Mordor ransomware virus (also known as Milene or SuperCow ransomware) has been labeled as a variant based on an over-utilized, open-source code project called HiddenTear. These samples apply AES file-encoding ciphers to turn Word documents, pdf files, music records, video material and basically any other type of file into useless executable. Surprisingly, this Mordor virus also functions as a RaaS, meaning that it offers ransomware as a service. What does this mean? Basically, it offers an opportunity for people with little skills in programming to purchase a crypto-virus. Also, once ransomware manages to encrypt files, it will insert a Read_Me.html file which will present text both in Russian and English languages.
Details about Mordor ransomware
Mordor crypto-virus, before successfully concluding the process of file-encoding, has to prepare an operating system for it. First of all, Windows Registry keys are expected to be modified to automatically run the payload of this infection. Security researchers have determined that this malicious executable is called NOTHERSPACE_USE.exe. After getting a persistent position, it will scan devices for files and gradually encrypt them with AES algorithm. However, this is not a sophisticated version as creating Mordor RaaS and the infection itself must have been quite easy. Since it is based on HiddenTear project, its base is not complicated to recognize. For some unknown reason, creators believe that their product is extremely elaborate and require a steep sum to purchase it.
Security researchers have already identified the possible creators of Mordor virus. It might be that crooks from German are responsible for this variant, but there is not enough evidence to completely support this idea. .mordor extension has been identified as the extension that all Mordor variants should append to the encrypted data. Individual victims will receive different ID numbers which will give them access to a website, controlled by hackers. Trustmordor.pw is left in the Read_Me.html file. The domain opens up in mostly all browsers, requires users to select their preferred language and enter an ID number to get permission to enter further.
Separate victims can be required different sums for the file decryption software or code. It might be that the requested fee is 1 BTC which is currently about 1457.29 US Dollars. For others, if the number of encrypted files is smaller, the ransom could be around 0.8 (approximately 1165.83 US Dollars). Both of these prices are steep and we discourage victims from paying it no matter the circumstances.
Mordor ransomware: possible methods for decryption
For now, there is no way of restoring files that have been appended with .mordor extension. However, given the circumstances and the amount of infections that get released every day, we would not be too concerned. Security researchers will find the time to analyze this variant and determine the best way to help users: possibly with a free file-decryption tool. For now, we advise you check whether Mordor ransomware deleted Shadow Volume Copies. In fact, if you have stored your files in an additional location or back upped it, file-recovery is a very easy process. All you have to do is retrieve files from a backup storage or another device which was used as storage.
Mordor ransomware: how do people become infected?
Ransomware infections are known to use a couple of strategies for distribution. For instance, their creators can add payloads as attachments in spam letters and send around such messages to thousands of recipients. If you are not careful while opening letters that you find in your email account, we advise you start treating them with more caution. Unknown sources very seldom send messages to wrong emails: it might be that you are targeted. Also, do not follow links that are indicated in such messages. Lastly, vulnerable websites could also participate in the distribution of ransomware; be careful which domains you end up in.
Spyhunter, Malwarebytes and Hitman are here to help you with the removal of Mordor ransomware virus. Before you attempt to restore files that the infection corrupted, we encourage to eliminate malicious executables first.
Mordor Ransomware quicklinks
- Details about Mordor ransomware
- Mordor ransomware: possible methods for decryption
- Mordor ransomware: how do people become infected?
- Automatic Malware removal tools
- How to recover Mordor ransomware encrypted files and remove the virus
- Step 1. Restore system into last known good state using system restore
- 1. Reboot your computer to Safe Mode with Command Prompt:
- 2.Restore System files and settings.
- Step 4. Use Data Recovery programs to recover Mordor ransomware encrypted files
Automatic Malware removal tools
How to recover Mordor ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2.Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before Milene ransomware virus has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of SuperCow ransomware virusAfter restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Mordor ransomware. You can check other tools here.
Step 3. Restore Milene ransomware virus affected files using Shadow Volume CopiesIf you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually SuperCow ransomware virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Mordor ransomware encrypted filesThere are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
- We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
- Download a data recovery program.
- Install and scan for recently deleted files.