Moth Ransomware

The Moth Ransomware receives its name because it identifies files that the Moth Ransomware has encrypted using the file extension '.m0th.' The Moth Ransomware is an encryption ransomware Trojan, meaning that it encrypts the victim's files and then requests the payment of a ransom to provide the means to decrypt the affected files. Essentially, the Moth Ransomware takes the victim's files hostage. The Moth Ransomware drops ransom notes on the affected computer alerting the victims of the attack and instructing them on how to pay. Currently, it may not be viable to decrypt the files encrypted with the Moth Ransomware. However, malware analysts advise against paying the Moth Ransomware ransom, since there is no guarantee that the con artists will honor their word and return access to the files.

How the Moth Ransomware may Attack Your Computer

The Moth Ransomware uses AES-256 encryption to take over the victim's computer. The Moth Ransomware delivers its ransom message in a text file named 'READMEPLEASE.TXT,' dropped in directories where the Moth Ransomware encrypted files. In most cases, the Moth Ransomware is delivered using corrupted email attachments. However, the Moth Ransomware also may be distributed using other methods associated with threat delivery, such as corrupted macros, exploit kits and other threats. However, corrupted email attachments and embedded links are still the main distribution method associated with the Moth Ransomware.

When the Moth Ransomware enters the victim's computer, it will drop its harmful files in directories created in the following Windows directories:

%AppData%
%Temp%
%Local%
%LocalRow%
%User’s Profile%

After dropping its harmful files, the Moth Ransomware will change the affected computer's settings to ensure that the Moth Ransomware starts up automatically whenever Windows starts up. The following is the Registry key associated with the Moth Ransomware:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (the path to the Moth Ransomware's malicious file).

The Moth Ransomware scans the victim's computer for numerous file extensions. The following are examples of file types that will be targeted in the Moth Ransomware attack:

PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG.

After encrypting these types of files and sending a private key to its Command and Control server (and out of reach to the victim or the victim's security software), the Moth Ransomware will deliver the following ransom note inside text files dropped on the victim's computer:

'Hello.
All your files have been encrypted using our extremely strong private key. There is no way to recover them without our assistance. If you want to get your files back, you must be ready to pay for them. If you are broke and poor, sorry, we cannot help you. If you are ready to pay, then get in touch with us using a secure and anonymous p2p messenger. We have to use a messenger because standard emails get blocked quickly and if our email gets blocked your files will be lost forever.
Go to http://bitmessage.org/, download and run Bitmessage. Click Your Identities tab > then click New > then click OK (this will generate your personal address, you need to do this just once). Then click Send tab.
TO:{Cyber-criminals’ BitCoin address}
Subject: name of your PC or your IP address or both.
Message: Hi, I am ready to pay.
Click Send button.
You are done.
To get the fastest reply from us with all further instructions, please keep your Bitmessage running on the computer at all times, if possible, or as often as you can because Bitmessage is a bit slow and it takes the time to send and get messages. If you cooperate and follow the instructions, you will get all your files back intact and very, very soon. Thank you.'