Cyber Security Center

Moss ransomware removal


Moss ransomware is malware from Djvu/STOP ransomware family. It’s yet another version from this notorious group, and it’s practically identical to all other versions, like Lyli, Kolz, and Npph. Adds the .moss file extension to encrypted files, and drops the _readme.txt ransom note.

 

Moss ransomware note

If users find that the .moss extension has been added to their files, they have been infected with Moss ransomware, yet another version from the Djvu/STOP ransomware family which already has more than 200 versions. This version can differentiated from the other ones by the .moss extension that gets added to encrypted files. Files with that extension will not be openable, unless they are first decrypted. The cyber criminals behind this ransomware will attempt to sell the decryption tool to victims, though buying it is not recommended.

The ransom note, which is identical to the ones dropped by other ransomware from this family, claims that a decryptor would be sent to victims who are willing to pay the ransom. The ransom is $980 but those who make contact within the first 72 hours would receive a 50% discount, thus would need to pay $490. However, paying is not recommended because it simply does not mean that a decryptor would be sent to all those who pay. Users should keep in mind that it’s cyber criminals they are dealing with, and there really is nothing stopping them from taking the money without sending a decryptor. After all, it has happened in the past.

Unfortunately, this means that currently the only sure way to recover files is via backup. Ransomware is one of the main reasons why backing up files is critical to anyone who does not want to lose them. If backup is available, users can access it to recover files once they delete Moss ransomware. The ransomware needs to be removed fully because otherwise it may encrypt backed up files as well.

There is a small chance that a free decryptor will be released by malware researchers. Older versions of Djvu are decryptable with Emsisoft’s Djvu/STOP decryptor, but it does not work on newer versions, which includes Moss. Nonetheless, users who are out of options should back up encrypted files, store them somewhere safe and hope for a free decryptor to be released. However, we should warn that there are fake decryptors that are actually malware. Legitimate decryptors will come from Emsisoft, NoMoreRansom, other anti-virus vendors and malware researchers.

Users’ bad browsing habits often lead to their computers getting infected

Users who have not developed good browsing habits often end up infecting their computers with malware. That is because they open unsolicited email attachments, download torrents, click on suspicious ads and visit high-risk websites.

Opening unsolicited email attachments is one of the most careless things users can do. Malicious actors buy email addresses from hacker forums and then use them to launch a malicious email campaign that carry malware. The emails carry malware disguised as important documents, which the emails pressure users to open. The malicious email is often a poor imitation of an email sent by a service provider, a bank, goverment agency/organization, etc. The emails are also often full of grammar and spelling mistakes, so attentive users should be able to easily spot a potentially malicious email. But just as a precaution, users should scan all unsolicited email attachments with their anti-virus programs or VirusTotal before opening them.

Torrents are also huge ransomware distributors. Because torrent sites and forums are not strictly regulated, it’s easy to upload anything on them, including malware disguised as popular content such as movies, TV shows, games, etc. Thus, users who pirate via torrents have an increased risk of getting ransomware.

What does Moss ransomware do?

Ransomware’s presence is immediately noticeable because it encrypts files. It will encrypt all personal files, including photos, videos, and documents. All encrypted files will have the .moss file extension, which will help them determine which ransomware they’re dealing with. For example, image.jpg would become image.jpg.moss. All files with that extension will be unopenable until they are decrypted. A ransom note _readme.txt will be dropped, and it will contain information about how users can buy a decryptor.

Here is the full ransom note:

ATTENTION!

Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-7596obcC8h
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoremanager@airmail.cc

Your personal ID:

In order to get the decryptor, users need to send an email to helpmanager@mail.ch or restoremanager@airmail.cc with their personal IDs, which are shown at the end of the ransom note. Victims are required to pay $980, or $490 if they send the email within 72 hours. But whether it’s the full, or the discounted ransom sum, it’s not recommended to pay. There really are no guarantees that a working decryptor would be sent. Furthermore, the ransom payments only support future criminal activities and make ransomware profitable for cyber criminals.

How to remove Moss ransomware

Users should use anti-virus software to delete Moss ransomware, and plenty of them detect it. Manual Moss ransomware removal should not be done unless users know exactly what they’re doing, as it could cause even more damage. Once the ransomware is gone, users can open backup and start recovering files.

Moss ransomware is detected as:

  • A Variant Of Win32/Kryptik.HGNO by ESET
  • HEUR:Trojan-Ransom.Win32.Stop.gen by Kaspersky
  • Trojan.MalPack.GS by Malwarebytes
  • Trojan:Win32/CryptInject!ml by Microsoft
  • ML.Attribute.HighConfidence by Symantec