ransomeware threat.files are encrypted with .moqs extension – Ransomware Help & Tech Support – BleepingComputer

You are dealing with a newer variant of STOP (Djvu) Ransomware as explained here by Amigo-A (Andrew Ivanov). Since switching to the new STOP Djvu variants (and the release of .gero) the malware developers have been consistent in using 4-letter extensions.

The .djvu* and newer variants will leave ransom notes named _openme.txt, _open_.txt or _readme.txt.

Please read the first page (Post #1) of the STOP Ransomware (.STOP, .Puma, .Djvu, .Promo, .Drume) Support Topic AND these FAQs for a summary of this infection, its variants, any updates and possible decryption solutions using the Emsisoft Decryptor.

In regards to new variants of STOP (Djvu) Ransomware... decryption of data requires an OFFLINE ID with corresponding private key. There no longer is an easy method to get a private key for many of these newer variants and no way to decrypt files if infected with an ONLINE KEY without paying the ransom (which is not recommended) and obtaining the private keys from the criminals who created the ransomware. Emsisoft can only get a private key for OFFLINE IDs AFTER a victim has PAID the ransom, receives a key and provides it to them.

If infected with an ONLINE KEY, decryption is impossible without the victim's specific private key. ONLINE KEYS are unique for each victim and randomly generated in a secure manner with unbreakable encryption. Emsisoft cannot help decrypt files encrypted with the ONLINE KEY due to the type of encryption used by the criminals and the fact that there is no way to gain access to the criminal's command server and retrieve this KEY. ONLINE IDs for new STOP (Djvu) variants are not supported by the Emsisoft Decryptor.

The Emsisoft Decryptor will also tell you if your files are decryptable, whether you're dealing with an "old" or "new" variant of STOP/Djvu, and whether your ID is ONLINE or OFFLINE.

Emsisoft has obtained and uploaded to their server OFFLINE IDs for many (but not all) of the new STOP (Djvu) variants as noted in Post #9297 and elsewhere in the support topic.

** If there is no OFFLINE ID for the variant you are dealing with, we cannot help you unless a private key is retrieved and provided to Emsisoft. When and if the private key for any new variant is obtained it will be pushed to the Emsisoft server and automatically added to the decryptor. Thereafter, any files encrypted by the OFFLINE KEY for that variant can be recovered using the Emsisoft Decryptor. For now, the only other alternative to paying the ransom is to backup/save your encrypted data as is and wait for possible future recovery of a private key for an OFFLINE ID.

There is no timetable for when or if a private key for an OFFLINE ID will be recovered and shared with Emsisoft and no announcement by Emsisoft when they are recovered due to victim confidentiality. That means victims should keep reading the support topic for updates or run the decryptor on a test sample of encrypted files every week or two to check if Emsisoft has been able to obtain and add the private key for the specific variant which encrypted your data.

** If an OFFLINE ID is available for the variant you are dealing with and your files were not decrypted by Emsisoft Decryptor, then you most likely were encrypted by an ONLINE KEY and those files are not recoverable (cannot be decrypted) unless you pay the ransom to the criminals and receive the private key. If infected with an ONLINE ID, the Emsisoft Decryptor will indicate this fact under the Results Tab and note the variant is impossible to decrypt.

You need to post any questions in the above support topic. If you have followed those instructions and need further assistance, then you still need to ask for help in that support topic.

Rather than have everyone with individual topics and to avoid unnecessary confusion, this topic is closed.

Thanks, The BC Staff
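One way to prepare the "backup/save your encrypted data as is" step from the staff reply above, as an added example that is not part of the BleepingComputer post or of Emsisoft's tooling: a Python triage script that inventories a folder by the .moqs extension and the ransom-note names the post lists, hashes every such file, and later confirms the saved copy is unchanged before the decryptor is re-run on it. It assumes the extension is appended to the original filename; the sample tree it builds is constructed for the demonstration.

```python
# Added example (not from the BleepingComputer post or Emsisoft): inventory a
# STOP/Djvu-hit folder before backing it up "as is", hashing every encrypted file
# and ransom note so the saved copy can be verified before the decryptor is re-run.
import hashlib
import os
import tempfile

ENCRYPTED_EXT = ".moqs"  # 4-letter extension from the thread title
RANSOM_NOTE_NAMES = {"_openme.txt", "_open_.txt", "_readme.txt"}  # named in the post

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root: str, ext: str = ENCRYPTED_EXT) -> dict:
    # Walk root and classify each file as encrypted, ransom note, or other.
    encrypted, notes, other = [], [], 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower().endswith(ext):  # assumes ext is appended to the name
                encrypted.append({"path": rel, "sha256": sha256_of(path)})
            elif name.lower() in RANSOM_NOTE_NAMES:
                notes.append({"path": rel, "sha256": sha256_of(path)})
            else:
                other += 1
    return {"root": root, "encrypted": encrypted, "notes": notes, "other": other}

def verify_manifest(manifest: dict) -> list:
    """Relative paths from the manifest that are now missing or no longer match."""
    changed = []
    for entry in manifest["encrypted"] + manifest["notes"]:
        path = os.path.join(manifest["root"], entry["path"])
        if not os.path.isfile(path) or sha256_of(path) != entry["sha256"]:
            changed.append(entry["path"])
    return changed

def build_sample_tree() -> str:
    """Constructed sample data: a temp dir mimicking an infected folder."""
    root = tempfile.mkdtemp(prefix="stop_djvu_sample_")
    os.makedirs(os.path.join(root, "docs"))
    files = {"photo.jpg.moqs": b"\x00" * 64, "docs/report.docx.moqs": b"\x01" * 64,
             "_readme.txt": b"ATTENTION!", "docs/_readme.txt": b"ATTENTION!",
             "notes.txt": b"untouched"}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root
```

Run `triage()` on the real folder once, keep the returned manifest with the backup, and call `verify_manifest()` on the copy before each weekly decryptor test.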
