Mmnn ransomware – file locking malware that encrypts documents and other files on the system with RSA cipher

Mmnn ransomware is a type of malware that locks pictures, documents, databases, PDF, and other files on the host system. Being a variant of the prolific family Djvu, this virus follows similar behavioral pattern as its predecessors – it locks data with the help of a strong encryption algorithm RSA,[1] appends an extension to each of the files (in this case, .mmnn is added), and then drops a ransom note _readme.txt.
Inside the ransom note, users can find a message from Mmnn virus authors. It claims that, in order to regain access to data, they need to send an email via helpdatarestore@firemail.cc or helpmanager@mail.ch, and then pay the ransom – $490 in Bitcoins. If the requirement is not fulfilled within 72 hours, the Mmnn ransomware decryptor price increases to $980. However, paying criminals is risky, as they might never send the required tool after the money transfer. Instead, there are other recovery methods that might work, such as Emsisoft's decryption tool that is continuously being updated, or third-party recovery software might also be useful in some cases.
| Name | Mmnn ransomware |
| Type | File locking virus, cryptomalware |
| Family | Djvu ransomware family |
| File extension | The virus locks all user files and appends .mmnn extension; example of encrypted file picture.jpg -> picture.jpg.mmnn |
| Cipher | A sophisticated asymmetric RSA encryption algorithm is used for file locking process |
| Ransom note | _readme.txt is dropped on the desktop, as well as all the folders where locked data is located |
| Contact details | Contact emails vary from version to version; this time, crooks ask to contact them via helpdatarestore@firemail.cc or helpmanager@mail.ch for the negotiation purposes |
| Ransom size | The attackers ask to pay $490 in Bitcoin for the decryption software; this sum doubles if the demands are not fulfilled within 72 hours post-infection |
| Traits |
|
| File recovery | Without backups, file recovery might be difficult. Emsisoft's decryptor might be helpful if the malware has used an offline ID to lock files. Additionally, third-party recovery tools may sometimes be successful when trying to regain access to .mmnn locked files – you can find download links and usage instructions below |
| Malware removal | It is vital to get rid of ransomware before proceeding with file recovery, but only after making copies of locked files. Termination can only be achieved with reputable anti-malware tools, such as SpyHunterCombo Cleaner or MalwarebytesMalwarebytes |
| System fix | In case your computer is crashing or is not working as prior to ransomware infection, you can fix virus damage with repair software FortectIntego – it could help you avoid the lengthy process of the OS reinstallation |
It is important to remove Mmnn ransomware from the system as soon as possible because variants of this malware family were previously spotted inserting a data-stealing module into Google Chrome, Mozilla Firefox, and other popular browsers. As a result, users who enter their sensitive data, such as banking details, may deliver this information to malicious actors without realizing it.
Besides, the Mmnn file virus modifies Windows “hosts” file – it appends the IP address of websites that focus on Mmnn ransomware removal instructions. As a result, users will be unable to contact them. To stop this from happening, users should go to the following location on their Windows machines and delete the “hosts” file:
C:\Windows\System32\drivers\etc\
It is important to note that Mmnn ransomware can employ various tactics and methods in order to operate on the system without interruptions. For example, before proceeding with data encryption, the malware modifies the Windows registry to establish persistence, deletes Shadow Volume Copies to prevent data recovery, disables Windows Repair, and performs many more system modifications. As a result, Windows may get corrupted, and victims will be forced to reinstall it after malware termination. If that is the case, we recommend using FortectIntego repair tool, as it can fix Mmnn virus damage.
After the preparations are complete, Mmnn ransomware will begin the encryption process. It targets most common used file types, such as .pdf, .doc, .zip, .txt, .mp4, .jpg, .dat, .xml, etc., although it skips system files, as well as most executables. During this time, the malware will show a fake Windows update Window that is designed to mask the original purpose of the data encryption task. After that, users will quickly notice that all their personal files are marked with .mmnn extension, their icons are blank, and that they can no longer access them.
Note: malware infection and data encryption are two separate processes – many users confuse these two. What it means is that even if you get rid of Mmnn ransomware infection (termination of malicious settings and files imported by malware), it will not transform your data back to the original state.

Mmnn ransomware decryption options
Djvu ransomware, otherwise known as STOP ransomware, was first spotted in the wild back in December 2017, and since then, more than 200 variants were released. Currently, malicious actors deliver new versions regularly – most recent ones append .rooe, .bboo, .alka, .repp, and .btos file extensions. Since then, security researchers tried to battle this prolific family and were sometimes successful with tools like STOPDecrypter, which worked in particular situations.
In October 2019, security researchers from Emsisoft managed to create a decryption tool that could help victims to recover files for free, although it only worked for versions released before August that year. Unfortunately, Mmnn ransomware belongs to the new surge of variants that apply an improved encryption algorithm RSA, so data can no longer be decrypted.
Nevertheless, at that time, researchers also delivered a decryption tool that could also sometimes help victims even with the newest variants – and it is used to this day. Unfortunately, the decryptor is only viable when the encryption process of Mmnn ransomware (or another new version) was performed when the malware could not contact its Command & Control servers, i.e., it used an offline ID to lock data.
Hackers behind Mmnn ransomware virus deliver the following message to victims:
ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-onB03STxUy
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:
helpdatarestore@firemail.ccReserve e-mail address to contact us:
helpmanager@mail.chYour personal ID:
Providing a test decryption option now became a common practice among cybercriminals, as they try to establish a false sense of security. In other words, they are trying to convince victims that decryption software for Mmnn ransomware will follow as soon as they pay the ransom in Bitcoin.
Unfortunately, that is not entirely true – at least not always. There have been plenty of documented cases where ransomware developers did not respond and did not provide the tool after the payment. Therefore, if you decide to pay for Mmnn ransomware decryptor, keep in mind that you might lose not only your files but also the money.
Therefore, rather refer to the data recovery section below – we provide download links and usage instructions of some third-party tools that may help you recover at least some of Mmnn ransomware-encrypted files.

Protect your computer from ransomware infections
Most users who get infected with ransomware never had to deal with it before. Therefore, they do not immediately understand the implications of the infection; i.e., it usually results in permanent data loss. Luckily, there are some options that might help for some users, although it is not a rule.
According to security researchers, about 99% of infections of Djvu occur when users download pirated application installers or software cracks/loaders/keygens from various insecure websites. Additionally, ransomware may also be delivered directly via adware bundles (as it happened with .rumba variant).[2] Therefore, it is vital staying away from such dangerous sites and either opt for free alternatives of the program or buying or buying it from the official sources.
Nevertheless, many users are still willing to risk it – those who visit pirated software sites are usually aware that they are filled with malware. Remember that ransom demands reach as high as $980 – a far larger sum than a paid version of most applications.
Additionally, security experts[3] also advise practice the following safety measures:
- Backup your personal files regularly;
- Employ reputable anti-malware software and keep it updated;
- Apple security updates as soon as they are released;
- Use strong passwords for all your accounts;
- Do not use a default port (3389) for your Remote Desktop connections;
- Do not open spam email attachments or click on links inside;
- Employ additional tools for security, such as ad-block, Firewall, VPN, etc.
Terminate Mmnn ransomware the correct way
Those who never had to deal with a ransomware infection may be baffled of what to do next. It is important not to start from the wrong action, such as immediately using anti-malware to remove Mmnn ransomware or attempt to use backups for file recovery.
Recovery tools or Mmnn ransomware removal may corrupt encrypted data, and even a working decryptor would not be able to save it anymore. Therefore, the first step should be backup of already encrypted files – you can either copy them to an external drive or place them on a remote server, like Google Drive. Once you complete this, you can then proceed with the Mmnn virus termination process.
The only way to get rid of malware is to employ a powerful anti-malware tool that can recognize the threat.[4] perform a full system scan – this will guarantee that all the malicious files are deleted. Only then you may attempt the file recovery process, which also depends on your particular case.
Was this guide helpful?
Be the first to comment