MMLocker Ransomware - How To Remove?


MMLocker (or MM Locker) ransomware first appeared in March of 2016, and it is still ravaging victims' data. Sadly, cyber security researchers have not come up with a solution yet. However, there are steps you can take to try to get your data back.

About MMLocker Ransomware

MMLocker ransomware is named after a directory path found in one of its samples: C:\mm\mm\obj\Release\mm.pdb. It uses an asymmetric cipher scheme that combines AES and RSA keys. Data on HDD, SSD and USB drives is affected. This file-encrypting virus encrypts over 60 different file types, among them:

.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp.

Files with the above extensions have another extension, “.locked”, appended. For example, Essay.doc is turned into Essay.doc.locked. Exactly the same extension, appended to the filename of each encrypted file, was also observed in the cases of the Uyari and VirLock ransomware.

After the encryption is over, your desktop wallpaper is replaced with the image ransom.jpg. The red text in the middle of the image, which resembles the changing numbers used in the Matrix movie, directs the user to open the READ_IT.txt file on the desktop.
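A read-only triage sketch built on the indicators described above (the “.locked” suffix on the listed file types and the READ_IT.txt note). It is an added example, not code from the original article or from any vendor tool. The function name `triage`, the report layout and the use of file modification time as an estimate of when encryption happened are assumptions.

```python
import os
import sys
from collections import Counter
from datetime import datetime

# File types the page lists as MMLocker targets.
TARGETED = set("""
.txt .doc .docx .xls .xlsx .pdf .pps .ppt .pptx .odt .gif .jpg .png .db .csv
.sql .mdb .sln .php .asp .aspx .html .xml .psd .frm .myd .myi .dbf .mp3 .mp4
.avi .mov .mpg .rm .wmv .m4a .mpa .wav .sav .gam .log .ged .msg .myo .tax
.ynab .ifx .ofx .qfx .qif .qdf .tax2013 .tax2014 .tax2015 .box .ncf .nsf
.ntf .lwp""".split())
SUFFIX = ".locked"
NOTE = "read_it.txt"


def triage(root):
    """Read-only walk of `root`; returns a summary of MMLocker-style artefacts."""
    rep = {"locked": [], "other_locked": [], "notes": [],
           "by_type": Counter(), "earliest": None}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE:
                rep["notes"].append(path)
            elif lower.endswith(SUFFIX):
                original = name[:-len(SUFFIX)]        # Essay.doc.locked -> Essay.doc
                ext = os.path.splitext(original)[1].lower()
                if ext not in TARGETED:
                    # Other families also append ".locked": do not attribute.
                    rep["other_locked"].append(path)
                    continue
                # Pair each encrypted path with the name to look for in backups.
                rep["locked"].append((path, original))
                rep["by_type"][ext] += 1
                # Assumption: mtime of the .locked file reflects encryption time.
                mtime = os.path.getmtime(path)
                if rep["earliest"] is None or mtime < rep["earliest"]:
                    rep["earliest"] = mtime
    return rep


if __name__ == "__main__":
    r = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(r['locked'])} MMLocker-pattern files, "
          f"{len(r['other_locked'])} other .locked files, "
          f"{len(r['notes'])} ransom notes")
    for ext, n in r["by_type"].most_common():
        print(f"  {ext:<9} {n}")
    if r["earliest"] is not None:
        print("Restore from copies older than",
              datetime.fromtimestamp(r["earliest"]).isoformat(" ", "seconds"))
```

Run it against a mounted image of the affected drive rather than the live system; the earliest timestamp helps when choosing a restore point or backup that predates the infection.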

The ransom note is named READ_IT.txt and it is quite extensive, to say the least. You are given 3 days to pay the ransom of 0.501049 BTC (bitcoins), which amounts to 298.07 USD. The rest of the message is a lengthy digression. The hacker tells you that even the police will not help you. He even makes excuses and gives his reasons for such a barbaric act. At the end of the note, the cyber criminal gives you advice on how you could have avoided infection by his ransomware and, on top of all this, wishes you good luck. The ransom message reads as follows:

Uh oh. It looks like your data has been the victim of the encryption thief. Your files have been encrypted with AES: search your drive for “locked” if you don’t believe me. Unfortunately, you’re going to have to pay some money to get your files back, and your fee is approximately $200 in US Dollars. I’ll get right to the ugly details for that:

* You have 72 hours to make this happen as of 12/03/2016 21:03:16. Otherwise, your files are lost for good. I will delete the necessary code for all time and I don’t even have to revisit your machine to do it.
* You will be paying by Bitcoin. Don’t worry, it is easy to figure out. Your fee is 0.501049 BTC. Pay this amount precisely, or I might not know who it was that paid in order to rescue them.
* Use It isn’t hard to use, there are numerous ways to pay for my bitcoins on there, and most importantly, it is fast. Did I mention you have 72 hours?
* The address you will be sending the bitcoins to is [Bitcoin address].
* Then you will wait for me to get the unlock code for you. Your code will be shown here, [link to a compromised site], under the amount you paid. This may take a day or so: you are on my schedule now.
* Once you have the code, you can unlock your files as follows:
*** First you must download my decrypter: [link made via]. You may get various warnings that this is a Trojan or some other nonsense. Don’t believe it: if I needed to cause more damage I would have done so already. The file is marked as such because the antivirus people are lazy SOBs and just mark everything they can.
*** Go to your Start Menu
*** In the search field, type “cmd”.
*** Double click the cmd program.
*** Type “cd C:\Users\xxx\Downloads”
*** Type “Decrypter.exe ”
*** Other people’s codes will not work for you, obviously.

That is basically it. The rest of this document is a further description about your situation.

* You’ll never be able to find me. Police will never be able to find me. Go ahead and try them if you like, but don’t expect your data back. They will be concerned about helping the community, not with helping you meet your deadline. If they say they need to keep your desktop for a few days, well lol, you probably won’t be seeing your machine again soon, let alone your data. I’ve been doing this for five years now and haven’t been caught yet.
* Best Buy will have no ability to undo the encryption. Hell, even the NSA probably couldn’t undo it. Well maybe they could, but I suspect you won’t be a high priority for their computation clusters for at least a couple of years.
* In 72 hours, you will never be able to get these files open. I don’t much like people struggling against the powerful, and there is no way for you to argue for an extension. Just make it happen.

So just be thankful that it wasn’t worse. I could have asked for more money. I could have been working for ISIS and saving that money to behead children. I could have been a mean SOB and just destroyed your data outright. Am I those things? No. I just need the money to live off of (true story) and don’t care at all about the hacker “community”. So there isn’t anyone you will be protecting by sacrificing yourself. I’ll just encrypt more people’s data to make up for the loss.

So you have your instructions. I’ll even tell you how you could have prevented this:

* Install a good antivirus and keep it up to date. This is basically where you fell down.
* Don’t click on any file from the internet that isn’t a piece of data like (jpg, txt, doc) or you better really know where that file came from.
* Back up your files in case the encryption thief visits you.

Better luck to you in the future.

No matter how heartbreaking the story of this cyber crook behind MMLocker crypto malware may seem to you at first sight, chase such silly thoughts away. This is not a proper way to ask for alms.

How is MMLocker Ransomware Distributed?

MMLocker ransomware is a typical trojan in that it relies on spam e-mails to reach victims' computers. These e-mails usually take the form of notices from legal bodies (e.g. customs) or international companies (e.g. DHL), or they can land in the spam folder of your mailbox with no sender at all. Links on social networking websites such as Facebook and Twitter can also be very dangerous, as they can redirect you to malicious domains that have exploits injected. These malicious programs can download the MMLocker payload onto your operating system after its vulnerabilities have been detected and analyzed. Interestingly, this file encoder also has its own special way of entering your machine: MMLocker is distributed through a cracked executable of the newest edition of the game Far Cry. This latest edition is called “Primal”, and the executable is named FCPrimal.exe. The executable is promoted on YouTube.

How to Decrypt Files Encrypted by MMLocker Ransomware?

Unfortunately, there are still no decryptors available for data encrypted by MMLocker. The first option is to restore from backup copies. The second is to check Shadow Volume Copies. The last option is to try professional data recovery tools such as Recuva, PhotoRec, the software by Kaspersky Lab, R-Studio, etc. Data recovery, however, is not the most important task at the moment. It is more important to remove the malware from the system without delay, once the infected drive has been imaged (the image is needed for a future decryptor). To accomplish this you can use automatic malware removal software such as Reimage, Spyhunter or Malwarebytes. It is highly recommended to rely on professional automatic tools when facing threats as elaborate as ransomware. The manual removal instructions for MMLocker ransomware are provided below.

How to recover MMLocker Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before MM Locker Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of MMLocker Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, such as Reimage, and remove all malicious files related to MM Locker Ransomware. You can check other tools here.

Step 3. Restore MMLocker Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance you can use shadow copy snapshots. They store copies of your files as of the point in time when the system restore snapshot was created. MM Locker Ransomware usually tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

Shadow Explorer is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover MMLocker Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.


About the author

 - Main Editor
I started in 2007 after wanting to be more or less independent from a single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.
August 11, 2016 07:40, October 12, 2017 03:57
