MOOL Ransomware Removal Guide

Do you know what MOOL Ransomware is?

MOOL Ransomware is a threat that can ruin lots of valuable or precious files. Its creators designed it to encrypt pictures, photos, various documents, and similar data with a robust encryption algorithm. As a result, the files become unreadable and impossible to open. They can still be restored with the right decryption tools, but the hackers behind this threat might be the only ones who have such tools, and, sadly, they demand a ransom in exchange. The sum is not that significant compared to the amounts asked by other ransomware creators, but it is still huge. Therefore, before deciding what to do, you should think about whether you would be okay with losing the asked sum in vain. As you can see, there are no guarantees that the hackers will hold up their end of the bargain. If you want to learn more, we encourage you to read our full report. We also offer a removal guide below that shows how to delete MOOL Ransomware manually.

Users might receive this malware while interacting with unreliable data downloaded from spam emails or untrustworthy file-sharing websites. Our cybersecurity specialists say that the malicious application's installers could have random names. Thus, if your device gets infected with it, you should search for a recently obtained file that you opened before it happened. To settle in, MOOL Ransomware should create a couple of folders with long random titles, for example, 2a9ea166-82c4-499d-9f16-9e28ac1b8ef4. Such folders should appear in the %USERPROFILE%\Local Settings\Application Data and %LOCALAPPDATA% directories.

[Screenshot: MOOL Ransomware]

Furthermore, the malware ought to create a scheduled task in the %WINDIR%\System32\Tasks location and a Registry entry under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run path. Both the task and the Registry entry should ensure that the infected device relaunches the threat after every system restart. Next, MOOL Ransomware should start encrypting files that victims might be unable to replace, such as photos or any other data that does not belong to the operating system or other software (those can simply be reinstalled). As the targeted files are encrypted, they should receive the threat's extension, .mool, for example, sunrise.jpg.mool. Once the encryption process is finished, MOOL Ransomware should create a text document called _readme.txt that contains the ransom note.

As mentioned earlier, MOOL Ransomware’s ransom note should list hackers’ demands. To be more precise, they ask victims to contact them via email and pay a ransom of 980 US dollars. Users who contact the threat’s developers within 72 hours get a 50 percent discount, and the sum becomes 490 US dollars. Given that hackers could be lying about their intentions and they could scam you, we believe that paying a ransom would be risky. If you think so too and do not want to risk losing your money, we advise not to make any deals with cybercriminals.

Lastly, our researchers recommend deleting MOOL Ransomware because if you let it stay on your system, it could encrypt more files later on. The malware can be erased manually, and you can learn how to do it while following our removal guide available below. The other option is to get a legitimate antimalware tool that would eliminate MOOL Ransomware and other possible threats for you.

Erase MOOL Ransomware

  1. Restart your computer in Safe Mode with Networking.
  2. Click Windows Key+E.
  3. Navigate to the suggested paths:
    %TEMP%
    %USERPROFILE%\Desktop
    %USERPROFILE%\Downloads
  4. Find a file opened when the device got infected, right-click the malicious file, and select Delete.
  5. Find these paths:
    %USERPROFILE%\Local Settings\Application Data
    %LOCALAPPDATA%
  6. See if you can find the listed data in both mentioned folders:
    {random name}.exe
    script.ps1
  7. If you do find these files, right-click them, and choose Delete.
  8. Navigate to the same locations again:
    %USERPROFILE%\Local Settings\Application Data
    %LOCALAPPDATA%
  9. Look for folders with long random names, for example, dfebd084-11fb-41be-bfb2-da7e291a4873; right-click them, and choose Delete.
  10. Locate this particular path: %WINDIR%\System32\Tasks
  11. Search for a file called Time Trigger Task, right-click it, and choose Delete.
  12. Exit File Explorer.
  13. Press Windows Key+R, type Regedit, and choose OK.
  14. Navigate to this path: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  15. Look for a value name that could be related to the malicious application, for example, SysHelper.
  16. Right-click this value name and press Delete.
  17. Close the Registry Editor.
  18. Empty Recycle bin.
  19. Restart the computer.
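As an added example that is not part of the original guide, the following read-only PowerShell triage script checks a machine for the artifacts described above (the Run value, the scheduled task file, GUID-named dropper folders, .mool files and _readme.txt notes) and reports what it finds without deleting anything, so you can confirm the infection before working through the manual steps. The value name SysHelper, the task name Time Trigger Task and script.ps1 are taken from the guide; the GUID folder pattern is assumed from the examples given there.

```powershell
# Added example, not the guide's own code: read-only check for MOOL Ransomware artifacts.
# It only reports; removal is still done by hand following the numbered steps above.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence in the HKCU Run key (value name "SysHelper" comes from the guide)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues) {
    foreach ($p in $runValues.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        # Flag the known value name, and any Run entry that launches from %LOCALAPPDATA%
        if ($p.Name -eq 'SysHelper' -or "$($p.Value)" -like "*$env:LOCALAPPDATA*") {
            $findings.Add("Run value '$($p.Name)' -> $($p.Value)")
        }
    }
}

# 2. Scheduled task file dropped under %WINDIR%\System32\Tasks
$taskFile = Join-Path $env:WINDIR 'System32\Tasks\Time Trigger Task'
if (Test-Path -LiteralPath $taskFile) { $findings.Add("Scheduled task file: $taskFile") }

# 3. GUID-named folders in %LOCALAPPDATA% (and the legacy path) holding an .exe or script.ps1
$guidPattern = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'   # assumed from the guide's examples
$roots = @($env:LOCALAPPDATA, (Join-Path $env:USERPROFILE 'Local Settings\Application Data'))
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $guidPattern } |
        ForEach-Object {
            $payload = Get-ChildItem -LiteralPath $_.FullName -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -eq '.exe' -or $_.Name -eq 'script.ps1' }
            if ($payload) {
                $findings.Add("GUID folder with payload: $($_.FullName) [$($payload.Name -join ', ')]")
            }
        }
}

# 4. Encrypted files (.mool) and ransom notes (_readme.txt) under the user profile
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.mool' -ErrorAction SilentlyContinue
$notes = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '_readme.txt' -ErrorAction SilentlyContinue
if ($encrypted) { $findings.Add("$($encrypted.Count) file(s) with .mool extension; first: $($encrypted[0].FullName)") }
if ($notes) { $findings.Add("$($notes.Count) ransom note(s) named _readme.txt") }

if ($findings.Count -eq 0) { 'No MOOL Ransomware artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The recursive scan of the user profile can take a few minutes on large profiles; run the script from an elevated PowerShell window so the scheduled task folder is readable.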

In non-techie terms:

MOOL Ransomware belongs to the STOP Ransomware family. Thus, like most of the malicious applications that belong to it, the malware encrypts files and displays a note that asks to pay 980 US dollars or 490 US dollars for special decryption tools. The half-price discount is offered to users who contact the threat’s creators within 72 hours. Thus, there is plenty of time to think if you are considering the hacker’s offer. In this case, you should decide if 490 US dollars is a sum that you could risk losing. There is a chance that it might be lost for nothing because there is no way to know if the malware’s developers will deliver the promised decryption tools. If it is a considerable amount of money to you and you do not want to take any chances, we advise against paying the ransom. Instead, we recommend checking if you have any backup copies that you could use to replace encrypted files. Of course, first, you should erase MOOL Ransomware to avoid getting your backup files or any new data encrypted too.