Variants of the infamous DJVU (STOP) ransomware family continue to spread widely across the cyber-world. Another active STOP variant, Moresa Ransomware, has recently been reported by cyber-security analysts.
A Moresa Ransomware attack centres on file encryption with strong encryption algorithms. After scanning the system for targeted files, it encrypts them and appends the .moresa extension to their names, rendering the files unusable and inaccessible to the user.
If you find your files locked by the Moresa crypto virus, note that the encrypted data cannot be restored manually. A unique decryption key, stored on the attackers' server, is required to restore the data.
The decryption key is offered only after the ransom has been paid to the attackers. However, paying the ransom may not yield positive results: research has shown that the attackers often ignore victims once the ransom has been received.
Following successful encryption, a ransom note (a text file) is dropped on the victim's system. The note prompts the victim to pay the ransom in order to restore the data. Failing to pay within the prescribed time may lead to permanent deletion of the files by the attackers.
| Field | Details |
|---|---|
| Name | Moresa |
| Type | Ransomware |
| Category | Malware |
| Impacted Operating System | Windows |
| Distribution Methods | Spam e-mail campaigns, torrent websites, malicious ads |
| Ransom Amount | $980/$490 (in Bitcoins) |
Moresa Ransomware is a brand-new addition to the devious (STOP) DJVU ransomware family. The first Moresa attack was reported on 21 April 2019. Many antivirus databases list Moresa as STOP Moresa Ransomware.
The prime distribution technique used by the developers of DJVU Ransomware is spam e-mail campaigns.
Once the system has been infected, the ransomware searches every nook and corner of the system for targeted files. These may include:
Upon finding the targeted files, it encrypts them with strong encryption algorithms and cryptographic methods such as AES and RSA, making them unusable.
The encrypted files are given a unique ".moresa" extension. For example, a file named "image.jpg" would be renamed "image.jpg.moresa".
The sole motive of the cyber-criminals behind encrypting user and system files is to extort money from the victims. A ransom-demanding message in text format (_readme.txt) is dropped in every folder containing .moresa files.
The ransom-demanding message reads as follows:
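The two on-disk artefacts described above (files renamed with a trailing ".moresa" and a "_readme.txt" note in each affected folder) are what an incident responder looks for first. As an added example, not code from the original article, the following Python script walks a directory tree, inventories both artefacts folder by folder, recovers the original file names by stripping the suffix, and aggregates headline numbers for a first briefing. The sample directory tree, file names and contents are constructed for the demonstration and are not real ransomware output.

```python
"""Triage scan for the file-system artefacts of a ".moresa" infection.

Added example (not the original article's code). It looks for the two
artefacts the text describes: files renamed with a trailing ".moresa" and
a "_readme.txt" ransom note in the same folder. The sample tree built by
build_sample_tree() is constructed for illustration only.
"""
import os
import tempfile

ENCRYPTED_SUFFIX = ".moresa"      # extension appended to each encrypted file
RANSOM_NOTE_NAME = "_readme.txt"  # note dropped in every folder holding encrypted files


def original_name(encrypted_name):
    """Recover the pre-encryption file name, e.g. 'image.jpg.moresa' -> 'image.jpg'."""
    if not encrypted_name.endswith(ENCRYPTED_SUFFIX):
        raise ValueError("not a %s file: %s" % (ENCRYPTED_SUFFIX, encrypted_name))
    return encrypted_name[: -len(ENCRYPTED_SUFFIX)]


def scan_tree(root):
    """Return {relative_folder: info} for every folder showing infection artefacts.

    info lists the encrypted file names, the recovered original names and
    whether the ransom note sits alongside them. Folders with neither
    artefact are omitted so the report stays focused on what was hit.
    """
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sorted(f for f in filenames if f.endswith(ENCRYPTED_SUFFIX))
        note_present = RANSOM_NOTE_NAME in filenames
        if not encrypted and not note_present:
            continue
        rel = os.path.relpath(dirpath, root)
        report[rel] = {
            "encrypted_files": encrypted,
            "original_names": [original_name(f) for f in encrypted],
            "ransom_note_present": note_present,
        }
    return report


def summarize(report):
    """Aggregate the per-folder report into headline numbers for an IR briefing."""
    total = sum(len(info["encrypted_files"]) for info in report.values())
    with_note = sum(1 for info in report.values() if info["ransom_note_present"])
    extensions = sorted({os.path.splitext(n)[1].lower()
                         for info in report.values() for n in info["original_names"]})
    return {"folders_affected": len(report), "encrypted_files": total,
            "folders_with_note": with_note, "original_extensions": extensions}


def build_sample_tree(root):
    """Create a constructed sample tree that mimics the naming pattern described above."""
    layout = {
        "Documents": ["report.docx.moresa", "budget.xlsx.moresa", RANSOM_NOTE_NAME],
        "Pictures": ["image.jpg.moresa", RANSOM_NOTE_NAME],
        "Clean": ["notes.txt"],  # untouched folder: must not appear in the report
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("constructed sample content\n")


def demo():
    """Build the sample tree, scan it and return (report, summary)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = scan_tree(tmp)
    return report, summarize(report)


if __name__ == "__main__":
    report, summary = demo()
    for folder, info in sorted(report.items()):
        print(folder, info)
    print(summary)
```

On a real system the scan would be pointed at the affected volume rather than a temporary tree; the per-folder view matters because the note is dropped wherever encrypted files sit, so a folder with encrypted files and no note (or the reverse) is worth a second look.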
The note prompts the user to pay the ransom in order to purchase the decryption key and restore the data. Getting the encrypted data back is no easy task, as the hackers demand a hefty amount (in bitcoins).
The ransom note appears every time a user tries to access the encrypted files.
The ransom demanded by the Moresa developers is $980 (in bitcoins). The ransom note claims to offer a 50% discount ($490) if the victim contacts them within 72 hours of the encryption.
Fearing the loss of important and sensitive data, victims often contact the hackers and pay the ransom.
To "guarantee" decryption, the hackers ask victims to send one encrypted file via vengisto@india.com or vengisto@firemail.cc.
The file sent to the hackers is decrypted free of charge.
Note that this free decryption is merely a trick to lead users into thinking that the hackers possess working decryption tools. Analysis has shown that paying the ransom often does not yield positive results: the hackers frequently stop responding once the ransom has been received.
Users are therefore advised to resist any encouragement to contact the hackers and pay the ransom. Instead, users should back up their data regularly and be vigilant while using the internet.
The chief propagation method employed by the developers of Moresa Ransomware is spam e-mail campaigns. Hackers send spam e-mails with infected attachments to victims' PCs. The e-mails may seem legitimate, as they carry the names of legitimate services in their subject lines, for example PayPal, USPS or FedEx.
The spam e-mails may carry infected attachments such as invoices, documents containing fraudulent PayPal links, or links to Google Drive. A single click on these attachments or links may install Moresa Ransomware on the user's system.
The infection of Moresa Ransomware may also spread via
5 Click on the username and enter the password (if any).
Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.