
Moss Ransomware

Posted: October 5, 2020

The Moss Ransomware is a file-locking Trojan that's part of the Ransomware-as-a-Service known as the STOP Ransomware or the Djvu Ransomware, after two of its earliest campaigns. Like most of its family variants, it can block files with encryption, delete backups, and cause other issues while demanding ransoms from victims. Users should have secured backups for recovering any work and let a compatible anti-malware service uninstall the Moss Ransomware as soon as possible.

The Poisonous Greenery Growing Over Your Files

File-locking Trojans from the STOP Ransomware family are well-known for their meaningless, randomly-chosen character names, although a more distinct identity sometimes makes itself apparent in a variant. The Moss Ransomware is an exception to its family's naming theme, but it still hides its installer behind random characters like '7EDB,' in imitation of a temporary file. Those who download it or overlook its presence on their systems will quickly find that its impact is far more permanent than a temporary file's.

The attacks contained in the Moss Ransomware's payload have long since been established, as seen in its relatives like the LYLI Ransomware, the Kolz Ransomware, the Vari Ransomware or the Nesa Ransomware. Custom traits of the Moss Ransomware limit themselves to the extension it adds to victims' media files ('.moss,' which is appended without removing the original extension) and some new obfuscation that hinders detection in certain cyber-security products. Otherwise, malware experts note that the bulk of its features are standard, including:

  • Data encryption (locking files) with AES and an RSA key.
  • Deleting the Windows Restore Points.
  • Creating text ransom notes that sell an unlocking service from the attackers, with a 'discount' for prompt responses.
  • Blocking websites related to security companies by changing the Windows Hosts file's IP mapping values.

There also is what might be a bug in the Moss Ransomware: it generates a Windows 'stopped working' error when the Trojan runs. This issue doesn't impair the encryption feature, though, and malware experts point out that it could also be a deliberate distraction.
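A defender-side triage script for two of the indicators listed above: added mappings in the Windows Hosts file, and files carrying the appended '.moss' extension with the original extension still in place. This is an added example, not code from the original article; the hosts file contents and file paths are constructed, and because the article does not say which IP address the Trojan maps blocked sites to, the check flags every non-comment entry beyond the stock localhost lines.

```python
from pathlib import PureWindowsPath

# Stock mappings found in a default Windows hosts file (comments aside).
STOCK_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample hosts file: two added entries sinkhole a made-up vendor domain.
SAMPLE_HOSTS = """\
# constructed sample of a tampered hosts file
127.0.0.1 localhost
::1       localhost
0.0.0.0 security-vendor.example          # constructed entry
0.0.0.0 updates.security-vendor.example  # constructed entry
"""

# Constructed sample of a user profile after encryption; '.moss' is appended,
# the real extension stays, and untouched files keep their single extension.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx.moss",
    r"C:\Users\alice\Pictures\holiday.jpg.moss",
    r"C:\Users\alice\Documents\notes.txt",
]

def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that are not the stock localhost mappings.

    Any extra mapping deserves review; redirecting a security vendor's domain
    to a sinkhole address is the behaviour described for this family.
    """
    flagged = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if (ip, name.lower()) not in STOCK_HOSTS:
                flagged.append((ip, name.lower()))
    return flagged

def locked_by_moss(filenames, marker=".moss"):
    """Return (path, original_extension) for files carrying the appended marker.

    'report.docx' becomes 'report.docx.moss', so the original type survives as
    the second-to-last suffix (empty string if the file had no extension).
    """
    hits = []
    for name in filenames:
        suffixes = PureWindowsPath(name).suffixes
        if suffixes and suffixes[-1].lower() == marker:
            original = suffixes[-2] if len(suffixes) >= 2 else ""
            hits.append((name, original))
    return hits
```

On a live system, feed `suspicious_hosts_entries` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and `locked_by_moss` a directory walk; the original extension it reports tells you what each locked file was before the attack.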

Scraping the Moss Ransomware Off of Your File Data

There is a small chance that users can recover their work by decrypting it if the Moss Ransomware can't contact its C&C server and instead falls back to a default RSA key. However, decryption solutions are notoriously unavailable for most Ransomware-as-a-Service attacks. Malware researchers routinely encourage all users to keep backups on other devices so that they can restore their data for free.

Users also should be cautious of other attacks that might coincide with Moss Ransomware infections. In many cases, spyware like AZORult or tools like Mimikatz play a supporting role and can help attackers gain access to passwords and admin-privilege accounts. Changing passwords and related credentials should be part of any recovery plan after experiencing an attack involving file-locker Trojans or similar threats.

Although detection rates have yet to catch up to this campaign, reliable and updated anti-malware services are generally capable of removing file-locker Trojans. Removing the Moss Ransomware without the assistance of updated security solutions should be delegated to professionals as necessary.

Vegetation that costs nearly a thousand USD to remove might seem like a costly gardening job, but for many, it's not as bad a loss as losing all their data. As the Moss Ransomware's family spreads onward in its plundering, the only thing with any hope of stopping it is its victims wising up to the game.
