Banji

STOP Ransomware infected my PC

Recommended Posts

Hello,

 


My PC is infected with STOP ransomware with extension .moka on all my files. This occurred when I wanted to install an application on my laptop and I temporary uninstalled my Bitdefender antivirus on the PC. Kindly help!!!.

 

 

Regards.

 

Banji Agboola

 

Share this post


Link to post
Share on other sites

Hello @Banji

This is the result of the STOP-Djvu Ransomware attack. I have been tracking the malicious work of this program since December 2017. 
Now on the forum a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. 

Extension .moka, .peta and others - this is new variant of STOP Ransomware. Until recently, it was possible to collect some information and add it to STOP-Decrypter. Now this does not help. We expect changes in the decryption method. But so far there is no such news and the victims remain with encrypted files.

I repeat, there is no way to decrypt files yet. Any site that offers decryption for this variant may be a scam site. Be careful.

Share this post


Link to post
Share on other sites

Most ransomwares will automatically delete themselves after they finish encrypting files, but some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. 

It's best practice to check and make sure that no such components have been left behind, so we recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (just attach the log files FRST saves to your message):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ 

 

Share this post


Link to post
Share on other sites

In addition, the STOP-Djvu Ransomware does the following:
1) leaves behind a software module that steals personal information from browsers and other programs;
2) modifies the hosts file to prevent browsers from opening anti-virus companies' websites and forums (like this one) that helps victims.

For these targets:
1) after checking and cleaning the PC, when it is be confirmed that there are no other malicious modules, you need to replace the passwords for all sites with more complex ones (at least 12-16 characters, including A-a, Z-z, 0-9, @ # $).
2) you need to reset or delete the modified hosts file, without it, all legitimate sites will be available to you.

The path to this file is: C:\Windows\System32\drivers\etc\

h.jpg.399261a04288db830d6a76357a448996.jpg
Download Image

Share this post


Link to post
Share on other sites

.gero
.hese 
.seto
.peta
.moka

With these extensions the situation is the analogical. Free STOP-Decryptor does not work with them. 

 

Share this post


Link to post
Share on other sites

I was informed that Drweb can decrypt some files that STOP-Decrypter cannot decrypt, only in another way. Only .pdf encrypted files and all the Office documents .doc, xls, docx, xlsx, ppt, pps, etc … 
Unfortunatly with this way can't will decrypt photo, video, audio and many files with other extensions.
If free test decrypt these files will successful, the fees requested by Dr.Web experts 150 EUR for Rescue Pack (Personal decryptor + 2-year DrWeb Security Space protection). There is no alternative to receiving this service. If the test-decrypt will fails, no payment will be required. 

Tell me, if this way suits you, I will let you know what files you need to collect for this. 

I do not participate in this process and do not provide any help except this information. I not having any financial benefit and is not involved in this decryption service at all.

Share this post


Link to post
Share on other sites
On 9/9/2019 at 5:34 AM, Banji said:

Hello,

 

Thanks for this information. The files that were infected are in .moka extension not .peta extension.

My computer has been infected with the same virus 6 days ago. .moka virus.

 

Please let me know if you find the solution.

email me if you happen to know the solution on below email.

Edited by GT500
Removed e-mail address.

Share this post


Link to post
Share on other sites
8 hours ago, Asif Ali said:

email me if you happen to know the solution on below email.

We highly recommend that you don't share your e-mail address publicly. Criminals will contact you and attempt to extort money from you.

Share this post


Link to post
Share on other sites

Hello @Asif Ali

Please read my height above. At this point in time, this is the only chance to return some of their files.

This is not a simple job that can be done as 1-2 min. It takes time, the work of analysts and the computing power of PC's of specialists.

Share this post


Link to post
Share on other sites
3 hours ago, GT500 said:

We highly recommend that you don't share your e-mail address publicly. Criminals will contact you and attempt to extort money from you.

Thank you very much for your guidance.

Share this post


Link to post
Share on other sites

Hello @SYED

Please read my height above. At this point in time, this is the only chance to return some of their files.

This is not a simple job that can be done as 1-2 min. It takes time, the work of analysts and the computing power of PC's of specialists.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.