Masok file extension ransomware virus (Restore, Decrypt .masok files)

What is a Masok file? A file with the .masok extension is a file that has been locked by Masok ransomware which similar to other ransomware (like Brusaf or Londec). These security threats are also known as crypto malware that use very strong hybrid encryption with a large key in order to encrypt users’ files. It is not possible to open the files by simply changing the file extension. The photos, documents and music will be unlocked only if users pay for the private key that will unlock these files.

Masok virus is a new ransomware. What is ransomware? Ransomware is a type of malware that blocks access to files, by encrypting them, until the user pays a ransom payment to the fraudsters. In many cases, the ransom demand comes with a deadline. If the victim does not make a payment within this time frame, the amount will be higher or the affected files are gone forever. Masok ransomware known to encrypt almost all file types, including files with extensions:

wallet, .txt, .erf, .ltx, .rb, .xld, .xx, .zdc, .sb, .cfr, .wmf, .re4, .hvpl, .upk, .ai, .menu, .wb2, .yml, .kdc, .orf, .xlsm, .ff, .pak, .xy3, .epk, .fsh, .webp, .iwd, .svg, .itl, .pptx, .z, .zw, .kf, .wbc, .wp6, .rofl, .dba, .jpg, .png, .itdb, .rtf, .mcmeta, .csv, .xdl, .wmv, .desc, .vdf, .dxg, .dbf, .bay, .webdoc, .t12, .pef, .zip, .wbd, .bsa, .wp7, .wbmp, .wps, .arch00, .apk, .accdb, .snx, .gho, .wbm, .odp, .odm, .dcr, .qic, .wpa, .xlk, .wma, .raf, .cdr, .wdb, .p12, .ptx, .odb, .0, .xyp, .slm, .mdb, .ncf, .bc6, .ods, .xdb, .docx, .d3dbsp, .ws, .indd, .bik, .wsh, .dazip, .ppt, .gdb, .xbdoc, .py, .wsd, .3ds, .lrf, .wp, .wav, .pptm, .docm, .mdbackup, .js, .crw, .zif, .wpg, .dng, .dmp, .odc, .x, .xls, .xf, .xlsb, .w3x, .zip, .p7b, .xbplate, .p7c, .wmd, .wm, .wgz, .qdf, .psk, .srw, .vfs0, .wma, .wpb, .ztmp, .rwl, .xar, .m2, .pem, .r3d, .wcf, .sidn, .hkx, .icxs, .arw, .raw, .css, .ntl, .crt, .yal, .wpd, .iwi, .sie, .wps, .m3u, .y, .mddata, .wpw, .wmo, .sr2, .jpe, .xxx, .sid, .wmv, .z3d, .3dm, .mlx, .vcf, .mpqge, .bkf, .ibank, .xlsx, .7z, .map, .wn, .wri, .xpm, .mef, .t13, .litemod, .doc, .sav, .2bp, .sidd, .asset, .wsc, .cer, .das, .wpt, .tax, .x3d, .zi, .hkdb, .xlgc, .rim, .kdb, .cas, .lvl, .xml, .wp5, .pdf, .wpe, .bc7, .sql, .big, .mov, .wotreplay, .hplg, .syncdb, .bkp, .fos, .cr2, .forge, .dwg, .zdb, .wbk, .xmind, .itm, .xyw, .psd, .xwp, .rw2, .db0, .wot, .pst, .bar, .avi, .xll, .ysp, .mp4, .jpeg, .ybk, .x3f, .srf, .xls, .pkpass, .wpd, .zabw, .sis, .vtf, .1, .lbf, .3fr, .rgss3a, .flv, .nrw, .tor, .m4a, .1st, .sum, .fpk, .eps, .vpp_pc

Upon encryption, all locked personal files will then be appended with the .masok extension (e.g., ‘photo.jpg is renamed to ‘photo.jpg.masok’). Ransomware leaves a ransom instructions called ‘_readme.txt’ with instructions for extortion and ransom payment, threatening destruction of files if payment is not made. The ransom instructions directs victims to make payment online in Bitcoins.

ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-p1HwbAuGCw
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
gorentos@bitmessage.ch
Reserve e-mail address to contact us:
gorentos2@firemail.cc
Your personal ID:

 

Threat Summary

Name	Masok
Type	File locker, Filecoder, Crypto virus, Ransomware, Crypto malware
Encrypted files extension	.masok
Ransom note	_readme.txt
Contact	gorentos@bitmessage.ch, gorentos2@firemail.cc
Ransom amount	$490,$980 in Bitcoins
Symptoms	Documents, photos and music won’t open. Files are encrypted with a .masok file extension. Files called such as ‘_readme.txt’, ‘READ-ME’, or ‘_readme” in every folder with an encrypted file.
Distribution methods	Phishing Emails that is carefully developed to trick a victim into opening an attachment or clicking on a link that contains a malicious file. Drive-by downloading (when a user unknowingly visits an infected webpage and then malware is installed without the user’s knowledge). Social media, like web-based instant messaging applications. Remote desktop protocol (RDP) hacking.
Removal	To remove Masok ransomware use the removal guide
Decryption	To decrypt Masok ransomware use the steps

 

This blog post is developed for those who are looking for a solution to fully remove Masok ransomware virus from the computer, and for those who want to learn as much as possible about how recover documents, photos and music. We hope you will find answers to all your questions in this blog post.

Quick links

1. How to remove Masok ransomware virus
2. How to decrypt .masok files
3. Masok decryption tool
4. How to restore .masok files
5. How to protect your machine from Masok crypto malware?

How to remove Masok ransomware virus

Cyber security experts have built efficient malware removal tools to aid users in uninstalling Ransomware, trojans and worms. Below we will share with you the best malicious software removal utilities with the ability to find and uninstall Masok ransomware virus and other malicious software.

How to uninstall Masok ransomware virus with Zemana Anti-Malware (ZAM)

Zemana AntiMalware (ZAM) is a malware removal tool. Currently, there are two versions of the utility, one of them is free and second is paid (premium). The principle difference between the free and paid version of the utility is real-time protection module. If you just need to check your machine for malicious software and delete Masok crypto malware and other security threats, then the free version will be enough for you.

1. Installing the Zemana AntiMalware is simple. First you’ll need to download Zemana Free from the following link.
   
   

   Zemana AntiMalware
   164029 downloads
   Author: Zemana Ltd
   Category: Security tools
   Update: July 16, 2019
   
2. Once you have downloaded the installation file, make sure to double click on the Zemana.AntiMalware.Setup. This would start the Zemana Free setup on your personal computer.
3. Select installation language and click ‘OK’ button.
4. On the next screen ‘Setup Wizard’ simply click the ‘Next’ button and follow the prompts.
   
5. Finally, once the setup is done, Zemana Free will run automatically. Else, if does not then double-click on the Zemana icon on your desktop.
6. Now that you have successfully install Zemana Anti-Malware, let’s see How to use Zemana Anti Malware (ZAM) to remove Masok ransomware from your computer.
7. After you have started the Zemana, you will see a window as displayed in the figure below, just press ‘Scan’ button to begin checking your machine for the ransomware.
   
8. Now pay attention to the screen while Zemana AntiMalware scans your computer.
   
9. After finished, it will show the Scan Results. When you are ready, click ‘Next’ button.
   
10. Zemana may require a restart machine in order to complete the Masok removal procedure.
11. If you want to completely delete ransomware from your machine, then click ‘Quarantine’ icon, select all malware, adware software, potentially unwanted software and other threats and click Delete.
12. Reboot your PC to complete the ransomware removal process.

Use MalwareBytes Free to delete Masok virus

Manual Masok removal requires some computer skills. Some files and registry entries that created by the crypto malware can be not fully removed. We recommend that use the MalwareBytes that are completely clean your PC system of ransomware. Moreover, this free application will allow you to remove malware, potentially unwanted apps, adware and toolbars that your PC system can be infected too.

Visit the page linked below to download MalwareBytes Anti Malware (MBAM). Save it directly to your MS Windows Desktop.

When downloading is done, close all windows on your computer. Further, start the file named mb3-setup. If the “User Account Control” prompt pops up as displayed below, click the “Yes” button.

It will open the “Setup wizard” which will help you install MalwareBytes AntiMalware (MBAM) on the personal computer. Follow the prompts and do not make any changes to default settings.

Once install is complete successfully, click Finish button. Then MalwareBytes Free will automatically run and you can see its main window like the one below.

Next, press the “Scan Now” button . MalwareBytes Anti Malware (MBAM) application will scan through the whole personal computer for the Masok crypto malware, other malicious software, worms and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your machine. During the scan MalwareBytes Free will detect threats exist on your machine.

Once the scan is finished, a list of all items found is produced. When you’re ready, click “Quarantine Selected” button.

The MalwareBytes Free will remove Masok crypto malware related folders,files and registry keys and move threats to the program’s quarantine. Once the process is finished, you may be prompted to reboot your system. We advise you look at the following video, which completely explains the process of using the MalwareBytes to delete hijackers, adware and other malware.

Scan your computer and uninstall Masok with KVRT

KVRT is a free removal tool that can check your system for a wide range of security threats such as the Masok crypto virus, adware, potentially unwanted programs as well as other malware. It will perform a deep scan of your personal computer including hard drives and Windows registry. Once a malicious software is found, it will help you to uninstall all detected threats from your PC system with a simple click.

Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it to your Desktop so that you can access the file easily.

When downloading is done, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you will see the Kaspersky virus removal tool screen as displayed below.

Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button . KVRT tool will start scanning the whole machine to find out Masok ransomware and other known infections. This procedure may take quite a while, so please be patient. When a threat is found, the number of the security threats will change accordingly.

After Kaspersky virus removal tool has finished scanning your PC, you can check all threats detected on your machine as shown in the figure below.

In order to delete all items, simply click on Continue to start a cleaning procedure.

How to decrypt .masok files

To date, there is no other way to unlock the affected documents, photos and music, but only to pay the ransom payment to scammers. Developers of free Masok decryption utilities which can decrypt these files are working on creating them, but the result is not yet, and it is not known when it will be.

Never pay the ransom! Nevertheless, everyone has to remember that paying the cyber criminals who are threatening you is a terrible idea. You can pay this money, but there is no guarantee that your files will be yours again. That is the reason why you should consider other options (that do not involve paying the fraudsters) in order to recover access to blocked photos, documents and music. There still are some methods to defuse ransomware virus without paying ransom, so you would not need to pay attackers and you would not let them reach their goal.

Of course, it can not be considered that the only correct method out of the situation when your personal computer is infected with Masok ransomware, will be the payment of ransom, as this only leads to the prosperity of illegal actions of fraudsters. The smart thing to do is to try to recover the encrypted files from the backup or wait for the release of the Masok decryption utility to unlock them. You can also try to unlock documents, photos and music using free applications listed below.

Masok decryption tool

With some variants of Masok ransomware virus, it is possible to decrypt encrypted files using free tools listed below.

Michael Gillespie (@) released the Masok decryption tool named STOPDecrypter. It can decrypt .Masok files if they were locked by one of the known OFFLINE KEY’s retrieved by Michael Gillespie. Please check the twitter post for more info.

STOPDecrypter is a program that can be used for Masok files decryption. One of the biggest advantages of using STOPDecrypter is that is free and easy to use. Also, it constantly keeps updating its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .Masok files using this free tool.

1. Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
   download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
2. After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
3. Further, select ‘Extract all’ and follow the prompts.
4. Once the extraction process is finished, run STOPDecrypter. Select Directory and press Decrypt button.

If STOPDecrypter does not help you to decrypt .Masok files, in some cases, you have a chance to restore your files, which were encrypted by ransomware. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.

How to restore .masok files

In some cases, you can restore files encrypted by Masok crypto virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted files.

Use shadow copies to recover .masok files

An alternative is to recover .masok photos, documents and music from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing personal files that were locked by Masok ransomware. The tutorial below will give you all the details.

Visit the following page to download ShadowExplorer. Save it on your Desktop.

Once the download is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed in the figure below.

Double click ShadowExplorerPortable to launch it. You will see the a window as displayed on the screen below.

In top left corner, choose a Drive where encrypted documents, photos and music are stored and a latest restore point as on the image below (1 – drive, 2 – restore point).

On right panel look for a file that you wish to restore, right click to it and select Export like the one below.

Recover .masok files with PhotoRec

Before a file is encrypted, the Masok ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recover apps such as PhotoRec.

Download PhotoRec by clicking on the link below.

After the downloading process is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the image below.

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll open a screen similar to the one below.

Choose a drive to recover as displayed in the figure below.

You will see a list of available partitions. Select a partition that holds encrypted files as shown in the following example.

Click File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is complete, click OK button.

Next, press Browse button to select where recovered personal files should be written, then click Search.

Count of restored files is updated in real time. All recovered personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.

When the restore is finished, press on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as displayed on the screen below.

All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your restored files by extension and/or date/time.

How to protect your machine from Masok crypto malware?

Most antivirus applications already have built-in protection system against the crypto malware. Therefore, if your machine does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.

Use HitmanPro.Alert to protect your PC system from Masok crypto virus

HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.

HitmanPro.Alert can be downloaded from the following link. Save it to your Desktop.

After downloading is finished, open the file location. You will see an icon like below.

Double click the HitmanPro Alert desktop icon. After the utility is launched, you will be displayed a window where you can select a level of protection, as on the image below.

Now press the Install button to activate the protection.

To sum up

Once you’ve complete the step-by-step instructions above, your PC system should be clean from Masok crypto virus and other malicious software. Your computer will no longer encrypt your photos, documents and music. Unfortunately, if the instructions does not help you, then you have caught a new variant of ransomware, and then the best way – ask for help here.