Morseop ransomware is file-locking malware that encrypts files, appends the .morseop-7j9wrqr extension to affected files and drops a ransom note, “how restore hurt documents.inf”, which demands that victims pay money to get a decryptor for file recovery.
Discovered by GrujaRS, Morseop ransomware is file-encrypting malware that not only encrypts files but also threatens to sell data it has supposedly stolen from the computer. It’s a serious ransomware infection that can lead to permanent file loss if victims do not have a backup. Once it gets inside, it will start encrypting files. Victims will be unable to open files with the extension .morseop-7j9wrqr as they will be encrypted. The only way to decrypt them is to use a special decryption tool, which will be offered to victims by the cyber criminals responsible for this ransomware. However, the decryptor does not come for free, and users will first need to pay. The ransom sum is not specified in the “how restore hurt documents.inf” ransom note, but it will likely be somewhere between a couple of hundred and a couple of thousand dollars.
Paying the ransom, or even contacting cyber criminals, is usually discouraged. While buying the decryption tool may seem like the best option, paying will not necessarily mean users will get a working decryptor, or get one at all. It’s not uncommon for cyber criminals to not send a decryptor once the ransom has been paid, seeing as nothing obliges them to do so.
If files have been backed up prior to infection, users can start file recovery as soon as they remove Morseop ransomware. It’s very important that users fully get rid of the ransomware before accessing the backup because otherwise, files in the backup may become encrypted as well.
How do users pick up ransomware
In many cases, users infect their computers with ransomware because they have bad browsing habits and are unaware that something as simple as opening an email attachment could lead to a serious infection. If users develop good browsing habits and learn to be more cautious, they will be able to avoid the majority of malware infections.
Ransomware and other malware are often spread via torrent sites and forums. Torrent sites in particular are often unregulated, which allows malware distributors to disguise malware as torrents for popular content, such as movies, TV shows, games, etc. Forums and sites promoting software cracks are similar. Users who download copyrighted content via these unsafe sources are putting their computers in danger.
Making sure the system has all important updates installed is very important. The WannaCry ransomware was able to infect so many computers because many did not install an important Windows update that patched a vulnerability which allowed the ransomware to enter. Installing updates is essential, and updating should be done on a regular basis. Whenever possible, users should enable automatic updates to make sure important ones are always installed.
The most common way users infect their computers with ransomware is by opening malicious email attachments. Cyber crooks launch spam email campaigns using email addresses purchased on hacking forums, and attach malicious files to those emails. They are usually more or less obvious, unless they target someone specific. The malicious emails often have loads of grammar and spelling mistakes, are sent from nonsense email addresses, and put strong pressure on the user to open the attachment. As a precaution, users should avoid opening unsolicited email attachments, unless they’ve been scanned with anti-malware software or VirusTotal first.
What does Morseop ransomware do
Once Morseop ransomware is inside the system, it will start encrypting files. It will primarily target documents, photos, videos, etc., essentially everything users would be most willing to pay for. Users will know which files have been encrypted because of the extension .morseop-7j9wrqr that will be added. The ransomware will then drop the “how restore hurt documents.inf” ransom note, which will explain that files have been encrypted. It will also threaten to expose victims’ stolen files if they refuse to pay. Quite a few ransomware strains have switched from simply encrypting files to actually stealing them and threatening to publish them.
Here is the full ransom note:
Files on your computers are encoded by a hard algorithm.
Your network has been penetrated.
All data on each machine in the network have been access denied with a intricate cryptoalgorithm.
reservation copies were either ciphered or deleted. Volume Shadow copies also erased.
DO NOT DELETE the encrypted and readme files.
This stuff I’m telling you could get to the impracticability of recovery your files
DO NOT RESET OR SHUTDOWN – files may be unrecoverable.
DO NOT DELETE *.morseop-[random_string] files.
To get information how to decrypt your files, write to us at the address below:
We have downloaded your essential data. If you will not cooperate with us, your data will be sold on auction
To confirm our honest intentions we will decrypt few files for free.
Send one-two-three different protected docs with extension *.morseop-7j9wrqr. Documents must not hold essential information.
Files must be packed and sent to us (SUBJ : your domain name).
It can be from different machines on your infrastructure to be sure we decode everything.
The procedure to recovery is very simply:
After receiving bitcoins We will send you any you need to restore normal operation of your network.
Not lose time, send email with files bound quickly as possible.
If you will not co-operate with our service – for us, it’s doesnot matter. But you will lose your time and data, cause just we have the decoder.
if you exposure with the police forces, then they completely BLOCK any busyness (mainly financial) of the corporation until the end of the proceedings on their part.
If we do not do our works and commitments – nobody will not cooperate with us. It’s not in our interests.
It’s just a job. We absolutely do not care about you and your deals, except getting benefits.
The ransom note does not specify how much victims would need to pay, though it will likely depend on how important the encrypted files are. The note also mentions that they will decrypt 3 files for free, as proof that they can. However, trusting cyber criminals to keep their word and help with file recovery is risky, as there are no guarantees that they will actually help.
Unfortunately, currently the only way to recover files is via backup. But backup should only be accessed once users fully remove Morseop ransomware.
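A read-only triage sketch for scoping which files need to be restored from backup, using the two indicators given above (the appended extension and the ransom note file name). It is an added example, not part of the original article; the assumption that the suffix after "morseop-" is alphanumeric, and the sample tree built in demo(), are constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# Indicators from the article. The suffix after "morseop-" is assumed to be an
# alphanumeric per-victim string, per the note's "*.morseop-[random_string]".
ENCRYPTED_RE = re.compile(r"\.morseop-[a-z0-9]+$", re.IGNORECASE)
NOTE_NAME = "how restore hurt documents.inf"

def scan_tree(root):
    """Return (encrypted file paths, ransom note paths, suffix counts) under root."""
    encrypted, notes, suffixes = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            match = ENCRYPTED_RE.search(name)
            if name.lower() == NOTE_NAME:
                notes.append(path)
            elif match:
                encrypted.append(path)
                suffixes[match.group(0).lower()] += 1
    return sorted(encrypted), sorted(notes), suffixes

def original_name(path):
    """Strip the appended extension to get the name to look for in a backup."""
    return ENCRYPTED_RE.sub("", os.path.basename(path))

def demo():
    """Build a constructed sample tree (not real victim data) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        for rel in ("report.docx.morseop-7j9wrqr",
                    "notes.txt",  # untouched file, must not be reported
                    NOTE_NAME,
                    os.path.join("finance", "budget.xlsx.MORSEOP-7J9WRQR"),
                    os.path.join("finance", NOTE_NAME)):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample\n")
        encrypted, notes, suffixes = scan_tree(root)
        return {
            "encrypted": len(encrypted),
            "notes": len(notes),
            "restore_names": sorted(original_name(p) for p in encrypted),
            "suffixes": dict(suffixes),
        }

if __name__ == "__main__":
    print(demo())
```

The scan only reads directory listings and never opens or modifies the affected files, so it can be run against a mounted copy of the disk before any restore begins.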
Morseop ransomware removal
It is necessary to use anti-malware software to delete Morseop ransomware because it’s a dangerous malware infection, and manual removal may lead to even more damage. Once users remove Morseop ransomware, they can start file recovery from backup.
For users who have no backup, there aren’t many options. It is possible that malware researchers will release a free decryptor, so victims should back up encrypted files and store them somewhere safe for when a decryptor becomes available. However, users should be very careful about where they download decryptors from, as cyber criminals have started disguising malware as decryptors. Victims can find decryptors on NoMoreRansom or by checking Twitter accounts of security researchers, such as Michael Gillespie, who regularly help victims of ransomware. However, victims should keep in mind that at the time of writing, a decryptor is not available.
Morseop ransomware is detected as:
- Ransom:Win32/Morsp.ST!MTB by Microsoft
- Ransom.FileCryptor by Malwarebytes
- TROJ_GEN.R002C0RHJ20 by TrendMicro
- A Variant Of Win32/Filecoder.OBU by ESET
- Gen:Variant.Razy.647127 by BitDefender