Jump to content

STOP Ransomware infected my PC

Banji

By Banji,
in Help, my files are encrypted!

 Share Followers 1

Recommended Posts

Banji

Banji 0

Posted
Posted

Hello,

 


My PC is infected with STOP ransomware with extension .moka on all my files. This occurred when I wanted to install an application on my laptop and I temporary uninstalled my Bitdefender antivirus on the PC. Kindly help!!!.

 

 

Regards.

 

Banji Agboola

 

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

Hello @Banji

This is the result of the STOP-Djvu Ransomware attack. I have been tracking the malicious work of this program since December 2017. 
Now on the forum a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. 

Extension .moka, .peta and others - this is new variant of STOP Ransomware. Until recently, it was possible to collect some information and add it to STOP-Decrypter. Now this does not help. We expect changes in the decryption method. But so far there is no such news and the victims remain with encrypted files.

I repeat, there is no way to decrypt files yet. Any site that offers decryption for this variant may be a scam site. Be careful.

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

Most ransomwares will automatically delete themselves after they finish encrypting files, but some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. 

It's best practice to check and make sure that no such components have been left behind, so we recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (just attach the log files FRST saves to your message):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ 

 

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

In addition, the STOP-Djvu Ransomware does the following:
1) leaves behind a software module that steals personal information from browsers and other programs;
2) modifies the hosts file to prevent browsers from opening anti-virus companies' websites and forums (like this one) that helps victims.

For these targets:
1) after checking and cleaning the PC, when it is be confirmed that there are no other malicious modules, you need to replace the passwords for all sites with more complex ones (at least 12-16 characters, including A-a, Z-z, 0-9, @ # $).
2) you need to reset or delete the modified hosts file, without it, all legitimate sites will be available to you.

The path to this file is: C:\Windows\System32\drivers\etc\

h.jpg.399261a04288db830d6a76357a448996.jpg

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

I was informed that Drweb can decrypt some files that STOP-Decrypter cannot decrypt, only in another way. Only .pdf encrypted files and all the Office documents .doc, xls, docx, xlsx, ppt, pps, etc … 
Unfortunatly with this way can't will decrypt photo, video, audio and many files with other extensions.
If free test decrypt these files will successful, the fees requested by Dr.Web experts 150 EUR for Rescue Pack (Personal decryptor + 2-year DrWeb Security Space protection). There is no alternative to receiving this service. If the test-decrypt will fails, no payment will be required. 

Tell me, if this way suits you, I will let you know what files you need to collect for this. 

I do not participate in this process and do not provide any help except this information. I not having any financial benefit and is not involved in this decryption service at all.

Link to post
Share on other sites
Asif Ali

Asif Ali 0

Posted
Posted (edited)
On 9/9/2019 at 5:34 AM, Banji said:

Hello,

 

Thanks for this information. The files that were infected are in .moka extension not .peta extension.

My computer has been infected with the same virus 6 days ago. .moka virus.

 

Please let me know if you find the solution.

email me if you happen to know the solution on below email.

Edited by GT500
Removed e-mail address.
Link to post
Share on other sites
GT500

GT500 872

Posted
Posted
8 hours ago, Asif Ali said:

email me if you happen to know the solution on below email.

We highly recommend that you don't share your e-mail address publicly. Criminals will contact you and attempt to extort money from you.

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

Hello @SYED

Please read my height above. At this point in time, this is the only chance to return some of their files.

This is not a simple job that can be done as 1-2 min. It takes time, the work of analysts and the computing power of PC's of specialists.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Followers 1
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 02/26/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...