Banji 0 Report post Posted September 8, 2019 Hello, My PC is infected with STOP ransomware with extension .moka on all my files. This occurred when I wanted to install an application on my laptop and I temporary uninstalled my Bitdefender antivirus on the PC. Kindly help!!!. Regards. Banji Agboola Quote Share this post Link to post Share on other sites
Amigo-A 60 Report post Posted September 8, 2019 Hello @Banji This is the result of the STOP-Djvu Ransomware attack. I have been tracking the malicious work of this program since December 2017. Now on the forum a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. Extension .moka, .peta and others - this is new variant of STOP Ransomware. Until recently, it was possible to collect some information and add it to STOP-Decrypter. Now this does not help. We expect changes in the decryption method. But so far there is no such news and the victims remain with encrypted files. I repeat, there is no way to decrypt files yet. Any site that offers decryption for this variant may be a scam site. Be careful. Quote Share this post Link to post Share on other sites
Amigo-A 60 Report post Posted September 8, 2019 Most ransomwares will automatically delete themselves after they finish encrypting files, but some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best practice to check and make sure that no such components have been left behind, so we recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (just attach the log files FRST saves to your message):https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Quote Share this post Link to post Share on other sites
Amigo-A 60 Report post Posted September 8, 2019 In addition, the STOP-Djvu Ransomware does the following: 1) leaves behind a software module that steals personal information from browsers and other programs; 2) modifies the hosts file to prevent browsers from opening anti-virus companies' websites and forums (like this one) that helps victims. For these targets: 1) after checking and cleaning the PC, when it is be confirmed that there are no other malicious modules, you need to replace the passwords for all sites with more complex ones (at least 12-16 characters, including A-a, Z-z, 0-9, @ # $). 2) you need to reset or delete the modified hosts file, without it, all legitimate sites will be available to you. The path to this file is: C:\Windows\System32\drivers\etc\ Download Image Quote Share this post Link to post Share on other sites
Banji 0 Report post Posted September 9, 2019 Hello, Thanks for this information. The files that were infected are in .moka extension not .peta extension. Quote Share this post Link to post Share on other sites
Amigo-A 60 Report post Posted September 9, 2019 .gero .hese .seto .peta .moka With these extensions the situation is the analogical. Free STOP-Decryptor does not work with them. Quote Share this post Link to post Share on other sites
Amigo-A 60 Report post Posted September 9, 2019 I was informed that Drweb can decrypt some files that STOP-Decrypter cannot decrypt, only in another way. Only .pdf encrypted files and all the Office documents .doc, xls, docx, xlsx, ppt, pps, etc … Unfortunatly with this way can't will decrypt photo, video, audio and many files with other extensions. If free test decrypt these files will successful, the fees requested by Dr.Web experts 150 EUR for Rescue Pack (Personal decryptor + 2-year DrWeb Security Space protection). There is no alternative to receiving this service. If the test-decrypt will fails, no payment will be required. Tell me, if this way suits you, I will let you know what files you need to collect for this. I do not participate in this process and do not provide any help except this information. I not having any financial benefit and is not involved in this decryption service at all. Quote Share this post Link to post Share on other sites
Asif Ali 0 Report post Posted September 13, 2019 (edited) On 9/9/2019 at 5:34 AM, Banji said: Hello, Thanks for this information. The files that were infected are in .moka extension not .peta extension. My computer has been infected with the same virus 6 days ago. .moka virus. Please let me know if you find the solution. email me if you happen to know the solution on below email. Edited September 14, 2019 by GT500 Removed e-mail address. Quote Share this post Link to post Share on other sites
GT500 626 Report post Posted September 14, 2019 8 hours ago, Asif Ali said: email me if you happen to know the solution on below email. We highly recommend that you don't share your e-mail address publicly. Criminals will contact you and attempt to extort money from you. Quote Share this post Link to post Share on other sites
Amigo-A 60 Report post Posted September 14, 2019 Hello @Asif Ali Please read my height above. At this point in time, this is the only chance to return some of their files. This is not a simple job that can be done as 1-2 min. It takes time, the work of analysts and the computing power of PC's of specialists. Quote Share this post Link to post Share on other sites
Asif Ali 0 Report post Posted September 14, 2019 3 hours ago, GT500 said: We highly recommend that you don't share your e-mail address publicly. Criminals will contact you and attempt to extort money from you. Thank you very much for your guidance. Quote Share this post Link to post Share on other sites
SYED 0 Report post Posted September 15, 2019 HELLO ALL I am also infected by STOP DJVU .PETA i got my file with shadow files. Quote Share this post Link to post Share on other sites
Amigo-A 60 Report post Posted September 16, 2019 Hello @SYED Please read my height above. At this point in time, this is the only chance to return some of their files. This is not a simple job that can be done as 1-2 min. It takes time, the work of analysts and the computing power of PC's of specialists. Quote Share this post Link to post Share on other sites
