.Meka file extension. How to remove virus. Restore, Decrypt .meka files.

Myantispyware team November 4, 2019    

.Meka is the file extension that the newest version of STOP ransomware appends to the names of the files it encrypts. Ransomware is malware that locks up a victim’s files by encrypting them, so the contents of each encrypted file become inaccessible. Renaming encrypted files or changing their extension will not unlock them.

Files encrypted with .Meka file extension

Meka is a ransomware, which is a new version of the long-known ransomware called STOP (DJVU) ransomware. Like its previous variants, the ransomware uses the same methods of distribution, such as torrents, adware, key generators and cracked software. Upon execution, Meka creates a folder in the Windows system directory and copies itself there. Then the ransomware changes some Windows OS settings so that it starts automatically every time the computer is turned on. Meka tries to contact a command and control server (C&C). If the connection is successful, the ransomware receives a key from the C&C (the so-called ‘online key’). This key will be used to encrypt the victim’s files. If it was not possible to establish a connection with the C&C, then the so-called ‘offline key’ is used to encrypt the files.

What is offline key

After Meka has determined the key that it will use to encrypt files, it proceeds to the encryption process. The ransomware does not encrypt files that have the following extension: .sys, .bat, .dll, .lnk, .ini. Files with the name ‘_readme.txt’ are also skipped. All other user data will be encrypted. For example, files with the following extensions can also be encrypted:

.mpqge, .p12, .ncf, .gdb, .xls, .p7b, .sie, .rw2, .1st, .kdb, .xml, .doc, .cer, .wpd, .sql, .xmind, .7z, .xyp, .wav, .xlsx, .wma, .zip, .wp4, .blob, .wmv, .tax, .cdr, .bkp, .wpl, .re4, .mcmeta, .qic, .qdf, .vtf, .db0, .docm, .t13, .psk, .sidn, .sav, .xf, .kdc, .xll, .d3dbsp, .vpk, .vpp_pc, .3ds, .xlgc, .ntl, .eps, .wp6, .xpm, .wbm, .mp4, .pdd, .cfr, .pak, .wma, .ods, .r3d, .zdb, .epk, .yal, .mlx, .jpeg, .ff, .txt, .raw, .erf, .crw, .desc, .z, .wpa, .wire, .wps, wallet, .jpe, .srf, .tor, .wdp, .hplg, .esm, .wmd, .wot, .syncdb, .jpg, .xlsm, .vcf, .layout, .crt, .iwi, .rofl, .wbd, .pptm, .wps, .ppt, .wsh, .bik, .webp, .zabw, .csv, .png, .xx, .mdf, .ltx, .rim, .sidd, .zdc, .3fr, .arw, .m3u, .zi, .dcr, .dba, .kf, .wmv, .y, .pptx, .1, .x3d, .pkpass, .wbz, .wsd, .wri, .mef, .odc, .icxs, .wp7, .xdb, .cas, .mddata, .wpt, .xlsm, .iwd, .sid, .xmmap, .m2, .ysp, .css, .wmf, .xdl, .pem, .t12, .snx, .dxg, .fos, .xbdoc, .x3f, .wpb, .sr2, .apk, .wn, .docx, .vdf, .forge, .big, .vfs0, .xbplate, .wbc, .zip, .wp, .3dm, .lbf, .pef, .xar, .arch00, .bsa, .zw, .mdbackup, .2bp, .cr2, .bc6, .hvpl, .odb, .odp, .ai, .xwp, .ztmp, .gho, .wotreplay, .odm, .ybk, .pst, .wb2, .lrf, .wmo, .pfx, .rar, .x3f, .dwg, .xy3, .mov, .bar, .py, .rgss3a, .bay, .wgz, .zif, .wsc, .wdb

Each encrypted file will be renamed, the virus will append ‘.meka’ at the end of its name. Thus, a file named ‘prices.xls’, after it is encrypted, will receive the name ‘prices.xls.meka’. Meka encrypts files on all drives that are connected to the computer, including network disks and cloud storage. Files are encrypted sequentially, file by file, directory by directory, disk by disk. When all the files in the directory are encrypted, the ransomware creates a new file in it with the name ‘_readme.txt’. The following is an example of the contents of such a file.

Meka ransom note

This file is a ransom note. The ransom note is a message from the Meka creators, in which they report that the user’s files are encrypted and that the only way to decrypt them is to buy a unique key and decryptor. The criminals demand a ransom of $490, and if it is not paid within 72 hours, the ransom is doubled. To confirm that the encrypted files can be decrypted, the attackers invite the victim to send them a Personal ID and one small file, which they will decrypt for free. Even if this file is decrypted successfully, there is no guarantee that the victim will receive the key needed to decrypt the locked data after paying the ransom.

Threat Summary

Name: Meka
Type: Ransomware, Crypto malware, File locker, Filecoder, Crypto virus
Encrypted files extension: .meka
Ransom note: _readme.txt
Contact: salesrestoresoftware@firemail.cc, salesrestoresoftware@gmail.com
Ransom amount: $490; $980, if the ransom is not paid within 72 hours
Detection names: TrojanTR/Crypt, W32.Kryptik, TrojanRansom/Win32.Stop, Ransom.Win32-STOP
Symptoms: Files encrypted with .meka extension. All files fail to open. Your photos, documents and music have a new extension appended at the end of the file name. Files named like ‘_readme.txt’, or ‘_readme’ in each folder with at least one encrypted file. You have received instructions for paying the ransom.
Distribution ways: Malicious spam. Torrents. Drive-by downloading. Adware. Social media posts. Key generators. Cracks.
Removal: Meka ransomware removal guide
Decryption: Free Meka Decryptor

 
The message from the criminals, which is located in file ‘_readme.txt’, is mostly true. Encrypted files cannot be decrypted without a key. Fortunately, the situation has changed with the advent of Free Meka Decryptor (linked above). Now, in some cases, when the files are encrypted using an offline key, everyone can decrypt the files. If the files were encrypted using an online key, then the files cannot yet be decrypted. In this case, you can use several alternative methods to restore the contents of encrypted files. The next part of the article will give a detailed description of Free Meka Decryptor, how to remove the ransomware and describe alternative methods for recovering encrypted files.

Quick links

  1. How to remove Meka ransomware
  2. How to decrypt .meka files
  3. How to restore .meka files
  4. How to protect your PC system from Meka ransomware

How to remove Meka ransomware

Before you start decrypting files, you need to make sure that Meka is no longer active, as well as find all files related to the ransomware and delete them. If you do not delete the ransomware, then it can again encrypt the recovered files. In order to identify all the components of the ransomware, and then remove them, you need to scan the computer using malware removal tools. We recommend using several utilities, each of which is based on a different anti-virus (anti-malware) engine. This will ensure that Meka ransomware is completely removed. Below you can find some of the free malware removal tools.




Remove Meka ransomware with Zemana Anti-Malware

We recommend using a malware removal tool called Zemana AntiMalware because it can find and remove Meka ransomware, other malware, trojans and worms. If you have any Meka removal problems, which cannot be fixed by this tool automatically, then Zemana provides 24X7 online assistance from the highly experienced support staff. Visit the page linked below to download Zemana setup file called Zemana.AntiMalware.Setup on your system. Save it on your Windows desktop.

Zemana AntiMalware
164976 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

Launch the installer after it has been downloaded successfully and then follow the prompts to install this utility on your computer.

Zemana SetupWizard

During install you can change certain settings, but we recommend you don’t make any changes to default settings.

When install is complete, this malware removal tool will automatically launch and update itself. You will see its main window as displayed on the image below.

Now press the “Scan” button. Zemana Anti-Malware (ZAM) will start scanning the whole PC to find Meka-related folders, files and registry keys. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and its speed. While the utility is scanning, you can see the number of objects and files that have already been scanned.

Zemana Anti Malware (ZAM) locate Meka virus related folders,files and registry keys

When the scan is done, Zemana Free will display the results. Review the results once the utility has completed the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click the “Next” button.

Zemana scan is done

Zemana will start to remove Meka-related folders, files and registry keys. After that process is complete, you may be prompted to restart your computer for the changes to take effect.

Remove Meka ransomware with HitmanPro

HitmanPro is a malware removal utility. It is designed to search for and remove various security threats including ransomware, malware, trojans, worms, adware and so on. HitmanPro is a portable program that can be run directly from a flash drive. HitmanPro has an advanced system monitoring tool that uses a white-list database to stop suspicious processes and programs.

  1. First, visit the following page, then press the ‘Download’ button in order to download the latest version of HitmanPro.
    HitmanPro
    12243 downloads
    Author: Sophos
    Category: Security tools
    Update: June 28, 2018
  2. When the download is finished, start HitmanPro by double-clicking the HitmanPro.exe file.
  3. If the “User Account Control” prompt appears, click Yes to continue.
  4. In the HitmanPro window, click “Next” to perform a system scan for Meka ransomware. This process can take some time, so please be patient. While the tool is scanning, you can see the count of objects and files that have already been scanned.
  5. As the scanning ends, the results are displayed in the scan report. Review the results once the utility has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press “Next”. Now, click the “Activate free license” button to begin the free 30 days trial to remove all malicious software found.

Remove Meka ransomware virus with Kaspersky virus removal tool

Kaspersky virus removal tool (KVRT) is a free malware removal utility that uses the anti-virus engine from Kaspersky antivirus. It can remove ransomware, adware, trojans, worms and other malicious software from your computer for free. You can use this utility to locate and remove security threats even if you have an antivirus or any other security software. Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it directly to the Desktop.

Kaspersky virus removal tool
129277 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

When the download is finished, double-click the KVRT icon. Once the initialization procedure is complete, you will see the Kaspersky virus removal tool screen as displayed below.

Kaspersky virus removal tool main window

Click Change Parameters and set a check next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to begin checking your system for Meka crypto malware. A system scan can take anywhere from 5 to 30 minutes, depending on your personal computer. During the scan, KVRT will find the threats that exist on your PC.

Kaspersky virus removal tool scanning

When the system scan is complete, KVRT will open a list of all items detected by the scan as on the image below.

KVRT scan report

Review the results once the utility has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click on Continue to begin a cleaning procedure.

How to decrypt .meka files

As we already reported above, all files that have the extension .meka are encrypted and cannot be decrypted without a unique key and decryptor. It is not possible to read the contents of encrypted files simply by changing their name or extension. Fortunately, Emsisoft created a free decryptor that can decrypt .meka files.

STOP Djvu decryptor

To decrypt .meka files, use the following steps:

  • Open the STOP Djvu decryptor page in a new tab/window.
  • Scroll down to ‘New Djvu ransomware’ section.
  • Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
  • Run decrypt_STOPDjvu.exe, read the license terms and instructions.
  • On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
  • Click the ‘Decrypt’ button.

Unfortunately, at the moment, the decryptor can only decrypt files that were encrypted with an offline key. If your files are encrypted with an online key, then you cannot decrypt them yet. In this case, we recommend that you use alternative methods for recovering encrypted files, which are listed below.

How to determine which key was used to encrypt files

First of all, you can look at the Personal ID that is given in the ‘_readme.txt’ file (ransom note). Another method is to look at the contents of the file located on drive ‘C’ in directory ‘SystemID’ and named ‘PersonalID.txt’. This is a file in which Meka ransomware stores the Personal IDs used for encryption.

Meka personal id

Personal ID is highlighted here

If there is an ID ending in ‘t1’, then you are lucky: your files were encrypted using an offline key, and when researchers find this key, you can decrypt your files. In this case, to decrypt the files, you need to use the STOP Djvu Decryptor linked above. If your Personal ID does not end with ‘t1’, then the ransomware used an online key. Even so, there is still a small chance of recovering the encrypted files. This method will be discussed in the next part of the article.
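Added example (not part of the original article, and not code from Emsisoft or any tool named here): a Python triage script that applies the Personal ID check above together with the file behaviour described earlier (the ‘.meka’ suffix, the skipped extensions, and the ‘_readme.txt’ note written once a directory is finished) to show which folders were fully or only partly encrypted. It assumes PersonalID.txt holds one ID per line; the sample IDs and file tree are constructed.

```python
import os
import tempfile

ENCRYPTED_SUFFIX = ".meka"      # appended to every encrypted file (from the article)
RANSOM_NOTE = "_readme.txt"     # written once a directory has been fully processed
SKIPPED_EXTS = {".sys", ".bat", ".dll", ".lnk", ".ini"}  # never encrypted, per the article
OFFLINE_ID_SUFFIX = "t1"        # Personal IDs ending in 't1' indicate the offline key


def key_types(personal_id_text):
    """Classify each Personal ID. Assumes one ID per line (format not shown in the article)."""
    ids = [line.strip() for line in personal_id_text.splitlines() if line.strip()]
    return {pid: "offline" if pid.endswith(OFFLINE_ID_SUFFIX) else "online" for pid in ids}


def directory_state(files):
    """Return (state, encrypted, untouched) for the file names of one directory."""
    names = [f.lower() for f in files]
    encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_SUFFIX)]
    untouched = [
        f for f in files
        if not f.lower().endswith(ENCRYPTED_SUFFIX)
        and f.lower() != RANSOM_NOTE
        and os.path.splitext(f.lower())[1] not in SKIPPED_EXTS
    ]
    if not encrypted:
        state = "not-encrypted"
    elif RANSOM_NOTE in names and not untouched:
        state = "fully-encrypted"
    else:
        # .meka files without a note, or next to eligible plain files: the run was
        # interrupted here, or files were added after the attack (heuristic).
        state = "partial"
    return state, encrypted, untouched


def triage(root):
    """Map each directory (relative to root) to its state and file lists."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        state, encrypted, untouched = directory_state(files)
        report[rel] = {"state": state,
                       "encrypted": sorted(encrypted),
                       "untouched": sorted(untouched)}
    return report


def build_sample_tree(root):
    """Constructed sample data: three directories in different states."""
    layout = {
        "docs": ["prices.xls.meka", "notes.txt.meka", "_readme.txt", "desktop.ini"],
        "photos": ["a.jpg.meka", "b.jpg"],      # no note, one plain file left
        "tools": ["run.bat", "helper.dll"],     # only skipped extensions
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()


if __name__ == "__main__":
    # Constructed Personal IDs, not real ones
    print(key_types("EXAMPLEID0001t1\nEXAMPLEID0002xx\n"))
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, info in sorted(triage(root).items()):
            print(f"{rel:8} {info['state']:16} "
                  f"encrypted={len(info['encrypted'])} untouched={len(info['untouched'])}")
```

Run it only after the removal steps above report a clean system, and point `triage()` at a copy or a read-only mount of the affected drive where possible.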

How to restore .meka files

If the free decryptor did not help you, or your files are encrypted using an online key, then there is no need to panic! There are several other alternative methods that may allow you to restore the contents of encrypted files. Be sure to check your computer for malware before starting to recover encrypted files. You must be sure that Meka ransomware has been removed. Each of the methods presented below uses a different mechanism for recovering encrypted files. So try each one. It often happens that if the first method did not help, then the second helped.




Recover .meka files with ShadowExplorer

First of all, try to recover encrypted files from their Shadow Volume Copies, which are automatically created by Windows OS. In order to recover photos, documents and music encrypted by Meka ransomware from Shadow Volume Copies you can use a tool called ShadowExplorer. We recommend using this free utility because it is small in size, has a simple interface and does not require installation on a computer. Unfortunately, ransomware often removes all Shadow copies. Therefore, if this program cannot help you, then immediately proceed to the second method, which is given below.

Visit the following page to download ShadowExplorer.

ShadowExplorer
439618 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

Once the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder like the one below.

ShadowExplorer folder

Double-click ShadowExplorerPortable to launch it. You will see a window like the one below.

ShadowExplorer

In the top left corner, choose the drive where the encrypted files are stored and the latest restore point, as displayed on the screen below (1 – drive, 2 – restore point).

ShadowExplorer

On the right panel, look for a file that you want to restore, right-click it and select Export as shown on the screen below.

ShadowExplorer restore file

Use PhotoRec to recover .meka files

Another alternative way to recover encrypted files is to use data recovery programs. This method requires a lot of time, but in most cases it allows you to recover part, and sometimes all, of the encrypted files. To restore .meka files, use a free tool called PhotoRec. It has a simple interface and does not require installation. Download PhotoRec to your Desktop by clicking on the link below.

PhotoRec
221285 downloads
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

After the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder like the one below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll show a screen as on the image below.

PhotoRec for windows

Select a drive to recover as displayed below.

photorec select drive

You will see a list of available partitions. Choose a partition that holds encrypted personal files as on the image below.

photorec choose partition

Click the File Formats button and select the file types to restore. You can enable or disable the restore of certain file types. When this is complete, press the OK button.

PhotoRec file formats

Next, press Browse button to choose where recovered personal files should be written (we recommend using an external drive to write all recovered data), then click Search.

photorec

The count of restored files is updated in real time. All restored photos, documents and music are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.

When the recovery is done, click the Quit button. Next, open the directory where the restored photos, documents and music are stored. You will see contents like those shown in the following example.

PhotoRec - result of restore

All restored personal files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can sort your restored files by extension and/or date/time.

How to protect your PC system from Meka ransomware

Most antivirus software already has a built-in protection system against ransomware. Therefore, if your personal computer does not have antivirus software, make sure you install it. As extra protection, use HitmanPro.Alert. It is a fantastic tool to protect your PC system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files.

First, click the link below, then press the ‘Download’ button in order to download the latest version of HitmanPro.Alert.

HitmanPro.Alert
6875 downloads
Author: Sophos
Category: Security tools
Update: March 6, 2019

After the download is complete, open the folder in which you saved it. You will see an icon like below.

HitmanPro.Alert file icon

Double-click the HitmanPro Alert desktop icon. Once the utility is launched, you will see a window where you can choose a level of protection, as shown in the figure below.

HitmanPro.Alert install

Now press the Install button to activate the protection.

To sum up

This article was created to help all victims of Meka ransomware. We tried to explain in detail how to remove the ransomware, how to decrypt .meka files and what to do if decryption of the files was unsuccessful. If you have any questions or need help, then write to us.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

9 Comments

  1. divyanshu
    ― November 5, 2019 - 2:39 am  Reply

    Waiting for second part as my pc got online key only and the data recovery brings back .meka file only.

  2. Diego
    ― November 5, 2019 - 4:26 am  Reply

    Hi, can the files be decrypted if I restore my PC?
    (Sorry for my English, I’m Peruvian)

  3. Myantispyware team
    ― November 5, 2019 - 4:43 am  Reply

    If you reinstall the Windows OS, it will not help you unlock files. Moreover, in this way you will lose the opportunity to use alternative methods of recovering encrypted files. Therefore, if there are important files that have been encrypted, copy them to an external drive, and then proceed to the steps described above.

  4. Shaik
    ― November 5, 2019 - 7:46 am  Reply

    All the anti-malware software I have installed says that the system is not infected any more. Of course, all my files are still .meka as the key used seems to be an online key. I do have a backup for everything. Maybe I should try deleting all the .meka files and replace everything with my backup from a flash drive. BTW do you know where the EMSISoft decryptor retrieves the unique key from?

  5. Rancho
    ― November 5, 2019 - 2:22 pm  Reply

    Hi, I appreciate the good work. I’m at a loss on how to know the exact partition when using PhotoRec. Could you explain further, please?

  6. Myantispyware team
    ― November 8, 2019 - 10:04 pm  Reply

    Shaik, you have two variants for further action:
    1. reinstall Windows, and then copy your files from backup
    2. if all anti-malware tools show that the computer is clean, you do not see any signs of ransomware, then simply delete all files with the extension .meka, then copy your files from the backup

  7. Myantispyware team
    ― November 8, 2019 - 10:27 pm  Reply

    Rancho, if you don’t know which partition to choose, then focus on its size. You can find the size of the disk you need using Explorer. Open My computer (My PC) in Explorer, and then pay attention to the ‘Devices and Drives’ section.

  8. rayuuka
    ― November 26, 2019 - 9:03 am  Reply

    @Shaik

    It is obvious that you are one of the developers of this ransomware. In your comments, you are trying to give us an idea to delete the encrypted files (WITHOUT FORMATTING THE DRIVE TO CLEAN THE RANSOMWARE) and copy our BACKUP FILES WITH A FLASH DRIVE, knowing that once you connect/insert a disk/drive, the existing ransomware will automatically encrypt our files on the USB/disk drives once it is connected, so our backup will also be encrypted.

    you know where i get the clue? in your sentence “BTW do you know where the EMSISoft decryptor retrieves the unique key from?”

    trying to counter the EMSISoft decryptor? so you can update your ransom so the EMSISoft cannot decrypt?

    nice try

  9. rayuuka
    ― November 26, 2019 - 9:09 am  Reply

    Don’t trust anyone on the internet now. Some people here are not victims, but the developers of ransomware, trying to leech information about the decryptors so they can bypass it with their new ransomware. Always remember, they are the smartest criminals. It is obvious, you can observe them: once you tell them the decryptor app/link, they will download it and study the process of it, and they will make another ransomware that cannot be detected by this decryptor. Good luck.
