Sunday 4 February 2018

Decryptor for MoneroPay Ransomware

After analysis of the MoneroPay ransomware (MD5: 14ea53020b4d0cb5acbea0bf2207f3f6), we managed to patch the binary to turn it into a decryptor.

The ransomware and password stealer in one application detected as 'MoneroPay' impersonates itself as the SpriteCoin cryptocurrency. The fraud was discovered by MalwareHunterTeam on January 13, 2018.

The ransomware uses the Salsa20 crypto algorithm to encrypt files. The MoneroPay generates 128-bit key based on C&C address ‘jmqapf3nflatei35.onion’, %COMPUTERNAME%, %USERNAME%, and %USERPROFILE%  strings. Therefore, it is essential to run the MoneroPay decryptor on the same computer from where the files have been encrypted.

To decrypt the files encrypted by MoneroPay ransomware:

Caution: Use the decryptor at your own risk. We are not responsible for any damage that it may cause.
  1. Backup the encrypted files that have the extension ‘.encrypted’ before decryption.

  2. Download the archive that contains the decryptor from the GitHub repository: 

  3. Unpack the archive using the password ‘infected’.

    • Note: The decryptor is the patched version of the cryptolocker and can be still detected as the MoneroPay ransomware by your antivirus.

  4. Run the decryptor ‘spritecoind_decryptor.exe’ (MD5: 3749d56abd58dff3d248b91b24da76d7) on an infected computer.

    1. Once executed, the decryptor shows the message to notify you about starting the decryption process.

      1. After successful decryption, it shows the message with the status ‘Done’.

    To clean up the computer that was previously infected by the MoneroPay ransomware:
    1. Delete the ‘MoneroPay’ autorun reference in the Windows System Registry:

    2. 'MoneroPay' = 'C:\Users\<USER>\AppData\Roaming\MoneroPayAgent.exe'

    3. Delete the ransomware file:


    Should you have any questions, please email to: ada (at)



    1. Replace please the link with _ on the end with the correct link