Moscovium ransomware is a malicious program that locks files on a victim’s computer by encrypting them, then demands a ransom, usually in Bitcoin, to unlock them. In this post, we will take a closer look at this threat, its origin and how to remove it from the system.
Moscovium Ransomware Overview
Moscovium (.m0sC0v1um) ransomware is a type of malware designed to encrypt files on a victim’s computer, rendering them inaccessible until a ransom is paid. This ransomware appends the “.m0sC0v1um” extension to encrypted files, a distinctive marker of its activity. The name “Moscovium” is likely derived from the chemical element named after the Moscow region, suggesting a possible connection to Russian cybercriminal operations.
While there is no clear evidence of this at the time of writing, given the current geopolitical situation and Russia’s track record of producing malware, it would not be surprising. The ransomware’s emergence has been noted in recent cybersecurity discussions, with sources indicating that it targets both individuals and organizations, exploiting the lucrative nature of data encryption for extortion.
The association of this ransomware with Moscow is inferred from the naming convention, aligning with reports of Russian-linked ransomware activities. On the other hand, this could be a very obvious attempt to make everyone think that Moscovium ransomware came from Russia; I have the least faith in that theory.
How Does It Work?
Moscovium ransomware’s infection and operation follow a typical ransomware lifecycle. It primarily spreads through deceptive tactics such as phishing emails, where attackers craft messages that appear legitimate, often impersonating trusted organizations or contacts. These emails contain malicious attachments or links that, when opened, activate the ransomware. Social engineering plays a key role, tricking users into downloading the malware, which can also spread through compromised websites, drive-by downloads, or bundled software from untrustworthy sources.
Once inside the system, Moscovium exploits vulnerabilities in outdated software or operating systems to gain access. It then encrypts files, using a combination of symmetric and asymmetric encryption, appending the “.m0sC0v1um” extension to each file, making them inaccessible. The encryption process targets common file types like documents, photos, and databases, disrupting normal operations. After encryption, it displays the ransom note, demanding payment for the decryption key, thereby causing significant data loss and operational disruption.

Ransom Note Overview
The ransom note for Moscovium ransomware, contained in a file named “!!!DECRYPT_INSTRUCTIONS!!!.txt”, directly communicates the attackers’ demands to the victim. The note states:

This message informs victims that their files are locked, specifies a ransom of 0.1 Bitcoin (BTC) to be sent to a provided wallet address, and instructs them to email proof of payment to an address hosted on Tutanota, an encrypted email service. The warning against self-decryption suggests that unauthorized attempts could render files permanently unrecoverable, a common scare tactic to pressure compliance.
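The two on-disk indicators the post describes, the “.m0sC0v1um” extension appended to encrypted files and the “!!!DECRYPT_INSTRUCTIONS!!!.txt” ransom note, are enough for a first triage pass over a suspect machine or a restored backup. The script below is an added example written for this post, not code from the original article or from any vendor tool; it builds a constructed directory layout with empty placeholder files (no real malware) and then walks it, reporting how many files were hit, their original names, where the notes were dropped, and which directories are affected.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the post: the extension appended to encrypted
# files and the file name of the dropped ransom note.
ENCRYPTED_EXT = ".m0sC0v1um"
RANSOM_NOTE = "!!!DECRYPT_INSTRUCTIONS!!!.txt"


def triage_moscovium(root):
    """Walk `root` and summarise Moscovium indicators found on disk.

    Matching is case-insensitive because NTFS, where most victims'
    files live, does not distinguish case in file names.
    """
    encrypted, notes, affected = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT.lower()):
                encrypted.append(full)
                affected.add(dirpath)
            elif name.lower() == RANSOM_NOTE.lower():
                notes.append(full)
                affected.add(dirpath)
    # The original file name is what remains once the appended extension is cut off.
    originals = sorted(os.path.basename(p)[:-len(ENCRYPTED_EXT)] for p in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "original_names": originals,
        "ransom_notes": sorted(notes),
        "affected_dirs": sorted(affected),
    }


def build_sample_tree():
    """Create a constructed layout mimicking an infected user profile.

    Only empty placeholder files are written; nothing here is malicious.
    """
    root = Path(tempfile.mkdtemp(prefix="moscovium_demo_"))
    docs, pics, clean = root / "Documents", root / "Pictures", root / "Program Files"
    for d in (docs, pics, clean):
        d.mkdir()
    (docs / ("report.docx" + ENCRYPTED_EXT)).touch()
    (docs / ("budget.xlsx" + ENCRYPTED_EXT)).touch()
    (docs / RANSOM_NOTE).write_text("constructed placeholder note\n")
    (pics / ("holiday.jpg" + ENCRYPTED_EXT)).touch()
    (pics / RANSOM_NOTE).write_text("constructed placeholder note\n")
    (clean / "app.exe").touch()  # untouched file: must not be reported
    return str(root)
```

Point `triage_moscovium()` at a mounted image or a restored backup to confirm the backup predates encryption before relying on it; a backup that itself contains “.m0sC0v1um” files or the note was taken after the fact.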
How to Remove the Virus?
Removing Moscovium ransomware requires a systematic approach to eliminate the malware and prevent further damage. The recommended method is to use a trusted anti-malware solution capable of detecting and removing all components of the ransomware. Specifically, GridinSoft Anti-Malware is an incredibly effective tool for this purpose, capable of identifying and deleting all files, folders, and registry keys associated with Moscovium.
Additionally, users should be cautious with email attachments and links, avoid suspicious downloads, and enable firewall protection. Regular system updates and security patches are essential preventive measures, as highlighted in broader cybersecurity guidance.
Can I Recover Encrypted Files?
Recovering files encrypted by Moscovium ransomware is challenging due to the lack of public decryption tools. As of March 2025, research indicates no known methods exist to decrypt files without the attacker’s key. Paying the ransom does not guarantee file recovery, as attackers may not provide the decryption key, and it supports criminal activities.
The most reliable recovery option is to have regular backups stored on external drives or cloud services, ensuring they are not connected to the infected system during the attack to avoid encryption. If backups are available, restoring files post-removal is feasible. Without backups, the likelihood of recovering files is low, potentially leading to permanent data loss.