A new variant of ransomware virus has been discovered by cyber security specialists. It appends the .moka file extension to encrypted files. This ransomware targets computers running MS Windows and is spread through spam emails, malicious software or manual installation of the ransomware. This article will provide you with all the things you need to know about this ransomware virus, how to remove the Moka virus from your computer and how to restore (decrypt) encrypted documents, photos and music for free.
The Moka ransomware virus is designed to encrypt files on the computer. Similar to other ransomware, it is able to block files such as movies, web application-related files, documents, archives, drawings, photos, databases and other files. The victim will not be able to use them, even when trying to open them with various software. Moka encrypts almost all types of files, including common ones such as:
.wsc, .x3f, .xf, .hkx, .pdf, .slm, .accdb, .fos, .sr2, .pdd, .vfs0, .wn, .big, .svg, .docx, .wbm, .bc6, .dazip, .das, .arch00, .menu, .raw, .db0, .mpqge, .mp4, .srf, .cfr, .jpe, .mov, .mdbackup, .py, .vpp_pc, .xyw, .m3u, .re4, .bar, .wma, .lbf, .tor, .ptx, .psd, .jpg, .blob, .wmv, .ods, .hkdb, .dmp, .csv, .sidd, .wmd, .0, .rb, .pef, .sav, .zdc, .m2, .zip, .rofl, .zip, .wotreplay, .sql, .ntl, .r3d, .hplg, .odc, .t12, .z, .ztmp, .yal, .wp7, .xmmap, .mdb, .3ds, .1st, .mcmeta, .dbf, wallet, .litemod, .odp, .mddata, .flv, .desc, .forge, .xlsm, .snx, .zdb, .asset, .zabw, .y, .avi, .wire, .xmind, .d3dbsp, .wcf, .pem, .wpb, .sie, .wav, .vpk, .ibank, .doc, .esm, .zif, .wm, .wpa, .tax, .gho, .xld, .wpl, .apk, .syncdb, .p7c, .xdl, .wpt, .indd, .bsa, .wpe, .rw2, .pfx, .2bp, .odt, .dxg, .mlx, .cdr, .css, .wbk, .odm, .hvpl, .yml, .raf, .x3d, .vtf, .sis, .bkf, .upk, .bc7, .wp5, .m4a, .js, .xls, .wsh, .xx, .mef, .xwp, .orf, .x3f, .kf, .wdp, .1, .xy3, .odb, .xlsm, .xml, .fsh, .x, .sidn, .docm, .crt, .dng, .3fr, .gdb, .cas, .webp, .wpw, .xls, .xlk, .xyp, .p7b, .psk, .wp, .pst, .rtf, .wp4, .xpm, .webdoc, .xlsx, .pptx, .dwg, .wdb, .xdb, .wp6, .png, .pptm, .xbplate, .wpd, .wma, .wmv, .lvl, .wmo, .sb, .txt, .p12, .dcr, .vcf, .ff, .der, .7z, .layout, .wb2, .itdb, .wgz, .xlsb, .kdb, .ysp, .wpg, .xar, .xxx, .crw, .wmf, .itl, .iwd, .ybk, .3dm, .xll
Once the encryption is finished, all encrypted files will have the new .moka extension appended to them. The Moka crypto virus drops a file named ‘_readme.txt’. This file contains ransom instructions written in English. The ransom note directs victims to make a payment in exchange for the private key needed to decrypt documents, photos and music.
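The two indicators described above (the .moka extension and the ‘_readme.txt’ note) are enough to scope the damage before any cleanup. The following read-only inventory is an added example, not part of the original article; the function names and the sample tree are constructed, and it assumes that the modification time of a .moka file approximates the moment it was encrypted.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".moka"    # extension appended to encrypted files (from the article)
RANSOM_NOTE = "_readme.txt"   # ransom note file name (from the article)

def inventory(root):
    """Read-only walk of root: encrypted files, note folders, encryption time window."""
    encrypted, note_dirs, mtimes = [], [], []
    original_exts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif lower.endswith(ENCRYPTED_SUFFIX) and lower != ENCRYPTED_SUFFIX:
                path = os.path.join(dirpath, name)
                original = name[: -len(ENCRYPTED_SUFFIX)]   # file name before encryption
                ext = os.path.splitext(original)[1].lower() or "(none)"
                original_exts[ext] += 1
                encrypted.append(path)
                mtimes.append(os.path.getmtime(path))
    return {
        "encrypted": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "original_exts": dict(original_exts),
        # Assumption: mtime of a .moka file approximates when it was encrypted.
        "first_encrypted": min(mtimes) if mtimes else None,
        "last_encrypted": max(mtimes) if mtimes else None,
    }

def build_sample_tree(base, t0=1571097600):
    """Constructed sample data: three encrypted files, one note, one clean file."""
    layout = {"docs/report.docx.moka": t0, "docs/_readme.txt": t0 + 200,
              "pics/a.jpg.moka": t0 + 60, "pics/b.JPG.moka": t0 + 120,
              "pics/clean.png": t0 - 86400}
    for rel, mtime in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (mtime, mtime))
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = inventory(build_sample_tree(tmp))
        print(len(report["encrypted"]), "encrypted;", report["original_exts"])
```

When restoring from Shadow Copies or backups, choose a restore point older than `first_encrypted`.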
Threat Summary
Name | Moka ransomware virus |
Type | File virus, File locker, Ransomware, Crypto virus, Crypto malware |
Encrypted files extension | .moka |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch |
Ransom amount | $980 in Bitcoins |
Detection Names | Win32:CrypterX-gen [Trj], A Variant Of Win32/Kryptik.GWFK, Trojan-Ransom.Win32.Stop.di, Trojan:Win32/Dynamer!rfn |
Symptoms | Your files fail to open. Odd, new or missing file extensions. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. You have received instructions for paying the ransom. |
Distribution methods | Malicious email attachments. Malicious downloads that happen without a user’s knowledge when they visit a compromised web-page. Social media posts (they can be used to entice users to download malicious software with a built-in ransomware downloader or click a malicious link). Flash Drives containing malicious software. |
Removal | To remove Moka ransomware use the removal guide |
Decryption | To decrypt Moka ransomware use the steps |
After reading this post, you will know how to deal with the Moka ransomware. It is important for you to remember that we also cannot guarantee you an absolute solution to all your Moka virus problems. We can offer you a way that might help. Nevertheless, this way is worth your attention because there is still a possibility that it will help you remove Moka ransomware virus and unlock files that have been locked by crypto malware.
Quick links
- How to remove Moka ransomware virus
- How to decrypt .moka files
- How to restore .moka files
- How to protect your personal computer from Moka crypto virus?
- To sum up
How to remove Moka ransomware virus
Ransomware, spyware, trojans and worms can be difficult to delete manually. Do not try to delete these applications without the help of malware removal utilities. In order to fully delete the Moka crypto virus from your machine, use professionally developed tools, such as Zemana AntiMalware, MalwareBytes Anti-Malware (MBAM) and Kaspersky virus removal tool.
Use Zemana Free to remove Moka virus
Zemana Anti-Malware (ZAM) is one of the best in its class. It can scan for and remove many different security threats, including crypto malware, adware, worms, spyware, trojans and malicious software that masquerades as legitimate computer applications. Zemana AntiMalware (ZAM) also includes another tool called FRST, a helpful program for manual removal of files and parts of the Windows registry created by the crypto virus.
Now you can install and run Zemana AntiMalware (ZAM) to uninstall Moka ransomware from your web browser by following the steps below:
Visit the page linked below to download Zemana Anti Malware installer named Zemana.AntiMalware.Setup on your machine. Save it to your Desktop.
Start the installer after it has been downloaded successfully and then follow the prompts to install this utility on your computer.
During setup you can change some settings, but we advise you not to change the default settings.
When installation is complete, this malware removal utility will automatically start and update itself. You will see its main window as displayed on the screen below.
Now click the “Scan” button. The Zemana utility will begin scanning the whole computer to find the Moka ransomware virus, other malicious software, worms and trojans. This procedure may take quite a while, so please be patient. While the Zemana Anti Malware application is scanning, you may see the number of objects it has identified as threats.
When Zemana has completed scanning, you will be shown the list of all detected items on your computer. In order to remove all threats, simply click the “Next” button.
Zemana AntiMalware (ZAM) will uninstall the Moka crypto virus and other security threats and add the items to the Quarantine. When that process is complete, you may be prompted to restart your personal computer for the change to take effect.
Automatically remove Moka with MalwareBytes Free
If you’re having problems with the Moka virus removal, then download MalwareBytes AntiMalware. It’s free for home use, and detects and deletes various unwanted applications that attack your PC system or degrade personal computer performance. MalwareBytes Anti Malware (MBAM) can delete adware software, potentially unwanted apps as well as malware, including ransomware and trojans.
Installing MalwareBytes is simple. First you will need to download MalwareBytes Free on your PC from the following link.
After the download is complete, run it and follow the prompts. Once installed, MalwareBytes Free will try to update itself. When this task is done, click the “Scan Now” button to detect folders, files and registry keys related to the Moka crypto virus. This task can take some time, so please be patient. While the MalwareBytes Free utility is checking, you can see the count of objects it has identified as being infected by malicious software. Review the report and then click the “Quarantine Selected” button.
MalwareBytes Anti-Malware (MBAM) is a free program that you can use to delete all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal utility, we suggest you read and follow the few simple steps or the video guide below.
Delete Moka from personal computer with KVRT
If MalwareBytes anti malware or Zemana anti malware cannot uninstall this crypto virus, then we recommend running KVRT. KVRT is a free removal tool for ransomware viruses, adware, potentially unwanted applications and toolbars.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop by clicking on the link below.
After the download is complete, double-click the KVRT icon. Once the initialization process is finished, you will see the Kaspersky virus removal tool screen as on the image below.
Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to scan your computer for the Moka ransomware. A system scan can take anywhere from 5 to 30 minutes, depending on your machine.
When KVRT has finished scanning your personal computer, it will display a scan report like the one below.
Make sure to check the items that are unsafe and then press Continue to begin the cleaning process.
How to decrypt .moka files
To date, there is no way to decrypt the locked personal files other than paying the ransom to the scammers. Developers are working on free Moka decryption tools that can unlock these files, but there is no result yet, and it is not known when there will be one.
Never pay the ransom! Everyone has to remember that paying the attackers who are threatening you is a terrible idea. You can pay this ransom, but there is no guarantee that your data will be yours again. That is the reason why you should consider other options (that do not involve paying the creators of the Moka ransomware) in order to recover access to blocked photos, documents and music. There are still some ways to defuse the crypto virus without paying the ransom, so you would not need to pay the attackers and you would not let them reach their goal.
The Moka ransomware virus is not the only one of its kind. For some of them, IT security experts have already created ways to unlock encrypted photos, documents and music. This gives hope that a Moka decryption tool can be made for this ransomware as well.
How to restore .moka files
In some cases, you can restore files encrypted by the Moka crypto virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.
Use ShadowExplorer to restore .moka files
A free utility called ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7, Vista). You can recover photos, documents and music encrypted by the Moka ransomware virus from Shadow Copies for free.
Click the following link to download the latest version of ShadowExplorer for Microsoft Windows. Save it on your Microsoft Windows desktop.
After the download is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as displayed in the figure below.
Double-click ShadowExplorerPortable to run it. You will see a window as displayed on the screen below.
In the top left corner, choose the drive where the encrypted personal files are stored and the latest restore point, as on the image below (1 – drive, 2 – restore point).
In the right panel, look for a file that you want to recover, right-click it and select Export, like below.
Use PhotoRec to recover .moka files
Before a file is encrypted, the Moka crypto virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file recovery programs such as PhotoRec.
Download PhotoRec on your Windows Desktop from the link below.
Once the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will display a screen as shown below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as shown below.
Click the File Formats button and specify the file types to restore. You can enable or disable the restore of certain file types. When this is finished, click the OK button.
Next, click Browse button to select where recovered files should be written, then press Search.
The count of recovered files is updated in real time. All recovered documents, photos and music are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.
When the restore is complete, press the Quit button. Next, open the directory where the recovered files are stored. You will see contents similar to the one below.
All restored photos, documents and music are written to recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can sort your restored files by extension and/or date/time.
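Sorting a large PhotoRec output by hand is slow, so the step above can be scripted. This is an added example, not part of the original article or of PhotoRec: it builds a dry-run plan that groups files from the recup_dir.N folders by extension and month, then copies them; the function names, the destination layout and the sample file are constructed for illustration.

```python
import os
import re
import shutil
import time

RECUP_DIR = re.compile(r"^recup_dir\.\d+$")   # PhotoRec output folders named in the article

def plan_sort(output_root, dest_root, min_size=1):
    """Dry run: map each recovered file to dest_root/<ext>/<YYYY-MM>/<folder>_<name>."""
    plan = []
    for entry in sorted(os.listdir(output_root)):
        folder = os.path.join(output_root, entry)
        if not (RECUP_DIR.match(entry) and os.path.isdir(folder)):
            continue                              # ignore anything that is not a recup_dir.N
        for name in sorted(os.listdir(folder)):
            src = os.path.join(folder, name)
            if not os.path.isfile(src):
                continue
            info = os.stat(src)
            if info.st_size < min_size:
                continue                          # skip empty or tiny fragments
            ext = os.path.splitext(name)[1].lower().lstrip(".") or "no_extension"
            # Month of the modification time stored on the recovered file (UTC).
            month = time.strftime("%Y-%m", time.gmtime(info.st_mtime))
            # Prefix with the recup_dir name so equal file names cannot collide.
            plan.append((src, os.path.join(dest_root, ext, month, f"{entry}_{name}")))
    return plan

def apply_plan(plan):
    """Copy (never move) so the PhotoRec output stays untouched; returns files copied."""
    for src, dst in plan:
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
    return len(plan)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:    # constructed sample output folder
        os.makedirs(os.path.join(tmp, "recup_dir.1"))
        sample = os.path.join(tmp, "recup_dir.1", "f0001234.jpg")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample bytes")
        for src, dst in plan_sort(tmp, os.path.join(tmp, "sorted")):
            print(src, "->", dst)
```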
How to protect your personal computer from Moka crypto virus?
Most antivirus apps already have a built-in protection system against ransomware. Therefore, if your machine does not have an antivirus program, make sure you install one. As extra protection, run HitmanPro.Alert.
Run HitmanPro.Alert to protect your PC system from Moka ransomware virus
HitmanPro.Alert is a small security utility. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
First, please go to the following link, then click the ‘Download’ button in order to download the latest version of HitmanPro Alert.
After the download is finished, open the file location. You will see an icon like the one below.
Double-click the HitmanPro.Alert desktop icon. Once the tool is started, you’ll be shown a window where you can choose a level of protection, like below.
Now click the Install button to activate the protection.
To sum up
Now your computer should be clean of the Moka ransomware. Delete MalwareBytes Anti-Malware and KVRT. We suggest that you keep Zemana Free (to periodically scan your machine for new malicious software). Make sure that you have all the Critical Updates recommended for the Microsoft Windows operating system. Without regular updates you WILL NOT be protected when new ransomware viruses, harmful software and adware are released.
If you are still having problems while trying to uninstall Moka ransomware virus from your personal computer, then ask for help here.
Thank you so much MYANTISPYWARE TEAM,
I appreciate your help and well explanation, the second tool helped me to restore most of my encrypted files but some photos are decrypted with a very low quality. Sometimes a photo with 2M is restored with 46KB quality.
I am wondering if there is a way to recover the full images!!
Thanks in advance for your help.