What is MoonCryptor ransomware? And how does it function?
MoonCryptor is a ransomware Trojan built on the HiddenTear open-source platform. It is a new file-encrypting threat, first seen on August 17, 2017, and should not be confused with the M0on ransomware released back in November 2016. You can get infected by this malware by opening attachments from spam emails or by clicking links on compromised websites. Once you make the mistake of opening the infected file, MoonCryptor infiltrates your computer and connects to its Command and Control server, sending information such as your IP address, OS version, keyboard configuration and active account name before it starts its attack. Its malicious components may be installed in the Temp and AppData directories, where it creates a set of temporary file structures.
During the attack, the ransomware scans your directories for data containers associated with software such as Microsoft Office, Windows Media Player, Groove Music, Windows Photo and other database managers. It appends the .fmoon extension to its targeted files, using a custom combination of the AES 256 and RSA 1024 ciphers to hold your files hostage. After encryption, it opens a program window named MOON DECRYPTOR with the following message:
“WHAT HAPPENED ???
Oops all your data are encrypted !!
This is a ransomware AES 256 + RS A 1024!! Look at Wikipedia for morę informations
Please pay before 20 minutes oryour datalll be lost forever. I’ll delete a file per minutę after!
Copy and past this link in Internet Explorer or Firefox :
hxxp://10.10.3.1/panel/decipher.php
and enter your informations :
Your UUID : [RANDOM CHARCTERS]
Encrypted key [RANDOM CHARCTERS]
If you obtain your passord, take it here and click on RECOVER
[TEXT BOX] [RECOVER|button]”
Researchers advise you against following the instructions given or paying the ransom. You will just be led to a site on the TOR network that urges you to pay hundreds of dollars for the password used to activate the supposed decryptor, the MOON DECRYPTOR app. MoonCryptor ransomware's goal is clearly to lure you into paying the ransom in exchange for the restoration of your files, and you should not fall for the trick because it offers you no assurances at all; for all you know, the crooks may simply ignore you once they have your money. The best thing you can do is to recover your files from your backups, or from copies kept in services like Google Drive, Dropbox and OneDrive and from archived versions of your documents.
How does MoonCryptor circulate online?
As mentioned earlier, MoonCryptor ransomware spreads through spam emails containing malicious attachments. These emails are often disguised as something that would trigger your curiosity to make you open the email and download the attachment. You can also get infected by this malware by downloading fake software and fake software updates, or by clicking on a corrupted link.
There are many distribution and social engineering techniques being used these days to infect many users. Therefore, keeping both your operating system and antivirus programs updated is a must. That way, you can increase your protection from the likes of MoonCryptor ransomware.
Terminate MoonCryptor ransomware and its malicious components by following the removal guide below.
Step 1: Close the program window MOON DECRYPTOR.
Step 2: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for suspicious processes that can be related to the MoonCryptor Ransomware.
Right-click each such process, click Open File Location and scan the folder with a powerful and trusted antivirus like SpyRemover Pro. Once the folders are open, end the processes and delete the folders. If the virus scanner fails to flag something that you know is suspicious, don't hesitate to delete it.
Step 3: Open the Control Panel program list by pressing the Start key + R to launch Run, typing appwiz.cpl in the box and clicking OK.
Step 4: Look for MoonCryptor ransomware or any peculiar program and then Uninstall it.
Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Go to the directories listed below and look for MoonCryptor.exe and other malicious files created by the ransomware.
- %AppData%
- %Temp%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
The next step is not recommended if you don't know how to navigate the Registry Editor. Making registry changes can have a heavy impact on your computer, so it is highly advised to use PC Cleaner Pro instead to get rid of the entries that MoonCryptor ransomware created. If you are not familiar with the Windows Registry, skip to Step 11 onwards.
However, if you are well-versed in making registry adjustments, then you can proceed to step 7.
Step 7: Open the Registry Editor: tap Win + R, type in regedit and press Enter.
Step 8: Navigate to the path below:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Step 9: Delete any suspicious registry value.
Step 10: Close the Registry Editor.
Step 11: Empty the Recycle Bin.
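Before deleting anything in Steps 6 and 9, it helps to see in one place what the ransomware left behind. The PowerShell script below is an added triage example, not part of the original guide or of any removal tool it names. It only reads and reports; it deletes nothing. It assumes the indicators the article gives (the .fmoon extension, a dropper named MoonCryptor.exe, staging under %AppData% and %Temp%, and a persistence value under the HKCU Run key), and the seven-day window and the "suspicious path" pattern are my own assumptions, not something the article states.

```powershell
# Added triage script (not from the original guide). Read-only: it reports
# findings for review in Steps 6 and 9, it does not delete anything.
# Assumed indicators, taken from the article: .fmoon extension, MoonCryptor.exe,
# staging under %AppData% / %Temp%, and an autorun value under HKCU\...\Run.

$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$staging = @($env:APPDATA, $env:TEMP,
             "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop")

Write-Host "== Autorun values under $runKey =="
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |       # drop PowerShell's own metadata properties
        ForEach-Object {
            # Assumption: a Run value whose command points into a user-writable
            # staging directory deserves a closer look; legitimate software rarely
            # persists from Temp or Downloads.
            $flag = $_.Value -match '(?i)\\(AppData|Temp|Downloads|Desktop)\\'
            [pscustomobject]@{ Name = $_.Name; Command = $_.Value; Suspicious = $flag }
        } | Format-Table -AutoSize -Wrap
}

Write-Host "== Executable content created in the last 7 days in staging directories =="
$cutoff = (Get-Date).AddDays(-7)   # assumed window; widen it if the infection is older
foreach ($dir in $staging) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include *.exe,*.dll,*.bat,*.vbs,*.ps1 `
                  -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff -or $_.Name -ieq 'MoonCryptor.exe' } |
        ForEach-Object {
            # Record a SHA-256 so the file can be checked against your AV vendor
            # or a reputation service before it is removed.
            [pscustomobject]@{
                Path     = $_.FullName
                Size     = $_.Length
                Created  = $_.CreationTime
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Format-Table -AutoSize -Wrap
}

Write-Host "== Files carrying the .fmoon extension under the user profile =="
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.fmoon' `
                             -ErrorAction SilentlyContinue)
$encrypted | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
Write-Host ("{0} encrypted file(s) found; restore these from backup, do not pay." -f $encrypted.Count)
```

Run it from a normal (non-elevated) PowerShell window as the affected user, since both the Run key and the staging directories are per-user. Anything it flags is a candidate for Steps 6 and 9, not an automatic verdict: confirm each entry (the hash, the path, the publisher) before you delete it.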
Follow the continued advanced steps below to ensure the removal of the MoonCryptor ransomware:
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it's already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you're on the BIOS screen, press F8 repeatedly so that the Advanced Options screen shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once the download is done.
- Click OK to launch SpyRemover Pro.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register SpyRemover Pro to protect your computer from future threats.