MOOL ransomware seeks to extort you by encrypting your files
Contents
MOOL ransomware is a file-encrypting malicious virus which infects victim’s computer to encrypt files stored on it. During the attack, the virus marks affected files with .mool extensions and leaves ransom-demanding notes called _readme.txt. The malware is the 209th version of STOP/DJVU ransomware group, and it is a new, undecryptable variant. The ransom note left by the malware informs that the victim can restore all files if he/she pays $490 or $980 in Bitcoin. The attackers leave two email addresses as the only channels of communication – helpdatarestore@firemail.cc or helpmanager@mail.ch. The described virus also drops AZORULT password-stealing Trojan on the system.
MOOL file extension virus uses AES/RSA encryption methods to convert all files on victim’s computer useless. Once affected by such cryptography algorithm, the file cannot be opened without a private decryption key. Unfortunately, only the STOP/DJVU creators have encryption/decryption key pairs.
The aim of MOOL ransomware is to prevent the victim from accessing personal files anymore. It causes shock for the user, as personal computers are typically used to store important data such as memories (photos, videos) or work/study files such as documents, spreadsheets, etc. At this point, the only message left for the victim is stored in _readme.txt files, which suggest paying a hefty ransom as soon as possible. If paid within 3 days, the price of MOOL decryption software is lower and costs $490. Later, it goes up to $980.
Online and Offline Encryption – what’s the difference?
The majority of victims are subject to online encryption, which describes a process when the virus connects to its Command&Control server to obtain online encryption key. If the malware fails to connect, it uses an offline encryption key, which is one and only for all computers on which the virus fails to connect to C2. Once someone with offline key encryption pays the ransom and shares it with cybersecurity experts, the STOP DJVU Decryptor by Emsisoft gets updated.
You can find out whether you files have been affected by the offline key by going to C:/SystemID/PersonalID.txt. Here, look at the end of IDs stored. In case one of them ends in t1, then you can hope to restore some data in the future. In ALL other cases, MOOL data decryption is impossible due to online key attack.
Threat Summary
| Name | MOOL ransomware virus |
| Type | Ransomware |
| Origins | New STOP/DJVU variant (207th version) |
| Targeted systems | Windows |
| Behavior | The virus uses AES/RSA encryption to lock personal files, marks them by adding new extensions, installs Azorult Trojan and leaves ransom-demanding messages in _readme.txt files |
| File extension | Uses .mmnn extension |
| Ransom note | _readme.txt |
| Contact Emails | helpdatarestore@firemail.cc or helpmanager@mail.ch |
| Ransom demand | $490-$980 |
| Distribution | Distributed via software cracks, keygens, KMSPico |
| Decryption tools | Offline key for this variant isn’t known yet. STOP Decryptor currently doesn’t support the 209th ransomware version. Victims affected by online key cannot restore their files at all. |
| Removal | Remove using antivirus while in Safe Mode with Networking (use instructions given below) |
Distribution vectors that STOP/DJVU variants rely on
Ransomware viruses such as MOOL, BBOO, ROOE, OOSS, or MMNN tend to await victims in a form of unsafe or illegal files available online. In most cases, victims download and infect their systems with DJVU variants after searching and opening malicious software cracks found online. It can also happen with keygens or tools like KMSPico. Finally, other ransomware variants might await in malspam email attachments or appended links.
To avoid such ransomware attacks, always rely on trustworthy online resources. Consider investing in legitimate software licenses, because they will never infect your PC with ransomware or other type of malware.
To eliminate and completely remove MOOL ransomware virus from your computer system, follow the steps provided below. We strongly suggest using a trusted software to delete the malware completely. If you attempt to search for virus’ components yourself, remember that it can hide its files and various configurations deeply in your system. Therefore, if you’re not a qualified cybersecurity expert, most likely you will fail to find and delete these items yourself.
MOOL ransomware removal should be done automatically while in Safe Mode with Networking. Only after successful elimination of it and AZORULT you can try to use your data backups. What is more, do not forget to change your passwords straight after cleansing your PC system.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS
STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
MOOL Ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove MOOL Ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Leave a Reply