MoneroPay Ransomware

MoneroPay Ransomware is a very tricky threat. It is concealed as a SpriteCoin, which is introduced to users as a cryptocurrency miner. At the time of research, it was offered to users via a page on the pagebin.com domain. If the user is tricked into downloading the so-called “starter kit,” a ZIP file named “spritecoin.zip” is downloaded. The file is unlikely to be downloaded without the user’s permission, and it relies on the user for execution. Unfortunately, the victim might be tricked into believing that they will be earning a lot of money using the tool, which is why they are likely to execute the threat without even suspecting a problem. Once the threat is in, it silently encrypts files, after which, a ransom note is presented to deliver the demands. If you have been tricked into letting this devious ransomware in, you need to continue reading this report to learn all about it. At the bottom, you will find tips that will help you delete the infection. You will also find MoneroPay Ransomware removal instructions.

Once the malicious spritecoin.zip file is opened, the victim finds four new files: spritecoinwallet.exe, spritecoind.exe, cryptonight.dll, and boost.dll. It is crucial that these MoneroPay Ransomware files are removed right away, but, of course, the victim will, most likely, open them instead. When the first .exe file is launched, the victim sets up a wallet and creates a password for it. It all looks legitimate, which is why the user is unlikely to suspect anything bad. After this, the blockchain download is started, and the user is tricked into thinking that it is real. In reality, the “downloading” conceals the act of encryption. Once files are encrypted, all of them have the “.encrypted” extension attached to their names. The second .exe file (spritecoind.exe), according to our research team, shows the ransom note, and it should be launched automatically. Unfortunately, even if you delete MoneroPay Ransomware with all of its malicious components at this point, your files will remain encrypted. You will not be able to check which files were encrypted unless you close the window representing the ransom note.

The malicious MoneroPay Ransomware launches a window named “MoneroPay,” which is why the threat is named the way it is. According to the message, the victim must pay 0.3 monero (~100 USD) to retrieve files. The window message includes an address to which the transaction must be made. A unique ID number is added as well, and you are meant to send it along with the ransom so that the attacker could be able to identify you. Although it might seem as if the creator of MoneroPay Ransomware is capable of decrypting your files, the reality is that they are unlikely to bother with it. At the end of the day, they care only about money. Hopefully, you can fall back onto a file backup to access personal files, and the corrupted files can be deleted along with the ransomware. First, of course, you need to regain access to your computer. If you restart it, the screen-locker will remain because the ransomware creates a point of execution, and the copy of the ransomware is launched with every start. The good news is that you can close the window by terminating a malicious process via Task Manager.

If you decide to delete MoneroPay Ransomware from your Windows operating system manually, you can follow the steps shown below. The most important step, however, is to scan your system afterward to check if other threats or ransomware leftovers persist. If any threats are found, you need to remove them as soon as possible. Of course, if you are not experienced or you do not have time, you do not need to remove MoneroPay Ransomware manually. Instead, you can install an automated anti-malware tool that will immediately inspect your system and delete the files that are classified as malicious. In this case, you still need to unlock your system using the first steps. It is strongly recommended that you keep the anti-malware tool installed and regularly updated so that you would not need to face other threats in the future. Another thing you can do is to figure out how to back up your personal files because that is how you can avoid the loss of your files.

MoneroPay Ransomware Removal

1. Simultaneously tap Ctrl+Alt+delete and then select Start Task Manager.
2. Click the Processes tab and right-click the malicious {unknown name} process.
3. Select Open File Location and then End process and close Task Manager.
4. Delete the malicious .exe file opened in the file location.
5. Delete all recently downloaded suspicious files.
6. Delete these ransomware files: pritecoinwallet.exe, spritecoind.exe, cryptonight.dll, boost.dll.
7. Launch RUN (tap Win+R keys) and then enter regedit.exe to launch Registry Editor.
8. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
9. Find the value named MoneroPay and copy the file location in the value data.
10. Delete the value and then exist Registry Editor.
11. Launch Explorer (tap Win+E keys) and paste the file location in the bar at the top.
12. You should find the copy of ransomware named MoneroPayAgent.exe. If you find it, Delete it.
13. Empty Recycle Bin to eliminate the malicious components.
14. Install a legitimate malware scanner and then perform a full system scan.