Moba ransomware - Virus Files Removal - Decryption Methods Included

Moba virus Removal Guide

What is Moba ransomware?

Moba ransomware is a file locking virus that uses blackmail strategy to gain money from infected users

Moba ransomwareMoba ransomware is the threat that creates a money-demanding message in a text file to encourage victims to pay up for the alleged decryption software.

Moba ransomware is a cryptovirus that infects the machine via pirated software installers and affects files like documents, pictures, audio files, archives, and appends .moba extension to them. The data encryption allows threat actors to demand ransom from people by claiming that nobody else can help them to recover it. As soon as the file locking process is complete, users are shown _readme.txt file, which contains typical information provided by Djvu ransomware creators. The contents of the ransom note have been pretty much the same for a while – hackers demand $490/$980 Bitcoin payment consistently, although the contact emails may vary (this time is provided).

Moba file virus authors are aware that no fully functional decryption tool currently exists, and they are ready to abuse this fact. Nevertheless, the case is not completely lost, as there are several other options that, in some cases, could help you (for example, Emisosft's decryptor works for versions that were encrypted with an offline RSA[1] key). Nevertheless, you should also take care of the threat removal first, as malicious actors behind the STOP virus family are known to deliver malware along with Trojans and also install additional modules that can steal sensitive information via the web browsers.

Name Moba ransomware
Type Cryptovirus[2]
Family Djvu/STOP ransomware that is known since 2017
File marker .moba – the appendix is added at the end of every file affected by the encryption algorithm. It comes at the end after the original name and file-type extension
Ransom note _readme.txt contains the message from virus creators that delivers all the information about the infection (contact details, ransom size, etc.)
Distribution Djvu virus variants are known to be spread via pirated software installers and cracks/loaders/keygens, etc. Nonetheless, other popular distribution methods, such as spam emails, might also be used
Elimination To get rid of Moba file virus, you should employ powerful security applications, such as SpyHunter 5Combo Cleaner or Malwarebytes
Why can't I Open .moba files? Scanning the computer with security software will not recover your files, as it is not designed for that. Without backups, however, retrieving data is quite difficult, although not impossible. You can try Emsisoft's decryption tool or rely on third-party software – we provide detailed instructions in the recovery section below
Repair To remediate compromised Windows system, you can employ repair tools like FortectIntego – it can sometimes save you from having to perform a full OS reinstall

Moba ransomware is the threat that manages to affect the system in various ways. Besides encryption, this infection also gathers some other methods to damage the machine and processes supposedly useful for the victim later on. These features and recovery functions like System Restore can get disabled.

Moba virus tries to offer the discount and claim about the only option that is paying, but you shouldn't consider the payment because all the supposed promises are false and criminals more likely going to disappear after the cryptocurrency transfer instead.

Moba ransomware demands the payment in a text file named _readme.txt that delivers the following:


Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

Make sure to remove Moba ransomware, instead of paying or contacting these criminals, with proper anti-malware tools, and then clear the traces, terminate any damage, so the computer is safe for other steps. There is a possibility to get some formats of data recovered[3] since researchers create some particular tools. But the best solution for encoded files is data backups, that you need to make yourself.

Moba ransomware virusMoba ransomware - the cryptovirus that asks for money in the form of Bitcoin.

Moba ransomware launches the attack with an encryption algorithm that is army grade and can change the original code fully. Experts[4] always note that encoding is a difficult process and not easily reversible. This is why decryption tools and applications for malware termination didn't get developed for years.

Computers that load Moba ransomware virus become slow, and the threat uses resources of the machine during file locking, so the computer is not easily used. These issues should indicate that there is something wrong with your machine security-wise. React as soon as you can to any speed or performance issues, so you can detect the malware before it gets extremely persistent.

Even though Moba ransomware creators promise the file recovery while asking for hundreds of dollars, you shouldn't consider paying because criminals are not trustworthy. Also, recently it has been discovered that .mp3 and some JPG files might be decrypted by using the official decrypters. For other data, you either need a backup file copy or the program that could recover files for you.

We should note that it is possible to lose your files permanently or suffer money losses when you pay these criminals behind the Moba virus. There are no guarantees that all your files will get restored, even though you pay or use decrypters, file recovery tools. This is why it is extremely crucial to back your files more frequently.

You will not be able to open .moba files after scanning the computer with anti-malware

The general misconception about ransomware is that users believe that a scan with anti-malware software will recover .moba files. However, as soon as they perform the procedure, they still see that all files are missing regular icons and that the file extension is still present. The truth is, once a malicious file is launched, it begins the encryption process almost immediately, and the only way to interrupt the process is to shut the machine down. Unfortunately, the locking procedure usually lasts a very short time, and most users would not notice that something is wrong right away.

Thus, if you are asking how to open .moba files, the answer is rather disappointing – you most likely can not. Paying cybercriminals is not advised, however, as they might never send you the required decryption tool.

.moba file decryption optionsYou will not be able to open .moba files, although there are some methods that might help you

Luckily, Moba ransomware belongs to a well-known malware family, so many security researchers are working on it. Besides, there are third-party tools that could sometimes help you open .moba files. Here are some rules that must be met for the recovery to be successful:

  • Emsisoft security researchers have created a decryption tool that can help some Djvu ransomware victims. However, it only works for those cases when malware used an offline ID to lock files. Besides, somebody already should have paid the ransom and provided and an offline key to Emsisoft researchers.
  • Third-party recovery tools might sometimes be successful in recovering at least some files. The chances increase if the computer is used as less as possible after the encryption took place.
  • Built-in recovery options, such as System Restore or Previous Versions, would only work if the virus failed to eliminate Shadow Volume Copies, although this happens very rarely.

Note that you should first backup all the .moba files (encrypted data does not hold any malicious code, so it is safe to use) and only then perform a full system scan with anti-malware software. Finally, attempt to recover files with the help of detailed instructions we provide below.

The virus payload triggers the encryption process

The threat like this that runs in the background can end up on the system pretty quickly and uses stealthy methods to infect the computer silently. The most common method is to spread the payload file in torrents, file downloads, free apps, software cracks, pirated content, game cheats, licensed versions of OS.

Pirated content became a rising trend for this family of ransomware, so the payload gets loaded in the packages of online games, updates, fake software installers that people most likely get from torrent services, pirating platforms. You need to pay attention to senders, files included alongside the ones that you need when you still decide to use this method of getting programs and games.

If you want to entirely avoid such infections, you should fully rely on official sources only and always pay attention to red flags on emails, files that get attached to those notifications, and create questions. Be more cautious online.

The process of Moba ransomware termination requires proper tools

Moba ransomware virus is the threat that significantly affects your machine, performance, speed, and crucial processes that are needed for file recovery and virus termination. When ransomware manages to add or remove files from system folders, you cannot use some features for file restoring purposes or security options for virus elimination.

Fortunately, you can remove Moba ransomware using automatic methods and proper anti-malware tools, security applications like SpyHunter 5Combo Cleaner, or Malwarebytes. This is the best option because programs designed to find malicious files and intruders can check various places on the machine.

Moba cryptovirusMoba ransomware is the file locking virus that marks all the affected files using .moba appendix.

Then you only need to follow proper steps and remove Moba ransomware how the program suggests for you. Double-checking is needed, so you can be sure that you are not risking to get the second round of encryption on the system. Also, a scan with FortectIntego is required for the repair of system functions that can be possibly needed for the file recovery.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Moba virus. Follow these steps

Manual removal using Safe Mode

Reboot the machine in Safe Mode with Networking to properly eliminate Moba ransomware virus

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Moba using System Restore

Try the System Restore feature for the elimination of this virus

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Moba. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Moba removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Moba from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Moba, you can use several methods to restore them:

Data Recovery Pro should help with encrypted files and restore them

You can try to restore Moba ransomware encoded material with Data Recovery Pro

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Moba ransomware;
  • Restore them.

Windows Previous Versions feature for file recovering

Files can get restored of you used System restore previously

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer – the method for file recovery after Moba ransomware encryption

When Moba ransomware virus is not affecting Shadow Volume Copies, you can use them for file recovery

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Moba ransomware decryption options – limited

This version is not decryptable, but you can try Djvu decrypter tool for some files encoded using offline IDs

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Moba and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions