Moqs Ransomware removal

Moqs Ransomware is file-encrypting malware that comes from the Djvu/STOP ransomware family. The gang has released hundreds of versions in the past, and this one can be identified by the .moqs file extension added to encrypted files. Once files are encrypted, you will not be able to open them unless you first decrypt them using a special program the ransomware operators will try to sell you. It will be explained in the _readme.txt ransom note the ransomware drops.

 

Moqs Ransomware is the newest version released by the notorious Djvu/STOP ransomware gang. We have previously written about another version known as Gujd ransomware. All versions are more or less identical, with the obvious difference being the name. The versions can be identified by the file extensions they add to encrypted files. This ransomware adds .moqs, which is why it’s known as Moqs Ransomware.

The moment the malware is initiated, it will start encrypting your photos, videos, documents, images, etc. During the encryption process, the malware will show a fake Windows Update window to distract victims.

You will know which files have been affected by the .moqs extension added to encrypted files. For example, image.jpg would become image.jpg.moqs. You will not be able to open these files unless you run them through a decryptor. Unfortunately, the ones with the decryptor are the cybercriminals operating this ransomware and they will not just give it to you. As explained in the _readme.txt ransom note that’s dropped in folders containing encrypted files, the decryptor costs $980. Though the cyber crooks offer a 50% discount if contact is made within the first 72 hours. manager@mailtemp.ch and helpmanager@airmail.cc are the contact email addresses provided in the ransom note. The same, practically identical note is dropped by other versions of this ransomware.

While paying the ransom may seem like the best option, we caution against that. Keep in mind that you are dealing with cybercriminals, and there’s nothing stopping them from taking the money and not sending anything in return. It has happened many times in the past so you should be aware of the risks if you are considering paying. Furthermore, the more victims pay the ransom, the more money these cybercriminals make, encouraging them to continue their malicious activities.

If you have a backup of your files, you can start recovering them as soon as you remove Moqs Ransomware from your computer. Do not access your backup while the ransomware is still present because it will encrypt the files in backup as well.

If you do not have a backup, your only option may be to wait for malware researchers to develop a free decryptor, though that may be difficult at this moment. Software company Emsisoft did release a free decryptor for older Djvu/STOP ransomware versions, but it’s unlikely to work with Moqs Ransomware. The free decryptor works for older versions that used offline keys to encrypt users’ files, meaning they were the same for all victims. If one victim paid the ransom and got the decryptor, it would work for everyone. However, new versions like Moqs Ransomware use online keys for encrypting files, meaning the keys are different for each victim. It’s not possible to develop a universal decryptor without those keys. However, it’s not impossible that they will be released by the cybercrooks themselves or by law enforcement sometime in the future. So if you are out of options, back up encrypted files and wait for a decryptor.

Ransomware distribution methods

In most cases, individual users who are not targeted specifically become victims of ransomware and other malware infections because of their bad browsing habits. That includes opening unknown email attachments, interacting with ads on high-risk websites, downloading fake updates, pirating via torrents, etc. Developing better habits can make a significant difference when it comes to malware prevention.

Spam email attachments, or malspam, are arguably the most common way users pick up malware infections. Malicious actors buy thousands of email addresses from hacker forums, write a semi-convincing email, attach a malicious file, and send it off to potential victims. If users open those attachments, they allow the malware to initiate. These emails are mostly quite generic, which means users should be able to identify them if they are aware of the signs. Though it should be mentioned that if someone is targeted specifically, the emails may be much more sophisticated, as personal information would likely be used to make them seem more legitimate. But for regular users who are targeted on a massive scale, the emails will be sent from random and very unconvincing email addresses, be full of grammar and spelling mistakes, claim that the email attachment must be opened immediately because it’s an important document, and address you using Member/User/Customer and other generic words instead of your name. In general, it’s not a good idea to open unsolicited email attachments before making sure they are safe. Scan them using your anti-virus software or VirusTotal before opening them.

You are likely already aware of this but torrent websites are also full of malware. That is one of the reasons why pirating is so discouraged, the other reason is that it’s essentially stealing content. Torrent sites are quite badly moderated, which means that cybercriminals can easily upload malicious content disguised as a movie, episode of a TV show, a video game, software, etc. Malware is particularly common in torrents for content that’s particularly popular, such as an episode for Game of Thrones. So if you want to avoid serious malware infections, we suggest you avoid pirating.

Moqs Ransomware removal

Considering that ransomware is a very complex malware infection, we strongly recommend that you use anti-virus software to remove Moqs Ransomware. If you try to do it manually, you may end up causing even more damage. Or you may miss something, which could later allow the ransomware to recover. This could allow the ransomware to encrypt files in your backup if it’s accessed when the ransomware is not fully removed. It would be best to leave Moqs Ransomware removal to tools specifically designed to deal with such infections.

Once you’re sure the ransomware is no longer present, you can access backup to start file recovery. Unfortunately, removing the ransomware will not automatically decrypt files, a special decryptor is necessary for that. A free one may be released sometime in the future, so back up the encrypted files and wait for a decryptor to be released. NoMoreRansom is a good source for reliable and safe decryptors.