MyAntiSpyware

.Mogera file extension ransomware virus (Restore, Decrypt .mogera files)

Myantispyware team May 27, 2019    

This week, computer security specialists have received reports of yet another cryptovirus called ‘Mogera ransomware’. This ransomware spreads via spam emails and malware files and appends the .mogera file extension to encrypted files. Here’s everything you need to know about this ransomware, how to remove .Mogera ransomware and how to restore (decrypt) encrypted documents, photos and music for free.

Files encrypted by “.mogera ransomware”

Immediately after launch, the .Mogera ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension to select the files that will be encrypted. It encrypts almost all types of files, including common ones such as:

.wpa, .xxx, .wp6, .bsa, .bar, .das, .kf, .pdd, .xx, .crt, .pkpass, .bkf, .p12, .csv, wallet, .wpb, .wpg, .dbf, .zw, .xdl, .xlsm, .pptm, .odp, .zdc, .desc, .xbplate, .itm, .sum, .dazip, .rb, .bay, .wbc, .wbd, .wmv, .rofl, .odb, .tax, .ltx, .psd, .xlgc, .psk, .rwl, .py, .ai, .litemod, .pfx, .apk, .layout, .zdb, .jpg, .srw, .wcf, .iwd, .odc, .iwi, .wdp, .dmp, .slm, .pef, .hkdb, .sidd, .sie, .wpt, .d3dbsp, .wgz, .wbm, .rtf, .zip, .tor, .bkp, .mcmeta, .mov, .menu, .pem, .wbk, .yml, .webdoc, .sr2, .sis, .xls, .epk, .xlsx, .webp, .wps, .mdbackup, .dba, .gdb, .mdf, .cer, .r3d, .2bp, .odm, .syncdb, .x, .wma, .cr2, .xy3, .x3d, .docm, .xf, .icxs, .raw, .mddata, .fsh, .wp, .rgss3a, .vdf, .sql, .zip, .wot, .pst, .p7b, .css, .wma, .db0, .xyp, .ncf, .bc6, .xmmap, .pptx, .3ds, .wav, .snx, .wmf, .wpd, .esm, .xld, .kdc, .wpd, .fpk, .mdb, .m4a, .lrf, .xls, .lvl, .ptx, .js, .1st, .fos, .3fr, .bc7, .wmd, .3dm, .vpk, .flv, .wp7, .png, .avi, .wri, .xlsb, .srf, .ods, .x3f, .ztmp, .wdb, .y, .wp5, .t12, .wp4, .big, .wpe, .m2, .wpw, .orf, .wbmp, .7z, .vtf, .itdb, .1, .kdb, .0, .wm, .arw, .sidn, .re4, .rim, .accdb, .mef, .zi, .dcr, .wotreplay, .t13, .ysp, .eps, .xyw, .wn, .wmo, .indd, .xlsm, .yal, .zif, .xml, .upk, .xbdoc, .hvpl, .asset, .wsh, .wsc, .rar, .wbz, .ntl, .jpeg, .zabw, .xpm, .odt, .sid, .xlk, .p7c, .rw2, .mpqge, .pdf, .m3u, .xll, .x3f, .map, .ws, .wps

Upon successful encryption, it appends the .mogera extension to the name of each encrypted file. The ransomware also creates a text file named “_readme.txt” in each folder. This file is the ransom note, which demands payment in bitcoins. The content of the ransom note is below:

ATTENTION!
 
Don't worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-tK15NNEcw6
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

 

Threat Summary

Name: .Mogera ransomware
Type: Ransomware, Filecoder, Crypto virus, File locker
Encrypted files extension: .mogera
Ransom note: _readme.txt
Contact: gorentos@bitmessage.ch, @datarestore (telegram), bufalo@firemail.cc
Ransom amount: $490, $980 in Bitcoins
Detection Names: Win32:Malware-gen (Avast), TR/AD.InstaBot.vgssx (Avira), not-a-virus:HEUR:Downloader.Win32.AdLoad.gen (Kaspersky), GCrab-FNZ!D5995275A4D9 (McAfee), ML.Attribute.HighConfidence (Symantec)
Symptoms:
  • Unable to open personal files
  • Encrypted personal files
  • Your file directories contain a ‘ransom note’ file that is usually a .txt file
Removal: To remove .Mogera ransomware use the removal guide
Decryption: To decrypt .Mogera ransomware use the steps
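
To see how far the encryption reached before cleaning up, the two indicators above (the .mogera extension and the _readme.txt note) can be inventoried read-only. The script below is an added example, not a tool from this page or its authors; the marker phrases are taken from the quoted note, and treating a file's modification time as its encryption time is an assumption.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT = ".mogera"   # extension named on this page
NOTE_NAME = "_readme.txt"   # ransom note name given on this page
# Phrases from the ransom note quoted above; they separate a real note from
# an unrelated file that merely happens to be called _readme.txt.
NOTE_MARKERS = ("ATTENTION!", "decrypt tool")


def is_ransom_note(path):
    """True if the file's first 4 KiB contain every marker phrase."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return all(marker in head for marker in NOTE_MARKERS)


def triage(root):
    """Walk root without modifying anything and summarise the damage."""
    encrypted, notes, mtimes, types = [], [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(full)
                # "report.docx.mogera" -> original type ".docx"
                stem = name[: -len(ENCRYPTED_EXT)]
                types[os.path.splitext(stem)[1].lower() or "(none)"] += 1
                try:
                    mtimes.append(os.path.getmtime(full))
                except OSError:
                    pass  # unreadable entry: still counted, no timestamp
            elif name.lower() == NOTE_NAME and is_ransom_note(full):
                notes.append(full)
    first = min(mtimes) if mtimes else None
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "original_types": dict(types),
        # Assumed encryption start: look for backups or shadow copies
        # dated before this moment.
        "first_encrypted_utc": None if first is None
        else datetime.fromtimestamp(first, tz=timezone.utc),
    }


if __name__ == "__main__":
    report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"encrypted files : {len(report['encrypted'])}")
    print(f"ransom notes    : {len(report['notes'])}")
    print(f"original types  : {report['original_types']}")
    print(f"first encrypted : {report['first_encrypted_utc']}")
```

Run it with the folder or drive to inspect as the only argument; it opens files for reading only.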

 

The instructions below will help you remove .Mogera ransomware as well as recover (decrypt) encrypted personal files stored on your PC system drives.

Quick links

  1. How to remove .Mogera ransomware virus
  2. How to decrypt .mogera files
  3. Use STOPDecrypter to decrypt .mogera files
  4. How to restore .mogera files
  5. How to protect your PC system from .Mogera ransomware?
  6. Finish words

How to remove .Mogera ransomware virus

Using a malware removal tool to locate and delete ransomware hiding on your PC is probably the simplest way to remove the .Mogera ransomware virus. We suggest the Zemana AntiMalware (ZAM) program for Microsoft Windows PCs. MalwareBytes and KVRT are other anti-malware tools for Windows that offer free malicious software removal.



Automatically remove .Mogera ransomware virus with Zemana Anti-malware

Zemana can find all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the .Mogera ransomware, you can easily and quickly get rid of it.
Zemana Anti-Malware remove .Mogera ransomware related files, folders and registry keys

  1. Visit the following page to download the latest version of Zemana Free for Microsoft Windows. Save it to your Desktop.
    Zemana AntiMalware
    Author: Zemana Ltd
    Category: Security tools
    Update: July 16, 2019
  2. Once downloading is finished, close all software and windows on your system. Open the file location. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
  3. Next, click the Next button and follow the prompts.
  4. Once installation is done, click the “Scan” button. Zemana Anti Malware will start scanning the whole machine to find .Mogera ransomware related files, folders and registry keys. This procedure may take quite a while, so please be patient. While the Zemana Free program is scanning, you can see the count of objects it has identified as threats.
  5. Once finished, Zemana Free will display a scan report. All found items will be marked. You can delete them all by simply clicking “Next”. After that process is complete, you may be prompted to reboot your computer.

Remove .Mogera ransomware virus with MalwareBytes Free

If you’re having issues with the .Mogera ransomware removal, then download MalwareBytes. It is free for home use, and finds and removes various unwanted software that attacks your computer or degrades computer performance. MalwareBytes can remove adware, PUPs as well as malware, including ransomware and trojans.

Installing MalwareBytes Free is simple. First you’ll need to download MalwareBytes Anti Malware (MBAM) on your machine from the link below.

Malwarebytes Anti-malware
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

Once the downloading process is finished, close all apps and windows on your machine. Open the directory in which you saved it. Double-click on the icon that’s named mb3-setup as shown in the image below.

MalwareBytes Anti-Malware (MBAM) for Windows icon

When the installation begins, you’ll see the “Setup wizard” which will help you set up Malwarebytes on your personal computer.

MalwareBytes for Microsoft Windows set up wizard

Once setup is complete, you will see a window as displayed in the figure below.

MalwareBytes Free for Microsoft Windows

Now click the “Scan Now” button to check your machine for the .Mogera ransomware and other security threats. This task can take some time, so please be patient. During the scan MalwareBytes Anti-Malware will detect threats that exist on your machine.

MalwareBytes Free for MS Windows detect .Mogera ransomware and other security threats

When the scan is complete, MalwareBytes AntiMalware (MBAM) will display a scan report. All found items will be marked. You can remove them all by simply clicking the “Quarantine Selected” button.

MalwareBytes Anti Malware (MBAM) for Microsoft Windows, scan for ransomware is complete

Malwarebytes will now begin to remove .Mogera ransomware virus related files, folders and registry keys. Once the procedure is done, you may be prompted to restart your machine.

MalwareBytes for Windows restart prompt

Scan and clean your system of ransomware virus with KVRT

KVRT is a free portable program that scans your system for trojans, worms and ransomware viruses such as the .Mogera ransomware and helps remove them easily. Moreover, it’ll also help you remove any harmful web-browser extensions and add-ons.

Download Kaspersky virus removal tool (KVRT) on your PC system from the following link.

Kaspersky virus removal tool
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

Once downloading is finished, double-click on the KVRT icon. Once the initialization process is finished, you will see the Kaspersky virus removal tool screen as displayed below.

KVRT main window

Click Change Parameters and check the boxes next to all your drives. Press OK to close the Parameters window. Next press the Start scan button to perform a system scan for the .Mogera ransomware virus and other known infections. A scan may take anywhere from 10 to 30 minutes, depending on the count of files on your personal computer and the speed of your computer. When a threat is found, the count of the security threats will change accordingly.

Kaspersky virus removal tool scanning

When Kaspersky virus removal tool has completed scanning, KVRT will show you the results as displayed below.

KVRT scan report

Make sure all items have a checkmark and click Continue to begin the cleaning task.

How to decrypt .mogera files

The .Mogera ransomware uses a hybrid encryption mode. The encryption mode is so strong that it is practically impossible to decrypt .mogera files without the actual encryption key.

Should you pay the ransom

There is absolutely no guarantee that, after you pay a ransom to the makers of the ransomware virus, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals you are encouraging them to create new ransomware.

With some variants of the Mogera ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.




Use STOPDecrypter to decrypt .mogera files

Michael Gillespie released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).

STOPDecrypter

STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap). STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.mogera).

Please check the Twitter post for more info.

How to restore .mogera files

In some cases, you can restore files encrypted by .Mogera ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted files.




Use shadow copies to recover .mogera files

To restore .mogera documents, photos and music encrypted by the .Mogera ransomware virus from Shadow Volume Copies, you can run a utility named ShadowExplorer. We recommend this method because its easy-to-use interface makes it easier to find and recover the previous versions of the encrypted files you need.

Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer on your personal computer by clicking on the following link.

ShadowExplorer
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

Once the downloading process is finished, extract the downloaded file to a folder on your computer. This will create the necessary files as displayed on the image below.

ShadowExplorer folder

Start the ShadowExplorerPortable program. Now choose the date (2) that you wish to recover from and the drive (1) you want to restore files (folders) from as displayed in the figure below.

restore encrypted files with ShadowExplorer tool

In the right panel, navigate to the file (folder) you wish to restore. Right-click the file or folder and click the Export button as shown below.

ShadowExplorer recover .mogera files

Finally, specify a directory (your Desktop) to save the shadow copy of the encrypted file and click the ‘OK’ button.

Run PhotoRec to recover .mogera files

Before a file is encrypted, the .Mogera ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file restore applications like PhotoRec.

Download PhotoRec on your Microsoft Windows Desktop from the link below.

PhotoRec
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

When the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the figure below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll show a screen as displayed below.

PhotoRec for windows

Choose a drive to recover as shown in the following example.

photorec choose drive

You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as shown on the screen below.

photorec choose partition

Click the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is done, click the OK button.

PhotoRec file formats

Next, click the Browse button to choose where restored photos, documents and music should be written, then click Search.

photorec

The count of recovered files is updated in real time. All recovered photos, documents and music are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.

When the recovery is done, press the Quit button. Next, open the directory where the recovered photos, documents and music are stored. You will see contents as displayed in the figure below.

PhotoRec - result of recovery

All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can sort your recovered files by extension and/or date/time.

How to protect your PC system from .Mogera ransomware?

Most antivirus apps already have a built-in protection system against ransomware. Therefore, if your machine does not have an antivirus program, make sure you install one. As an extra protection, run HitmanPro.Alert.

Run HitmanPro.Alert to protect your PC from .Mogera ransomware

All-in-all, HitmanPro.Alert is a fantastic utility to protect your PC system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows OS from Microsoft Windows XP to Windows 10.

Visit the following page to download HitmanPro Alert. Save it to your Desktop.

HitmanPro.Alert
Author: Sophos
Category: Security tools
Update: March 6, 2019

When the downloading process is finished, open the directory in which you saved it. You will see an icon like below.

HitmanPro.Alert file icon

Double-click the HitmanPro.Alert desktop icon. Once the tool is started, you’ll see a window where you can choose a level of protection, as shown in the following example.

HitmanPro.Alert install

Now click the Install button to activate the protection.

Finish words

Once you have completed the few simple steps shown above, your PC should be clean from .Mogera ransomware and other malicious software. Your system will no longer encrypt your files. Unfortunately, if the steps do not help you, then you have caught a new variant of the ransomware virus, and the best option is to ask for help here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
