.Mosk file extension is an extension that is used by the latest version of STOP (DJVU) ransomware. Ransomware is malware created by criminals to encrypt files on the victim’s computer. The contents of the encrypted files become locked and will remain so until the victim pays the ransom. Fortunately, there is a free Mosk Decryptor that allows everyone to decrypt files in some cases. For other cases, there are alternative ways to recover encrypted files. To learn more about decrypting and restoring files, scroll down this article to the ‘How to decrypt .mosk files‘ section.
Mosk virus is the 180th variant of STOP ransomware and is very similar to its previous versions such as Toec, Meka, Derp and so on. Like another malware from STOP family, it uses the same distribution methods (key generators, activators, adware, cracks, freeware and so on). Upon execution, Mosk creates a directory in the Windows system folder where it places a copy of itself and changes some Windows settings so that it starts up every time the computer is restarted or turned on. Before encrypting files, the ransomware tries to establish a connection with the command server (C&C). If this succeeds, then an online key is used, if not, then an offline key is used.
Having decided which key will be used to encrypt files on the victim’s computer, Mosk starts encryption. In the process of encryption, the ransomware tries to encrypt files that are on all drives connected to the computer. It doesn’t matter if it is an external disk, internal hard drive, cloud storage, all data will be encrypted. The ransomware does not encrypt files that have the extension: ‘.dll, .lnk, .ini, .bat, .sys’. Files with the filename ‘_readme.txt’ and files located in the Windows system folders are also skipped. All other files, regardless of their type, will be encrypted. The following is a list of file types that can be encrypted:
.3fr, .wot, .hvpl, .wbmp, .mef, .layout, .zw, .mp4, .sb, .docx, .m3u, .wmf, .epk, .bc7, .dazip, .slm, .xf, .qdf, .big, .1st, .zdb, .asset, .gho, .webdoc, .d3dbsp, .wdb, .itl, .crw, .x, .pptm, .hplg, .odb, .ff, .cas, .dcr, .z, .pdd, .upk, .wsh, .xxx, .wmv, .yal, .rofl, .bar, .m2, .pef, .wmd, .py, .webp, .wma, .hkx, .r3d, .itm, .mpqge, .jpeg, .x3d, .sis, .wmv, .xy3, .t13, .3ds, .png, .dmp, .der, .x3f, .wpl, .vcf, .x3f, .wpg, .gdb, .arch00, .vtf, .sidd, .wps, .7z, .xmind, .odp, .rgss3a, .dbf, .vdf, .css, .tax, .menu, .orf, .wbd, .wm, .mdbackup, .pem, .ysp, .0, .wpb, .flv, .srw, .mcmeta, .wp5, .xlsm, .cr2, .desc, .wsd, wallet, .ppt, .m4a, .zabw, .iwd, .xdb, .xpm, .xld, .p7b, .das, .wp6, .vpk, .fpk, .zi, .lvl, .doc, .wgz, .xx, .dxg, .db0, .indd, .wpd, .ncf, .z3d, .fsh, .xyw, .xlsb, .vpp_pc, .wbm, .js, .wpa, .sid, .wp7, .wcf, .2bp, .zip, .t12, .wbz, .svg, .raf, .xmmap, .wbk, .sql, .xls, .cer, .sie, .pkpass, .wpe, .1, .kdb, .jpe, .kdc, .rtf, .map, .xlsx, .xml, .mov, .rar, .ntl, .odt, .itdb, .wri, .ibank, .wps, .sr2, .ltx, .rwl, .rim, .wav, .mddata, .mdf, .wbc, .srf, .cdr, .wdp, .xwp, .re4, .esm, .wpd, .avi, .crt, .rw2, .ws, .p7c, .wpt, .w3x, .forge, .erf, .wb2, .pptx, .odm, .kf, .bkp, .arw, .zdc, .3dm, .xar, .eps, .docm, .iwi, .blob, .ztmp, .y, .wn, .syncdb, .mrwref, .wotreplay, .sum, .ptx, .yml, .wp, .icxs, .ybk, .dng, .lbf, .lrf, .xlgc, .snx, .txt, .mlx, .zip, .wp4, .dwg, .zif, .wsc, .litemod, .xlk, .wpw, .cfr, .accdb, .bkf, .xll, .xls, .wma, .psd, .xlsx, .bc6, .pak, .p12, .psk, .xdl, .bik, .xbdoc, .csv, .bsa, .xyp, .fos, .dba, .sav, .sidn, .hkdb, .qic, .jpg, .pfx, .nrw, .raw, .xlsm
Mosk encrypts file-by-file. Each file that has been encrypted will be renamed, the extension ‘.mosk’ will be added at the end of its name. Thus, the virus marks all encrypted files. In every directory where there is at least one encrypted file, the virus places a file named ‘_readme.txt’. The file contains a message from Mosk creators. An example of the contents of this file is given below.
Criminals report that the files on the victim’s computer are encrypted and the only way to decrypt them is to buy a unique key and a decryptor, that is, in other words, to pay a ransom. Attackers demand a ransom of $490, and if the victim does not pay within 72 hours, the ransom increases to $980. To confirm the possibility of decrypting files that were locked by the ransomware, the victim must send a letter to the addresses indicated in the ransom note. The email letter should contain a small file and the victim’s personal id. According to the attackers, this file will be decrypted for free. Of course, even if the criminals decrypt one file, there is no guarantee that by paying the ransom the victim will receive the files back.
|Type||Ransomware, Crypto malware, File locker, Filecoder, Crypto virus|
|Encrypted files extension||.mosk|
|Detection Names||Trojan.Ransom/Win32.Stop, Ransom: Win32.STOP, Trojan: TRCrypt, W32: Kryptik|
|Symptoms||Files encrypted with .mosk file extension. Unable to open personal files. Your files now have different extensions that end with something like .mosk. Files called such as ‘_readme.txt’, or ‘_readme” in every folder with an encrypted file.|
|Distribution methods||Adware. Malicious email attachments. Torrents. Drive-by downloads from a compromised web page. Cracks. Social media. Activators and key generators.|
|Removal||Mosk virus removal guide|
|Decryption||Free Mosk Decryptor|
The message from Mosk authors, which is located in file ‘_readme.txt’, is mostly true. Files cannot be decrypted without a decryptor and a key. Fortunately, there is some good news. As we already reported above, this virus belongs to STOP ransomware family, which means that you can use the free decryptor created by Emsisoft to decrypt the encrypted files. Even if the decryptor does not help, there are some alternative methods that can help restore the contents of the encrypted files. To learn more about decrypting files, simply scroll down to section ‘How to decrypt .mosk files’.
- How to remove Mosk ransomware virus
- How to decrypt .mosk files
- How to restore .mosk files
- How to protect your PC system from Mosk ransomware
How to remove Mosk ransomware virus
Finding and removing ransomware components manually is very difficult, so we recommend using malware removal tools. Moreover, it is desirable to use not one, but several utilities. Even if it seems to you that there is no ransomware on the computer, it does not mean anything. The virus may start encrypting the files again the next time you turn on or restart the computer. You must be completely sure that Mosk has been removed, and also that there is no other malware on the computer. Below we provide a list of recommended utilities with brief instructions.
Remove Mosk ransomware with Zemana Anti-malware
In order to find and remove Mosk virus, we recommend using Zemana Anti-malware. It is a great malware removal tool from which you need to start removing the ransomware. Zemana has a simple interface, a powerful anti-malware engine that makes it easy to detect and remove malware of various kinds. This tool is suitable even for a user who has minimal knowledge of computers.
- Zemana can be downloaded from the following link. Save it on your MS Windows desktop or in any other place.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- At the download page, click on the Download button. Your internet browser will open the “Save as” prompt. Please save it onto your Windows desktop.
- Once the downloading process is complete, please close all applications and open windows on your PC system. Next, run a file named Zemana.AntiMalware.Setup.
- This will start the “Setup wizard” of Zemana Free onto your personal computer. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana Anti Malware will launch and show the main window.
- Further, click the “Scan” button to find Mosk related folders,files and registry keys. A system scan can take anywhere from 5 to 30 minutes, depending on your system. While the Zemana AntiMalware program is checking, you may see how many objects it has identified as threat.
- After finished, a list of all threats detected is produced.
- All detected items will be marked. You can delete them all by simply press the “Next” button. The tool will begin to remove Mosk crypto virus and other security threats. After that process is done, you may be prompted to reboot the personal computer.
- Close the Zemana Free and continue with the next step.
Remove Mosk virus with Hitman Pro
HitmanPro is a malware removal tool that does not need to be installed on a computer. You just need to download and run it. HitmanProt has many more advantages, but the main thing is its anti-malware engine. It is able to detect and remove ransomware, trojans, worms, spyware, adware and other malware. Therefore, we strongly recommend using Hitman Pro to find and remove Mosk virus.
- Please go to the following link to download Hitman Pro. Save it on your MS Windows desktop.
Category: Security tools
Update: June 28, 2018
- After downloading is done, double click the Hitman Pro icon. Once this tool is launched, click “Next” button to perform a system scan with this utility for Mosk ransomware virus. A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your PC system and the speed of your system. During the scan Hitman Pro will detect threats exist on your PC.
- Once the scan is done, HitmanPro will open you the results. Review the report and then click “Next” button. Now click the “Activate free license” button to start the free 30 days trial to get rid of all malicious software found.
Remove Mosk with Kaspersky virus removal tool
Kaspersky virus removal tool (KVRT) is free malware removal tool. It can scan and delete ransomware, malware, PUPs, trojans, spyware, adware. KVRT can restore system settings that were changed by malware to normal. KVRT is powerful enough to find and remove Mosk related registry entries and files that are hidden on the computer.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop by clicking on the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After downloading is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is done, you’ll see the KVRT screen such as the one below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan with this utility for Mosk crypto virus. Depending on your PC system, the scan can take anywhere from a few minutes to close to an hour.
After KVRT completes the scan, Kaspersky virus removal tool will display a list of all threats found by the scan as shown on the screen below.
Review the report and then click on Continue to start a cleaning process.
How to decrypt .mosk files
Files with extension .mosk are encrypted, which means that their contents cannot be read without a unique key and decryptor. Until recently, there was no way to decrypt files without paying a ransom to criminals. Fortunately, a free decryptor was created that can be used by the victim of the ransomware attack to decrypt .mosk files.
To decrypt .mosk files, use the following steps:
- Please go to the following link to download STOP Djvu decryptor.
STOP Djvu decryptor
- Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
If during decryption of files, the decryptor reports that the files cannot be decrypted, then Mosk virus used an online key to encrypt them. Files encrypted with the online key cannot yet be decrypted. In this case, we recommend using the alternative methods listed below to restore the contents of encrypted files (see section ‘How to restore .mosk files’).
How to find out which key was used to encrypt files
Open the ransom note (‘_readme.txt’ file), scroll down to the end of the file. There you will see a line with the text ‘Your personal ID’. Below is a line of characters that starts with ‘0180’ – this is your personal id. There is another way to find out your personal id. This method is more accurate, since it shows all IDs that correspond to the keys used to encrypt your files. Look at the contents of a file named ‘PersonalID.txt’ that is located on drive ‘C’ in directory ‘SystemID’.
If your Personal ID ends with ‘t1’, then your files are encrypted using an offline key. As soon as security researchers determine this key, you can easily decrypt all encrypted files. Typically, a key search takes from a few days to several weeks. Therefore, if you determine that your files are encrypted with an offline key, but the decryptor does not decrypt them, then you just need to wait a while. Try decrypting your files every day. There is no need to update the decryptor, as it downloads keys automatically.
If your Personal ID does not end with ‘t1’, then Mosk ransomware used an online key. Even in this case, it is possible to restore the content of encrypted files. We will talk about this in the next section of this article.
How to restore .mosk files
As we have already reported several times, there are some alternative methods that give a chance to restore the contents of encrypted files. Each of these methods does not require a decryptor, a unique key, and generally does not use decryption to unlock encrypted files. We recommend everyone to try these methods to recover files that were not decrypted by a free decryptor. It is important that before proceeding with file recovery, make sure that Mosk virus is completely removed.
Restore .mosk files with ShadowExplorer
The Microsoft Windows has a feature called ‘Shadow Volume Copies’ that can help you to recover .mosk files encrypted by the ransomware. A small tool called ShadowExplorer will allow you to easily access the Shadow copies and restore the encrypted files to their original state. Unfortunately, the ransomware can delete these Shadow copies before it starts encrypting files. Therefore, if ShadowExplorer did not help you, then try another method, which is given below.
First, please go to the following link, then press the ‘Download’ button in order to download the latest version of ShadowExplorer.
Category: Security tools
Update: September 15, 2019
When the download is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown in the following example.
Launch the ShadowExplorer tool and then select the disk (1) and the date (2) that you wish to restore the shadow copy of file(s) encrypted by the Mosk ransomware as on the image below.
Now navigate to the file or folder that you wish to recover. When ready right-click on it and click ‘Export’ button as shown on the screen below.
Restore .mosk files with PhotoRec
The last chance to restore encrypted files to their original state is using data recovery tools. We recommend a program called PhotoRec. It has all the necessary functions to restore the contents of encrypted files. It helped many victims recover data when it seemed like there was no more hope.
Download PhotoRec from the link below.
Category: Security tools
Update: March 1, 2018
Once the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the following example.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as shown on the screen below.
Choose a drive to recover as shown in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted files as shown in the following example.
Press File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is done, press OK button.
Next, click Browse button to choose where restored files should be written, then click Search.
Count of recovered files is updated in real time. All restored documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the restore is complete, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as displayed in the following example.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC system from Mosk ransomware
Most antivirus software already have built-in protection system against the ransomware virus. Therefore, if your PC system does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert that is a fantastic utility to protect your PC system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files.
Click the following link to download the latest version of HitmanPro.Alert for MS Windows. Save it on your Desktop.
Category: Security tools
Update: March 6, 2019
Once the downloading process is complete, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the tool is started, you will be displayed a window where you can select a level of protection, as shown in the figure below.
Now press the Install button to activate the protection.
To sum up
This article was created to help all victims of Mosk ransomware. We tried to give answers to all basic questions, such as: how to remove ransomware; how to decrypt .mosk files; how to recover files, if the decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this article has helped you. If you have questions, then write to us, leaving a comment below. If you need more help with Mosk ransomware virus related issues, go to here.