Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Jun 2020

How to remove Mosk ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Jake Doevan · Computer technology expert

Mosk is ransomware that restricts access to personal files and then demands around $1000 ransom for their redemption

Mosk ransomware

Mosk is a cryptovirus that belongs to the infamous malware family DjvuStop. It is the 181st version that showed up in early November 2019. The main purpose of this ransomware[1] is to hold pictures, videos, and other files hostage, and only release the decryption software if victims agree to pay either $980 or $490 in Bitcoin. Users infected with Most ransomware find out about the demands in a ransom note which is called _readme.txt. The file is dropped into every single folder where the encrypted data (marked with .mosk appendix) is located.

According to research, Mosk ransomware encrypts data with Salsa20 or another strong cipher, preventing users from accessing it. While there is no guaranteed way to decrypt encrypted files without paying, experts advise staying away from criminals and not contacting them via salesrestoresoftware@firemail.cc or salesrestoresoftware@gmail.com emails. Make sure you check updates for StopDecrypter. Also, Emsisoft Decryptor should also be checked if dealing with this ransomware virus. 

Name Mosk ransomware 
Type Cyprovirus
First spotted  Early November 2019 
Ransomware family  Mosk is a variant of Djvu/STOP ransomware strain
File extension  All personal files on a local hard drive and all connected networks/external drives are appended with .mosk extension 
Ransom note  _readme.txt is placed into each of the infected files' folders and includes all the information about how victims should proceed next in order to recover the encrypted data
Contact Hackers use salesrestoresoftware@firemail.cc or salesrestoresoftware@gmail.com – new email addresses that were not used in previous versions of Djvu
Ransom size Ransomware authors ask for $980 in Bitcoin for file redemption. Users are also offered a 50% discount if the contact is made within 72 hours of the infection
File decryption  There are several ways that might be effecting when trying to decrypt .mosk encrypted files. Emsisoft Decryptor for STOP Djvu is one of the tools that can be used for offline encrypted files, although there are other methods available too – please check our recovery section for more details
Malware removal  Rely on anti-malware software to terminate the infection (entering Safe Mode might be necessary in some cases) 
System recovery  Ransomware might render your Windows OS unstable. After removal, we recommend scanning your machine with FortectIntego to fix various corrupted system files to prevent Windows from crashing or other issues 

The ransomware family that Mosk virus belongs to became one of the most prominent ones in the past year, and new versions are being released by cybercriminals on a regular basis. Most recently, security experts from Emsisoft released a decryptor that worked for 148 variants, and users who are affected by those (older versions, such as Peta, Hese, Nasoh, etc.) could get their data for free.[2]

Unfortunately, Mosk ransomware is one of the newer variants of the malware, so its decryption might not be currently possible. Nevertheless, malware researchers also created an alternative tool that might work for victims whose data was encrypted with offline keys. Additionally, if you refer to the recovery section of this article, you will find other methods that might be helpful to decrypt Mosk ransomware files.

Nevertheless, before you proceed, you should remove Mosk ransomware from your machine. For that, you should rely on reputable anti-malware for the process, such as SpyHunterCombo Cleaner, MalwarebytesMalwarebytes, although you can pick other removal software of your choice and perform a full system scan in Safe Mode. To resume normal operations with your Windows computer post-infection and prevent system crashes due to corrupted or broken system files, try using FortectIntego.

Note that the malware might load secondary modules or payloads in order to perform malicious activities like keystroke logging and data harvesting. Therefore, Mosk ransomware removal should be performed as soon as possible.

Mosk ransomware virus

The operation of Mosk ransomware and file encryption process

Ransomware is a type of malware that is usually designed for Windows operating systems, and Mosk ransomware is not an exception – it affects Windows 10, 8, 7, and older versions of the OS. Additionally, unlike most other malware, cryptoviruses do not try to hide from victims after the infection process is initiated.

Before encrypting data, however, the Mosk virus makes several changes to the host system. Once the malicious executable (the name of which is randomly generated) is downloaded, it is placed into one of the following locations:

  • %Temp%;
  • %AppData%;
  • %LocalAppData%

The malicious file is then executed – it starts the preparations from the file encryption process (Windows registry modified, Windows backup function disabled, connections to remote servers established, etc.).

Once all personal files are locked on the computer, the ransom note _readme.txt is dropped, which reads:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-IbdGyCKhdr
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
salesrestoresoftware@firemail.cc

Reserve e-mail address to contact us:
salesrestoresoftware@gmail.com

Keep in mind that paying ransom to Mosk ransomware developers is quite risky – they might simply ignore your requests after you pay the demanded ransom. Additionally, payments from victims will only fuel their will to produce more robust versions of Djvu and infect more victims.

Remember to remove Mosk ransomware along with all the secondary payloads on your PC – check out the details on how to enter Safe Mode (might be necessary sometimes due to prevalence features of the malware) in the removal section of the post below.

Mosk ransomware encrypted files

Mosk ransomware authors rely on pirated software installers for the infection

Djvu/STOP is one of the largest ransomware families to date, and is extremely prevalent – it accounts for 56% of total infections around the globe, according to Emsisoft's ransomware report for 2019 Q2 – Q3.[3] Mosk ransomware developers managed to achieve such success due to active distribution campaigns, that are usually performed via torrent/warez websites that host pirated software installers or keygens/cracks that can activate paid versions of programs for free.

While security experts[4] warn users that downloading such files is not only illegal but also dangerous due to potential malware infections, there will still be many that are willing to risk it. In order to avoid devastating consequences, users should take precautions when downloading high-risk files from unsafe sites (we do not endorse users engaging in pirating software in the first place).

You should employ an ad-blocker extension that would block malicious JavaScript from being executed while visiting torrent and similar sites. Additionally, you should always scan the executable via tools like Virus Total before proceeding to open it. Nevertheless, due to its functionality (i.e., cracking), keygens and cracks will always be marked as malicious, regardless if they include a malicious payload that carries ransomware or not.

Also, you should make sure that you equip your computer with robust anti-malware software, update your OS/programs on time, not open attachments from spam emails, back up your files, and practice general caution when it comes to online web browsing.

Mosk ransomware removal and file recovery methods

Ransomware is a sophisticated computer parasite that includes many features and enables multiple background changes. For that reason, manual Mosk ransomware removal is almost impossible for regular computer users – we do not recommend to engage in doing so. Instead, there are several security programs capable of removing malware automatically after a full system scan is performed. Be aware that malware removal from the system might result in permanent data corruption. Nevertheless, if the payload is kept on the system running, all the incoming files will be encrypted, making the computer practically unusable.

Thus, we advise you to remove Mosk ransomware with anti-malware software. Due to advanced functionality of the virus, that might not be possible until you enter Safe Mode and perform a full system scan from there – the guidelines below. Once you terminate the virus, you can try using several different methods to recover .mosk locked files, as there are several decryptors and third-party tools available for the disposal.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.