Remove Moth Ransomware (.m0th) from Your Computer

New cyber threat named Moth has been reported to infect online users. The Moth is a ransomware attack and uses AES-256 cipher to encrypt the data. It adds the .m0th extension to the encrypted files. A ransom in BitCoin currency is demanded.
Read on our detailed information on Moth ransomware and avoid the risk of infection. In a case of infection keep reading the article to the end where you can find removal instructions for Moth ransomware.

Moth Ransomware

File Extensions


Solution #1
Moth ransomware can be removed easily with the help of an anti-malware tool, a program that will clean your computer from the virus, remove any additional cyber-security threats, and protect you in the future.

Solution #2
Moth Ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below.

The most common used technique is through spammed emails that contain malicious attachments.

What Exactly is Moth Ransomware?

Moth is a cyber threat that infiltrates the system, encrypts files and demands a ransom that’s why it belongs to ransomware attacks. Once Moth ransomware infiltrates the PC it may create its malicious files in some basic Windows folders. The folders %AppData%, %Temp%, %LocalRow%, %Local%, %User’s Profile% may be ransomware’s target location. Other possible modifications that Moth ransomware may do concern changes in the Windows Registry. Values in Run key may be changed or added. Thus may cause automatic load of Moth ransomware with each start of the Windows operation system. In case of infection check and clean the irregular values in following key location.


The Moth ransomware scans the computer Disk drives for different file types including documents, audio files, videos, music, etc. Here is a list of all file extensions that are encrypted by Moth ransomware:


Moth Ransomware-aes-256-bestsecuritysearch

The encryption algorithm used by Moth ransomware is AES-256. AES stands for Advanced Encryption Standard and it is symmetric encryption algorithm which means that one key is used for encryption and decryption. The encryption process ends with appending .m0th extension to all corrupted files. The .m0th files are unable to be accessed or used. Cyber criminals allege that there is no other way to encrypt the data unless contacting them and paying the ransom. However, don’t make a deal with them. On one hand there is no guarantee your files will be restored even after sending the money to them. On the other hand contacting them may expose to risk your personal identifiable information that can grant access to your bank and other accounts.

After the end of the encryption stage Moth ransomware creates a text document named READMEPLEASE.TXT that contains explanation of what has just happened with your files and how you can contact cyber criminals to pay the ransom and get the decryption key. Here you can read what exactly the ransom message states:

All your files have been encrypted using our extremely strong private key. There is no way to recover them without our assistance. If you want to get your files back, you must be ready to pay for them. If you are broke and poor, sorry, we cannot help you. If you are ready to pay, then get in touch with us using a secure and anonymous p2p messenger. We have to use a messenger because standard emails get blocked quickly and if our email gets blocked your files will be lost forever.
Go to, download and run Bitmessage. Click Your Identities tab > then click New > then click OK (this will generate your personal address, you need to do this just once). Then click Send tab.
TO:{Cyber-criminals’ BitCoin address}
Subject: name of your PC or your IP address or both.
Message: Hi, I am ready to pay.
Click Send button.
You are done.
To get the fastest reply from us with all further instructions, please keep your Bitmessage running on the computer at all times, if possible, or as often as you can because Bitmessage is a bit slow and it takes the time to send and get messages. If you cooperate and follow the instructions, you will get all your files back intact and very, very soon. Thank you.”

Spread Techniques of Moth Ransomware

Different persuasive techniques aim to drop the ransomware’s payload on the system. The most common used technique is through spammed emails that contain malicious attachments. The malicious attachments may contain exploit kits, Trojans or malicious macros hidden in a document. Download of such attachment will automatically inject malware inside your PC. Sometimes the threat is hidden in the text of the e-mail thereby Moth ransomware may infect the computer only by opening the e-mail. Be mindful of any sources that send you the emails because cyber crooks may try to mislead you by setting the name of a familiar sender. Other practices for distribution of Moth ransomware may be fake notifications for software updates, malicious redirect links in compromised websites, malicious JavaScript code injected in legit web pages or bad links shared on social media sites.

Remove Moth Ransomware from the Computer

Moth ransomware is a serious threat for your computer, and it’s best to remove it instantly from the system. You could follow our manual removal instructions below. They will help you to remove Moth ransomware from the computer. You could also use an advanced anti-malware and remove it automatically. In case you face difficulties during the removal process and need further help leave us a comment under the article and we will try to help you.
VirusTotal may be a good prevention tip against ransomware attacks. You could upload all links and files that seem suspicious. The results will help you to understand if the uploaded information hides any danger for the security of your computer.

Restore .m0th Files

Even though cyber-criminals are trying to convince you that the only way to recover .m0th files is to contact them and pay the ransom, contacting them is always to be avoided. It may expose your computer and you to other risks. It is better to invest the ransom amount in security and data recovery measures.
There is no information that Moth ransomware deletes the shadow volume copies from the system. Utilizing Shadow Explorer may help you to recover some files. Another approach that may help you to restore files is reliable data recovery software. In conclusion, don’t forget that security researchers do their best at reverse engineering and are looking for a solution. Hopefully, there will be an available decrypter for Moth ransomware soon.

Since malware attacks are increasing and users suffer from daily attacks, we have decided to make a tutorial which will help you delete malware, try and restore files in case they are encoded by crypto-viruses and protect yourself in the future as well.

Try to Load Your PC in Safe Mode

For various Windows OS’s:
1) Hit WIN Key + R
2) A Run window will appear. In it, write “msconfig” and then press Enter.
3) A Configuration box shall appear. In it Choose the menu named “Boot”.
4) Choose the Safe Boot preference and then go to Network under it to tick it.

Eliminate the malicious processes

1) hit the following key combination: CTRL+ESC+SHIFT
2) Get over to Processes.
3) Choose the suspicious process if you have found it and then right click it after which click on “Open File Location”.
4) End the malicious process by again right-clicking and choosing “End Process”.

Delete registry objects created by malware.

For all Windows versions:
1) Again type simultaneously the Windows Button + R. key combination.
2) In the type box, write “regedit”(without the inverted comas) and hit Enter.
3) Type the CTRL+F key combination and then write the malicious name in the search type field to locate the malicious executable.
4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys.

Recover files encrypted by ransomware.

If you want to try recovering files yourself, you have several options:
Option One: By using Windows’s System Restore
1) Hit the Windows Button + R. key combination.
2) After the “Run” Window pops up, write “rstrui” and hit on the Enter button.
3) Choose a restore point and continue.

IMPORTANT: If you want to be more effective, we strongly suggest booting in safe mode if you are to do this!

Option Two: By using Windows’s Shadow Volume Copies

To access shadow volume copies you may require a program, like Shadow Explorer. Install it open it and make it scan for shadow copies. If you have them enabled, this method will work, in case the crypto-virus has not deleted them.

Option Three: By using various Recovery Software

This option will not ensure maximum effectiveness and recovery rate but still, you may restore several files. Most data recovery programs are available for free online, simply Google “Data Recovery Software”.

Prevent viruses from damaging your files in the future.

To protect your important data we suggest that you store it in the cloud. Programs that makes online backup possible also enable you to schedule auto backup on different time periods and this way, even if you lose your data, you can find it uploaded in securely encrypted account, access to which only you have.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Joseph Steinberg

Joseph Steinberg is the editor-in-chief, lead content creator, and local father figure of Best Security Search. He enjoys hiking and rock climbing and hates the 12345678 and qwerty passwords.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *