What is a .mkos file
The .mkos file extension is appended by a new variant of the STOP (Djvu) ransomware family. Although the ‘Mkos’ variant was released only recently, many users have already run into the results of its activity. It encrypts the files on the computer and renames them by adding the .mkos extension. Encrypted files are useless: their contents cannot be read without decryption. The criminals behind the virus demand a ransom in exchange for the victim’s unique key and a decryptor that restores access to the files. Fortunately, a free decryptor exists that can recover .mkos files in some cases, specifically when an offline key was used. Scroll down to learn more about this decryptor and about the other ways to recover encrypted files.
The Mkos virus encrypts files with a strong cipher (the current STOP (Djvu) variants use the Salsa20 stream cipher) and a long key that is generated for each victim, so a key recovered on one computer is useless for decrypting files on another. When the virus cannot reach its command-and-control (C&C) server to obtain a per-victim key, it falls back to a so-called ‘offline key’ that is the same for every victim of that variant. Most importantly, security researchers have been able to recover these offline keys for many variants.
Mkos does not encrypt absolutely every file, since that would leave the computer unable to run. It skips Windows system files and its own ‘_readme.txt’ ransom notes; everything else on the victim’s computer is encrypted. It makes no difference where the files are located: local hard drives, external disks and locally synced cloud-storage folders are all affected, and any disk that was connected at the time of the attack can be encrypted too. Nor does the file type matter. Files of all common types can be encrypted, including the following:
.webp, wallet, .ibank, .hkx, .2bp, .3fr, .sum, .vpk, .pem, .mddata, .1st, .cdr, .xyp, .xdb, .xlsx, .xy3, .das, .mef, .kdc, .asset, .t12, .x3d, .raw, .itm, .rofl, .pptm, .vtf, .kdb, .mov, .odm, .xar, .7z, .js, .litemod, .ysp, .pfx, .p12, .xls, .accdb, .dcr, .wire, .eps, .tor, .sie, .tax, .wbz, .ptx, .srf, .yal, .kf, .bkp, .mrwref, .rar, .pkpass, .bkf, .vfs0, .rgss3a, .dng, .dba, .vpp_pc, .vcf, .p7b, .cfr, .lvl, .xbdoc, .3ds, .z, .sr2, .dwg, .0, .srw, .cr2, .ztmp, .bay, .wma, .ws, .pdd, .wgz, .crt, .wot, .mp4, .qic, .fpk, .t13, .dmp, .mcmeta, .xwp, .big, .iwi, .zdc, .yml, .xpm, .hvpl, .wp, .rwl, .re4, .epk, .menu, .dbf, .d3dbsp, .lbf, .arw, .zif, .odc, .png, .z3d, .wpg, .y, .qdf, .gdb, .zip, .esm, .wp5, .p7c, .ncf, .rb, .xlgc, .apk, .dxg, .orf, .m2, .py, .xll, .wpb, .mdb, .erf, .itdb, .css, .bc7, .odb, .cer, .m3u, .mdf, .psd, .pptx, .pdf, .xdl, .bar, .xmmap, .xmind, .wpt, .bik, .3dm, .vdf, .rw2, .sql, .raf, .zi, .odp, .mdbackup, .xls, .svg, .docm, .zabw, .1, .docx, .ybk, .wmo, .ppt, .wps, .nrw, .avi, .w3x, .rtf, .sav, .mpqge, .wsh, .wdb, .x3f, .wmv, .wmf, .wbc, .xbplate, .dazip, .fsh, .wp6, .ai, .map, .jpeg, .wcf, .wav, .zip, .zdb, .wsd, .pak, .fos, .csv, .xml, .layout, .wp7, .ff, .wp4, .wotreplay, .db0, .wpd, .xld, .wsc, .wbmp, .jpg, .wps, .sid, .wpe, .hplg, .txt, .pef, .psk, .xlk, .icxs, .xlsm, .sb, .webdoc, .zw, .xlsb, .wn, .crw, .rim, .sidd
When encryption finishes, all documents, databases, pictures and other files are encrypted and their contents locked. Each encrypted file gets a new name consisting of its old name with the extension ‘.mkos’ appended, so a file called ‘document.docx’ becomes ‘document.docx.mkos’ (the original extension is kept, which still tells you what kind of file it was). The Mkos virus drops a file called ‘_readme.txt’ in every folder that contains at least one encrypted file. The contents of this file are shown in the image below.
This file contains a message from the Mkos authors. They inform the victim that the files on the computer have been encrypted and offer to sell a unique key and decryptor, which, according to them, is the only way to decrypt the files and restore access to their contents. The criminals demand $980, but agree to take half that amount ($490) if the victim pays within 72 hours. Because the attackers know that nobody trusts their word, they offer to decrypt one file for free; the file must be small and must not contain important information. Nevertheless, security experts warn victims of the Mkos virus that a successful test decryption of one file guarantees nothing: there is no guarantee that paying the ransom will result in the files being decrypted.
Threat Summary
| Parameter | Details |
| --- | --- |
| Name | Mkos |
| Type | File locker, Ransomware, Crypto virus, Crypto malware, Filecoder |
| Encrypted files extension | .mkos |
| Ransom note | _readme.txt |
| Contact | datarestorehelp@firemail.cc, datahelp@iran.ir |
| Ransom amount | $490 if paid within 72 hours, otherwise $980, in Bitcoin |
| Detection names | UDS:Dangerous.ObjectMulti.Generic, TrojanWin32:Kryptik, FileRep.Malware, TRCrypt:Agent, MalwareWin32Nemty.Ransom, TrojanEncoder, TrojanRansom/Crypted |
| Symptoms | Files are encrypted and given a .mkos extension. A file called ‘_readme.txt’ appears in every folder that contains an encrypted file. |
| Distribution methods | Torrent websites. Spam e-mails that contain malicious links. Drive-by downloads (the crypto virus can infect a PC simply through a visit to a web site that runs malicious code). Cracked games. Social media posts (used to trick users into downloading malware with a built-in ransomware downloader or clicking a malicious link). Malicious web pages. |
| Removal | Mkos virus removal guide |
| Decryption | Free Mkos Decryptor |
The criminals are not lying when they claim that encrypted files cannot be decrypted without the key and decryptor; security researchers confirm that part of the ransom note. But the files are not fully encrypted: only the first 154 KB of each file is overwritten with ciphertext, and everything after that is left untouched. For most file types this helps little, because the header and the start of the content are exactly what was destroyed. The exception is large archives. Formats such as ZIP keep their index (the central directory) at the end of the file, so if the archive is larger than 154 KB the index usually survives, and any member whose data lies entirely beyond the encrypted region can still be extracted; only the members stored within the first 154 KB are lost. To try this, rename the encrypted file by removing the .mkos extension, open it in an archiver, ignore the errors for the damaged leading entries, and extract the files you need.
Fortunately, there is also a free decryptor that can decrypt .mkos files. It has one limitation: it can only decrypt files that were encrypted with an offline key. Files encrypted with an online key cannot be decrypted yet, because there is no way to determine that key. In that case the victim can fall back on alternative methods that do not rely on a key or decryptor at all. These methods are described in the section ‘How to restore .mkos files’ below.
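As an added example (not part of the original guide, and not code from any vendor named on this page), the following Python script automates the archive trick for ZIP files. It builds a constructed sample archive, damages it the way the guide describes (the first 0x25800 bytes overwritten, plus a small constructed trailer standing in for the per-victim data the ransomware is reported to append), and then extracts only the members whose local header and data lie beyond the damaged region. The sample data, the zero-byte stand-in for ciphertext, the trailer and the exact prefix size are assumptions made for the demonstration.

```python
import os
import tempfile
import zipfile

# Size of the region STOP/Djvu overwrites at the start of each file. The guide
# says "the first 154kb"; the figure usually quoted for this family is
# 0x25800 = 153,600 bytes. Treat it as an assumption and adjust if needed.
ENCRYPTED_PREFIX = 0x25800


def salvage(encrypted_zip, out_dir):
    """Extract every member of a partially encrypted ZIP whose bytes lie
    entirely beyond ENCRYPTED_PREFIX. Returns (recovered, lost) name lists.

    zipfile reads the central directory from the end of the file, so it can
    still enumerate members; reading a member whose local header was
    overwritten would fail, so those are skipped instead of attempted.
    """
    recovered, lost = [], []
    with zipfile.ZipFile(encrypted_zip) as zf:
        for info in zf.infolist():
            # header_offset is the member's local header, which precedes its
            # data, so one comparison covers both header and content.
            if info.header_offset < ENCRYPTED_PREFIX:
                lost.append(info.filename)
                continue
            data = zf.read(info)  # CRC-32 is verified here
            # basename() guards against '../' member names (zip slip)
            target = os.path.join(out_dir, os.path.basename(info.filename))
            with open(target, "wb") as fh:
                fh.write(data)
            recovered.append(info.filename)
    return recovered, lost


def build_sample(directory):
    """Constructed input: a ZIP whose first member is bigger than the
    encrypted prefix, then a stand-in for what the ransomware leaves behind."""
    clean = os.path.join(directory, "backup.zip")
    with zipfile.ZipFile(clean, "w") as zf:
        # Stored uncompressed so the member really occupies 200,000 bytes.
        zf.writestr("big.bin", b"A" * 200_000, compress_type=zipfile.ZIP_STORED)
        zf.writestr("notes.txt", b"important notes", compress_type=zipfile.ZIP_DEFLATED)
    with open(clean, "rb") as fh:
        original = fh.read()
    # Zero bytes stand in for ciphertext, and a 300-byte block stands in for
    # the per-victim data STOP/Djvu is reported to append (real layout not
    # reproduced). zipfile tolerates trailing bytes when locating the index.
    damaged = b"\x00" * ENCRYPTED_PREFIX + original[ENCRYPTED_PREFIX:] + b"\xee" * 300
    encrypted = clean + ".mkos"
    with open(encrypted, "wb") as fh:
        fh.write(damaged)
    return encrypted


def run_demo():
    """Build the sample, salvage it and return (recovered, lost, notes_bytes)."""
    with tempfile.TemporaryDirectory() as work:
        encrypted = build_sample(work)
        out_dir = os.path.join(work, "recovered")
        os.mkdir(out_dir)
        recovered, lost = salvage(encrypted, out_dir)
        with open(os.path.join(out_dir, "notes.txt"), "rb") as fh:
            notes = fh.read()
    return recovered, lost, notes


if __name__ == "__main__":
    print(run_demo())
```

Running the script prints `(['notes.txt'], ['big.bin'], b'important notes')`: the member stored in the damaged prefix is reported as lost, the member stored after it is recovered intact. Against a real file, call `salvage()` on the .mkos path directly; `zipfile` identifies an archive by its structure rather than its name, so the rename described above is only needed for GUI archivers.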
How to remove Mkos ransomware virus
Attention: the first thing you must do is scan the infected computer for malware and find and remove every Mkos ransomware component. Do not skip this step and jump straight to decryption: if the ransomware is still running it can re-encrypt the files you have just recovered, and you risk losing them all. To remove the Mkos ransomware virus we recommend the free malware removal tools listed below, with brief instructions. If you already have an antivirus, run a full scan with it first and then use the tools below. Each of these tools can detect and remove various malware, ransomware included, but none of them can recover or decrypt files. Complete this step before moving on to the decryption section.
How to remove Mkos ransomware virus with Zemana Anti-Malware (ZAM)
Zemana Anti-Malware (ZAM) is recommended because it can detect security threats such as the Mkos virus and other malware and trojans that many ‘classic’ antivirus apps fail to pick up. Moreover, if you run into Mkos removal problems that the tool cannot fix automatically, Zemana provides 24x7 online assistance from experienced support staff.
- Visit the page linked below to download Zemana install package.
Zemana AntiMalware (Author: Zemana Ltd; Category: Security tools; Updated: July 16, 2019)
- Run the installation package and then follow the prompts.
- When installation is done, this malware removal utility will automatically start and update itself.
- Click the “Scan” button to scan the system for Mkos ransomware related folders,files and registry keys.
- As the scanning ends, click “Next” button.
Run MalwareBytes AntiMalware to remove Mkos ransomware
If you are having trouble removing the Mkos virus, use MalwareBytes AntiMalware (MBAM). It is free for home use and identifies and removes the various kinds of malware that attack your PC: MalwareBytes Free can remove ransomware, adware, spyware, PUPs, trojans, worms and other malware.
- Visit the page linked below to download the latest version of MalwareBytes for Windows.
Malwarebytes Anti-Malware (Author: Malwarebytes; Category: Security tools; Updated: April 15, 2020)
- Double-click on the downloaded file and follow the prompts.
- Once installation is done, click the “Scan Now” button. MalwareBytes will start scanning the whole system to find out Mkos ransomware virus and other malware.
- When MalwareBytes AntiMalware is finished scanning your personal computer, click “Quarantine Selected” button.
The following video explains step-by-step guidance on how to remove malicious software with MalwareBytes Anti-Malware (MBAM).
Remove Mkos virus with Kaspersky virus removal tool
If MalwareBytes Anti-Malware or Zemana Anti-Malware cannot detect and remove the Mkos virus, we suggest using the Kaspersky Virus Removal Tool (KVRT). It is a free removal tool for ransomware, adware, trojans, worms, PUPs and other malware.
- Download Kaspersky virus removal tool (KVRT) from the link below.
Kaspersky Virus Removal Tool (Author: Kaspersky Lab; Category: Security tools; Updated: March 5, 2018)
- Run the downloaded file.
- Click Start scan to find and remove Mkos virus.
- When the computer scan is completed, click on the Continue button.
To learn more about How to use Kaspersky virus removal tool to remove Mkos virus, we recommend that you read the following guide: How to use Kaspersky virus removal tool.
How to decrypt .mkos files
Files with the ‘.mkos’ extension are encrypted files. To decrypt them you need the decryptor and the key that was used. Fortunately, there is a free decryptor that can decrypt .mkos files. It is compatible with all modern versions of Windows and handles files of any size and type; its one limitation, explained below, is that it only works for files encrypted with an offline key.
To decrypt .mkos files, use free STOP (mkos) decryptor
- Download STOP (mkos) decryptor from the following link.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
As explained above, the Mkos virus uses one of two kinds of key to encrypt files: an online key or an offline key. Emsisoft has been able to obtain the offline keys, so at the moment the decryptor can only decrypt files encrypted with an offline key. Files encrypted with an online key cannot be decrypted yet, because that key is held only by the authors of the ransomware.
This does not mean that files encrypted with an online key are lost forever. Fortunately, there are several ways to recover encrypted files that do not involve decryption at all, and which therefore work regardless of which type of key was used.
How to find out which key was used to encrypt files
Determining which type of key was used is not difficult; below we give two methods. We recommend the second one, as it is more accurate.
First, you can look at the Personal ID given in the ‘_readme.txt’ file (the ransom note).
Second, look on drive C for the file ‘SystemID\PersonalID.txt’ (that is, C:\SystemID\PersonalID.txt). This is where the Mkos virus stores the Personal IDs used for encryption; the file can list more than one ID if the computer was infected more than once.
The ‘Personal ID’ is not the key itself but an identifier tied to the key that was used. If the ID ends in ‘t1’, the files were encrypted with an offline key. If it does not end in ‘t1’, the Mkos virus used an online key. If you cannot work out which key was used, we can help: write a request here or in the comments below.
If the STOP (Mkos) decryptor displays the message ‘Error: Unable to decrypt file with ID’, there are two possible reasons:
- the files are encrypted with an ‘online key’; in this case you need to use the alternative methods to restore the contents of the encrypted files;
- the files are encrypted with an ‘offline key’, but that particular key has not yet been obtained by security researchers; in this case be patient and wait a while, and in the meantime you can also try the alternative recovery methods.
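To make the symptom check from the threat summary and the two key-identification methods above concrete, here is an added Python triage script (not part of the original guide, and not code from Emsisoft or any other vendor). It walks a directory tree, counts .mkos files per folder, flags affected folders that unexpectedly lack a ‘_readme.txt’, and classifies every ID found in SystemID\PersonalID.txt with the ‘ends in t1’ rule from the text. The sample folder layout and the two Personal IDs it builds are constructed for the demonstration; on a real machine you would point `triage()` at the root of drive C.

```python
import os
import tempfile
from collections import Counter

NOTE_NAME = "_readme.txt"
ENCRYPTED_EXT = ".mkos"

# Made-up IDs for the demo (not real victim IDs): one offline-style, one online-style.
SAMPLE_ID_OFFLINE = "0000000000000000000000000000000000000000t1"
SAMPLE_ID_ONLINE = "0000000000000000000000000000000000000000Zq"


def classify_personal_id(pid):
    """Apply the rule from the guide: an ID ending in 't1' means the sample
    fell back to its offline key; anything else means an online key."""
    pid = pid.strip()
    if not pid:
        return "empty"
    return "offline" if pid.endswith("t1") else "online"


def triage(root):
    """Walk `root` and summarise the infection.

    Returns the number of .mkos files, the number of affected directories,
    affected directories (relative to root, '/'-separated) that have no
    ransom note, and each Personal ID from <root>/SystemID/PersonalID.txt
    mapped to 'offline' or 'online'.
    """
    per_dir = Counter()
    dirs_with_note = set()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
            elif name == NOTE_NAME:
                dirs_with_note.add(dirpath)
    missing_note = sorted(os.path.relpath(d, root).replace(os.sep, "/")
                          for d in per_dir if d not in dirs_with_note)

    ids = {}
    pid_file = os.path.join(root, "SystemID", "PersonalID.txt")
    if os.path.isfile(pid_file):
        with open(pid_file, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                pid = line.strip()
                if pid:
                    ids[pid] = classify_personal_id(pid)

    return {
        "encrypted_files": sum(per_dir.values()),
        "affected_dirs": len(per_dir),
        "dirs_without_note": missing_note,
        "personal_ids": ids,
    }


def build_sample(root):
    """Constructed sample tree standing in for an infected C: drive."""
    docs = os.path.join(root, "Users", "alice", "Documents")
    pics = os.path.join(root, "Users", "alice", "Pictures")
    sysid = os.path.join(root, "SystemID")
    for d in (docs, pics, sysid):
        os.makedirs(d)
    for name in ("report.docx.mkos", "budget.xlsx.mkos"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 64)
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        fh.write("ATTENTION!\n")  # placeholder, not the real note text
    with open(os.path.join(pics, "cat.jpg.mkos"), "wb") as fh:
        fh.write(b"\x00" * 64)  # this folder deliberately has no note
    with open(os.path.join(root, "Users", "alice", "clean.txt"), "w") as fh:
        fh.write("untouched\n")
    with open(os.path.join(sysid, "PersonalID.txt"), "w") as fh:
        fh.write(SAMPLE_ID_OFFLINE + "\n" + SAMPLE_ID_ONLINE + "\n")


def run_demo():
    """Build the sample tree in a temp dir and return its triage summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

A folder full of .mkos files with no note is worth a second look during incident response: it may mean the note was cleaned up by an antivirus scan, or that the folder was hit by something other than this family. Two IDs in PersonalID.txt, one offline and one online, mean the free decryptor can only help with the files encrypted in the offline run.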
How to restore .mkos files
Fortunately, there are alternative ways to recover encrypted files. None of them relies on a decryptor or a key, so they suit every victim regardless of which key the Mkos virus used, and using them does not interfere in any way with a later decryption by the free decryptor. The only precondition: before you begin file recovery, check the computer for malware again; you need to be completely sure the ransomware has been removed.
Restore .mkos encrypted files using Shadow Explorer
ShadowExplorer is a free utility that gives easy access to the ‘Previous Versions’ feature of Windows 10 (8, 7, Vista), which is backed by Volume Shadow Copies. With it you can restore photos, documents and music encrypted by the Mkos crypto malware from those shadow copies for free. One caveat: many ransomware families delete the shadow copies during the attack, so if ShadowExplorer lists no dates for the drive, there is nothing to restore and you should move on to PhotoRec.
- Download the latest version of ShadowExplorer from the following link:
ShadowExplorer (Author: ShadowExplorer.com; Category: Security tools; Updated: September 15, 2019)
- Extract the saved file to a folder on your computer.
- Run ShadowExplorerPortable.
- Select the date and the drive.
- On right panel navigate to the file (folder) you wish to restore.
- Right-click to the file or folder and press the Export button.
To learn more about how to use ShadowExplorer to recover .mkos files, read the guide linked below.
How to Recover encrypted files from Volume shadow copies
Recover .mkos files with PhotoRec
The last resort for restoring encrypted files to their original state is a data recovery tool. We recommend the free tool PhotoRec, which carves files by their format signatures from raw disk blocks. It can bring back originals only if the ransomware wrote the encrypted copy elsewhere and deleted the original, and only while the deleted original’s blocks have not yet been overwritten, so run it as soon as possible and keep the disk otherwise idle. It has helped many victims recover data when there seemed to be no hope left.
- Download PhotoRec by clicking on the following link.
- Extract the downloaded file.
- Double click on qphotorec_win to run PhotoRec.
- Choose a drive.
- Choose a partition that holds encrypted files.
- Click File Formats to specify file types to restore. When this is done, click OK button.
- Click the Browse button to choose where the restored files should be written (use a different drive than the one you are scanning, so that the recovery does not overwrite the very blocks you are trying to carve), then press the Search button.
To learn more about how to use PhotoRec to recover .mkos files, read the guide linked below.
How to Recover encrypted files using PhotoRec
How to protect your computer from ransomware
Most antivirus applications already include ransomware protection, so if your PC does not have an antivirus program, install one. For extra protection, use HitmanPro.Alert, a small security utility that checks system integrity and alerts you when critical system functions are affected by malware; it can detect, remove and reverse the effects of ransomware. No protection software is perfect, so also keep regular backups of important files on media that is disconnected or write-protected when not in use: a backup is the one recovery method that works no matter which key the ransomware used.
- Installing the HitmanPro.Alert is simple. First you’ll need to download HitmanPro.Alert on your machine by clicking on the link below.
- Run the downloaded file.
- Choose a level of protection.
- Click the Install button to activate the protection.
To sum up
This guide was created to help victims of the Mkos ransomware virus. We have tried to answer the following questions: how to remove the ransomware; how to decrypt .mkos files; how to recover files if the STOP (Mkos) decryptor does not help; and what online and offline keys are. We hope the information in this guide has helped you.
If you have questions, write to us by leaving a comment below. If you need more help with Mkos-related issues, go here.