MyAntiSpyware

.Moresa file extension ransomware virus (Restore, Decrypt .moresa files)

Myantispyware team April 22, 2019    

This week, cyber security professionals have received reports of yet another ransomware called ‘Moresa ransomware’. This ransomware spreads via spam emails and malware files and appends the .moresa file extension to encrypted files. Read below a brief summary of information related to this ransomware and how to restore or decrypt .moresa files for free.

‘Moresa ransomware’ – ransom note

The Moresa ransomware is a new variant of the ‘Vengisto@firemail.cc’ crypto virus. It affects all current versions of Windows OS, such as Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. This ransomware uses a strong encryption method to eliminate the possibility of brute forcing a key that would allow decrypting the encrypted personal files. The .Moresa ransomware encrypts almost all files, including common types such as:

.wpb, .pak, .icxs, .jpg, .wmd, .rgss3a, .webdoc, .wpw, .xlsx, .0, .7z, .zdb, .png, .cas, .p12, .cfr, .1, .mef, .bay, .sb, .3dm, .cr2, .kdc, .xxx, .d3dbsp, .ptx, .wbmp, .upk, .layout, .bkf, .xlk, .rb, .zdc, .odm, .m4a, .mdf, .sis, .webp, .rw2, .zabw, .xld, .avi, .z3d, .mdb, .pst, .pef, .vcf, .m3u, .orf, .pptm, .crt, .txt, .menu, .syncdb, .indd, .py, .asset, .wsh, .r3d, .arw, .odb, .xwp, .cer, .wbz, .wcf, .kdb, .vpk, .xll, .srf, .lrf, .xpm, .t12, .js, .vfs0, .docx, .mcmeta, .das, .doc, .snx, .pfx, .hkx, .apk, .zip, .odp, .rtf, .wdp, .bc7, .fsh, .dcr, .mov, .wp6, .raf, .xdb, .lbf, .bsa, .dbf, .p7b, .pdd, .pem, .docm, .rim, .wpd, .wpa, .wpl, .hplg, .x3f, .epk, .sie, .odt, .xml, .ibank, .xls, .fos, .2bp, .eps, .rofl, .psk, .wmf, .hvpl, .csv, .tax, .psd, .ybk, .ff, .sidd, .xls, .rar, .dmp, .wmv, .3fr, .xy3, .mrwref, .wm, .pdf, .w3x, .bar, .wpt, .wbk, .arch00, .bik, .wps, .wp, .dxg, .lvl, .3ds, .wsd, .wbm, .itm, .odc, .xbdoc, .big, .xyp, .hkdb, .map, .x3d, .wmv, .dazip, .itdb, .wma, .wp5, wallet, .ztmp, .sid, .zif, .svg, .iwd, .ltx, .xbplate, .dwg, .sum, .crw, .tor, .iwi, .css, .mp4, .jpe, .der, .xlsb, .srw, .wp7, .yal, .xf, .ncf, .accdb, .mpqge, .xmind, .ysp, .wbd, .xmmap, .wgz, .blob, .wpe

Upon successful encryption, it appends the .moresa extension to the file name of its encrypted file. The ransomware also creates a text file called “_readme.txt” in each folder. This file is a ransom demanding message. The ransom note asks for money in the form of bitcoins. The content of the ransom note is below:

ATTENTION!
 
Don't worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-aSdhfTOs1G
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
 
 
To get this software you need write on our e-mail:
vengisto@firemail.cc
 
Reserve e-mail address to contact us:
vengisto@india.com
 
Support Telegram account:
@datarestore
 
Your personal ID:

 

Threat Summary

Name: .Moresa ransomware
Type: Ransomware, Filecoder, Crypto virus, File locker
Contacts: vengisto@firemail.cc, vengisto@india.com, Telegram @datarestore
Ransom note: _readme.txt
Symptoms:
  • When you try to open your file, Windows notifies that you do not have permission to open this file
  • Your personal files now have a new extension
  • Files called like ‘READ-ME’, ‘_open me’, ‘_DECRYPT YOUR FILES’ or ‘_Your files have been encrypted’ in every folder with an encrypted file
  • Your desktop is locked with a message about how to pay to unlock your system
Removal: To remove .Moresa ransomware, use the removal guide
Decryption: To decrypt .Moresa ransomware, use the steps

 

We advise you to remove .Moresa ransomware as soon as possible, before its presence leads to even worse consequences. Follow the steps below, which will allow you to completely remove .Moresa ransomware from your PC system as well as recover encrypted photos, documents and music, using only a few free utilities.

Quick links

  1. How to remove .Moresa ransomware virus
  2. How to decrypt .moresa files
  3. Use STOPDecrypter to decrypt .moresa files
  4. How to restore .moresa files
  5. How to protect your personal computer from .Moresa ransomware virus?
  6. To sum up

How to remove .Moresa ransomware virus

There are not many good free antimalware programs with a high detection ratio. The effectiveness of malware removal tools depends on various factors, mostly on how often their virus/malware signature databases are updated in order to effectively detect modern worms, trojans, ransomware and other malicious software. We suggest using several programs, not just one. The programs listed below will help you delete all components of the .Moresa ransomware from your disk and Windows registry.



Remove .Moresa ransomware with Zemana Anti-malware

We suggest using Zemana Anti-malware, which will completely clean your PC of this ransomware. Moreover, the utility will allow you to get rid of worms, malicious software, trojans and adware that your personal computer may also be infected with.

Zemana Anti-Malware can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.

Zemana AntiMalware
164986 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

Once the download is finished, launch it and follow the prompts. Once installed, the Zemana Anti Malware will try to update itself and when this procedure is complete, click the “Scan” button to start checking your computer for the .Moresa ransomware and other kinds of potential threats like malicious software and PUPs.

Zemana Anti Malware (ZAM) detect .Moresa ransomware and other malicious software and PUPs

This process can take quite a while, so please be patient. Review the report and then click “Next” button.

Zemana Free scan is complete

The Zemana AntiMalware (ZAM) will remove .Moresa ransomware and other security threats and add items to the Quarantine.

Run MalwareBytes to remove Moresa ransomware virus

We recommend using MalwareBytes Anti Malware (MBAM), which will fully clean your PC system of the ransomware. This free utility is an advanced malicious software removal program created by (c) Malwarebytes lab. This application uses the world’s most popular anti malware technology. It is able to help you remove ransomware, worms, malicious software, adware, trojans, and other security threats from your personal computer for free.
MalwareBytes for Microsoft Windows, scan for ransomware is finished

  1. MalwareBytes Anti Malware (MBAM) can be downloaded from the following link. Save it on your Windows desktop.
    Malwarebytes Anti-malware
    327224 downloads
    Author: Malwarebytes
    Category: Security tools
    Update: April 15, 2020
  2. When the download is done, close all applications and windows on your PC. Open a folder in which you saved it. Double-click on the icon that’s named mb3-setup.
  3. Further, press Next button and follow the prompts.
  4. Once installation is finished, click the “Scan Now” button. The MalwareBytes application will scan through the whole computer for the Moresa ransomware virus and other malicious software. This procedure can take some time, so please be patient. While MalwareBytes Free is scanning, you can see the number of objects it has identified as being malware.
  5. Once that process is finished, MalwareBytes Anti-Malware will show you the results. Next, you need to press “Quarantine Selected”. When disinfection is finished, you may be prompted to reboot your computer.

Run KVRT to remove .Moresa ransomware virus

KVRT is a free portable program that scans your computer for adware, trojans and ransomware and helps delete them easily. Moreover, it’ll also help you remove any harmful internet browser extensions and add-ons.

Download Kaspersky virus removal tool (KVRT) on your Windows Desktop from the link below.

Kaspersky virus removal tool
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

After downloading is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is done, you’ll see the Kaspersky virus removal tool screen as displayed on the image below.

Kaspersky virus removal tool main window

Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next, press the Start scan button to scan your PC for the .Moresa ransomware virus. A system scan can take anywhere from 5 to 30 minutes, depending on your personal computer. While the KVRT utility is checking, you may see the count of objects it has identified as being affected by malicious software.

KVRT scanning

Once finished, Kaspersky virus removal tool will show you the results as shown in the following example.

Kaspersky virus removal tool scan report

When you are ready, click on Continue to begin a cleaning procedure.

How to decrypt .moresa files

The .Moresa ransomware uses a strong encryption algorithm with a long key. This means that decrypting the files is impossible without the private key. Brute forcing is also not an option because of the length of the key. Therefore, unfortunately, paying the creators of the .Moresa ransomware the entire amount requested is the only way to try to get the decryption key and decrypt all your files.

Should you pay the ransom

We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your personal files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.

Files encrypted by ‘Moresa ransomware’

With some variants of Moresa ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.




Use STOPDecrypter to decrypt .moresa files

Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).

STOPDecrypter

STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos). STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.moresa).

Please check the twitter post for more info.

How to restore .moresa files

In some cases, you can restore files encrypted by the .Moresa ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.
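To scope the damage before trying either restore method, the script below (an added example, not part of the original guide or of any tool it names) walks a folder read-only, lists every file carrying the .moresa extension together with the original name it maps to, and confirms each _readme.txt against the contact strings quoted in the ransom note above. The function names, and the assumption that the original name is the encrypted name minus .moresa, are this example's own.

```python
import os
import sys
from collections import defaultdict

ENCRYPTED_EXT = ".moresa"   # extension named on this page
NOTE_NAME = "_readme.txt"   # ransom note file name named on this page
# Contact strings from the note quoted on this page; they separate it from a benign _readme.txt
NOTE_MARKERS = ("vengisto@firemail.cc", "vengisto@india.com", "@datarestore")


def is_ransom_note(path):
    """True if the file contains one of the contact strings from the ransom note."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read(8192).lower()
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def inventory(root):
    """Walk root read-only; return {folder: {"files": [(encrypted, original, size)], "note": bool}}."""
    report = defaultdict(lambda: {"files": [], "note": False})
    for folder, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                if is_ransom_note(full):
                    report[folder]["note"] = True
            elif lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                original = name[: -len(ENCRYPTED_EXT)]  # photo.jpg.moresa -> photo.jpg
                try:
                    size = os.path.getsize(full)
                except OSError:
                    size = -1  # unreadable entry, still listed
                report[folder]["files"].append((name, original, size))
    return dict(report)


def summarize(report):
    """Return (encrypted file count, folders with a confirmed note, total readable bytes)."""
    files = [f for entry in report.values() for f in entry["files"]]
    notes = sum(1 for entry in report.values() if entry["note"])
    total = sum(size for _name, _orig, size in files if size >= 0)
    return len(files), notes, total


if __name__ == "__main__":
    rep = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for folder, entry in sorted(rep.items()):
        for enc, orig, size in entry["files"]:
            print(f"{os.path.join(folder, enc)}\t{orig}\t{size}")
    print("encrypted=%d note_folders=%d bytes=%d" % summarize(rep))
```

The tab-separated output gives the original file names to look for in a shadow copy or among PhotoRec's recovered files.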




Use shadow copies to recover .moresa files

An alternative is to restore your photos, documents and music from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing personal files that were damaged by .Moresa ransomware virus. The steps below will give you all the details.

Click the link below to download ShadowExplorer. Save it to your Desktop so that you can access the file easily.

ShadowExplorer
439624 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

When the download is done, extract the downloaded file to a folder on your personal computer. This will create the necessary files as on the image below.

ShadowExplorer folder

Start the ShadowExplorerPortable program. Now select the date (2) that you want to restore from and the drive (1) you want to recover files (folders) from like below.

recover encrypted files with ShadowExplorer utility

On the right panel, navigate to the file (folder) you want to restore. Right-click the file or folder and press the Export button as on the image below.

ShadowExplorer recover .moresa files

And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.

Restore .moresa files with PhotoRec

Before a file is encrypted, the .Moresa ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file restore applications such as PhotoRec.

Download PhotoRec by clicking on the following link.

PhotoRec
221290 downloads
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

When the downloading process is done, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed on the screen below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as displayed on the image below.

PhotoRec for windows

Select a drive to recover like below.

photorec select drive

You will see a list of available partitions. Choose a partition that holds encrypted personal files like below.

photorec choose partition

Click the File Formats button and choose file types to recover. You can enable or disable the restore of certain file types. When this is complete, click the OK button.

PhotoRec file formats

Next, press Browse button to select where recovered photos, documents and music should be written, then press Search.

photorec

The count of recovered files is updated in real time. All restored documents, photos and music are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.

When the restore is finished, press the Quit button. Next, open the directory where the restored files are stored. You will see contents as on the image below.

PhotoRec - result of recovery

All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can sort your restored files by extension and/or date/time.

How to protect your personal computer from .Moresa ransomware virus?

Most antivirus apps already have a built-in protection system against ransomware. Therefore, if your system does not have an antivirus application, make sure you install one. As an extra protection, run HitmanPro.Alert.

Use HitmanPro.Alert to protect your computer from .Moresa ransomware

All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows OS from Microsoft Windows XP to Windows 10.

Click the link below to download the latest version of HitmanPro.Alert for MS Windows. Save it to your Desktop so that you can access the file easily.

HitmanPro.Alert
6876 downloads
Author: Sophos
Category: Security tools
Update: March 6, 2019

After the download is complete, open the directory in which you saved it. You will see an icon like below.

HitmanPro.Alert file icon

Double click the HitmanPro Alert desktop icon. After the utility is started, you will be shown a window where you can select a level of protection, as displayed on the screen below.

HitmanPro.Alert install

Now click the Install button to activate the protection.

To sum up

Once you’ve finished the step-by-step guide above, your computer should be clean of .Moresa ransomware and other malicious software. Your machine will no longer encrypt your personal files. Unfortunately, if the guidance does not help you, then you have caught a new ransomware, and the best way forward is to ask for help here.

 
