Moka Ransomware

When the “.moka” extension is found attached to your files, there is no doubt that Moka Ransomware has invaded your system and encrypted your personal files. The added extension is not the only indicator of the infection. If you try to open the corrupted files, you will see that they are not readable, and that is not an error. The attackers behind the infection have made your files unreadable so that they could demand money from you. Unfortunately, at the time of research, the infection was not “decryptable,” by which we mean that legitimate decryptors that could help did not exist, and it was not possible to decrypt files manually. Of course, these are the perfect conditions for cybercriminals to trick gullible or desperate victims into paying a ransom in return for an alleged decryptor. Hopefully, you have not wasted your money yet, and if you are curious about this, please continue reading. By the time you are done reading, you will know how to remove Moka Ransomware.

The origin story of Moka Ransomware is pretty boring, and one we’ve seen many times before. This infection was created using the STOP Ransomware code, and so it is identical to Nesa Ransomware, Meds Ransomware, Zatrov Ransomware, Vesrato Ransomware, Cetori Ransomware, and HUNDREDS of other infections. Most of them appear to belong to the same group of cybercriminals because most use the same contact information. Naturally, they are distributed using the same methods too, and you are most likely to face Moka Ransomware by interacting with spam emails and malicious downloaders. Security flaws within remote access systems could be exploited too. After execution, this malware encrypts files immediately, and a ransom note is created too. You should find it in the Local Drive, and it should be named “_readme.txt.” It is safe to open this file. At first, the message informs that files were encrypted and introduces an alleged “decrypt tool” that should be capable of restoring your personal files.

Once you are convinced that there is light at the end of the tunnel, the Moka Ransomware ransom note informs that a ransom of $490 must be paid within 72 hours if the victim wants to obtain the decryptor. To obtain this tool, you are also asked to email gerentoshelp@firemail.cc or gorentos@bitmessage.ch. If you did that, you would be provided with instructions on how to pay the huge ransom. So, are your files worth taking a risk for? Quite possibly, they are, but that does not mean that you should jump into action and fulfill every demand that cybercriminals introduce you to. Note that your chances of retrieving a decryptor are very slim no matter what you do, and our research team does NOT advise paying the ransom. Contacting the attackers is dangerous too because you do not know what they could send you now or sometime in the future. Understand that the attackers behind Moka Ransomware can make any promise just to get you to act a certain way. They do not care about your virtual security, and they are likely to stop all communication with you the moment the ransom payment is received.

According to our research team, Moka Ransomware is installed to a folder with a random name that you can find in the %LOCALAPPDATA% directory. These are the files you need to identify and delete. Of course, you also need to delete the launcher file, which could be anywhere and whose name could be completely random. Are you up for a challenge? If you do not think you can delete Moka Ransomware, it is best if you install legitimate anti-malware software. It will automatically remove all malicious components, and you will not need to do anything yourself. The best part is that your system’s security will be reinstated by this software, and that is another good reason to install it. Unfortunately, regardless of how you remove this malware, your personal files will not be restored. Hopefully, you have backups that can act as replacements for the encrypted personal files.

Moka Ransomware Removal

1. Delete the [random name] file that launched the malicious threat.
2. Launch Explorer by tapping Win+E keys.
3. Type %LOCALAPPDATA% into the quick access field at the top and tap Enter.
4. Identify and Delete the [random name] folder that contains ransomware files.
5. Move to the Local Drive (usually, it is C:\).
6. Delete the folder named SystemID that contains the file named PersonalID.txt.
7. Delete the ransom note file named _readme.txt.
8. Close all windows and then Empty Recycle Bin.
9. Install a legitimate malware scanner to perform a thorough system scan.