somehow execute it – your computer device will become infected. Below, you can see the payload file of the cryptovirus being detected by the VirusTotal service:

mongolock ransomware virus virustotal detections

Freeware which is found on the Web can be presented as helpful also be hiding the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them. You should first scan them with a security tool, while also checking their size and signatures for anything that seems out of the ordinary. You should read the tips for preventing ransomware located at the corresponding forum thread.

MongoLock Ransomware – In Depth

MongoLock Ransomware is not new. However, this is a newer version of

Mongo Lock Ransomware that Deletes Vulnerable MongoDB Databases. Files along with the whole compromised database will get deleted. A ransom note will be left by the virus, with instructions inside it. The extortionists want you to pay a ransom fee for the alleged restoration of your data.

MongoLock Ransomware might make entries in the Windows Registry to achieve persistence, and could launch or repress processes in a Windows environment. Such entries are typically designed in a way to start the virus automatically with each boot of the Windows Operating System.

After encryption the MongoLock Ransomware creates a ransom note inside a text file. The note is named Warning.txt as you can see from the below screenshot:

mongolock ransomware virus ransom note

The note reads the following:

Your File and DataBase is downloaded and backed up on our secured servers. To recover your lost data : Send 0.1 BTC to our BitCoin Address and Contact us by eMail with your server IP Address and a Proof of Payment. Any eMail without your server IP Address and a Proof of Payment together will be ignored. We will drop the backup after 24 hours. You are welcome!

Even if a note is shown, you should NOT under any circumstances pay any ransom sum. Your files may not get recovered, and nobody could give you a guarantee for that. Adding to that, giving money to cybercriminals will most likely motivate them to create more ransomware viruses or commit different criminal activities. That may even result to you getting your files encrypted all over again after payment.

MongoLock Ransomware – Encryption Process

The encryption process of the MongoLock ransomware rather simple – every file and database that get infected will be deleted. Files will become simply unreachable. The ransomware is not known to encrypt files in any capacity.

However, vulnerable MongoDB databases that get infected will have the following file types wiped:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

The MongoLock cryptovirus could be set to erase all the Shadow Volume Copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

In case the above-stated command is executed that will make the effects of the encryption process more efficient. That is due to the fact that the command eliminates one of the prominent ways to restore your data. If a computer device was infected with this ransomware and your files are deleted, there is little that you can do to bring them back, unless a data recovery software restores some of your files.

Remove MongoLock Ransomware and Try to Restore Data

If your computer system got infected with the MongoLock ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Tsetso Mihailov

Tsetso Mihailov

Tsetso Mihailov is a tech-geek and loves everything that is tech-related, while observing the latest news surrounding technologies. He has worked in IT before, as a system administrator and a computer repair technician. Dealing with malware since his teens, he is determined to spread word about the latest threats revolving around computer security.

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share