Masok Ransomware - How to remove

If you noticed that your files have had the “.masok” extension attached to their names, your PC probably has Masok — a virus that breaks the files on the infected computer, cripples the antivirus program, blocks some websites, and installs spyware. This ransomware demands hundreds of dollars to give the data back and does not even guarantee that it’s restored. Due to the way that Masok is distributed, it’s not unlikely that the victims have other infections plaguing their PC that could also be causing problems.

To deal with Masok, we can list the important things that need to be done:

  • Remove the virus.
  • Plug the security holes to avoid repeat infections.
  • Try to recover your locked data.

While the chances of decrypting or recovering the Masok-encrypted files are low (unless you have backups of your files), it’s worth learning about how this infection happened and how you can avoid some malware in the future.

What is Masok

Masok ransomware is a version of STOP/Djvu. STOP is a family of distinct but very closely related cryptoviruses, like Prandel, Mogranos, and Drume. Like Masok, the names of these viruses are also based on what extension they give the infected files. Some cryptoviruses give no extensions or random ones, but not STOP/Djvu.

One of the first things that the Masok virus does when it starts working is to contact the server of its developers. The server sends Masok the encryption key that the virus uses to lock the files: documents, text files, media files, ongoing projects, family pictures, important data that you might have even forgotten about. Masok doesn’t break the operating system, so you can still use the computer, but the files are locked.

The “.masok” files can’t be unlocked in most cases. They have been, essentially, corrupted, and while that process is reversible, the decryption key is needed. The only way to get it is for the criminals to send it, and dealing with them is risky. They don’t always fix the files and they might even run away with your money — there are all sorts of horror stories of people who had to deal with cyber-extortionists and were taken advantage of.

The ransom note that Masok leaves behind, called _readme, carries a message from the developers of the virus. There, the price for the decryption key (which is unique for each infection) is given ($490 or $980), as well as their email addresses — [email protected] and [email protected].

How to deal with ransomware?

Data backups are used to protect against extortionists. They have to be properly secured, the files have to be updated regularly, and they need to be kept separate from the computer so that, if something like Masok infects the device, at least the backups aren’t encrypted (which is something that happens to a lot of organizations that keep their backups on the same network as the backed-up machine).

Tentatively, there is a way that can decrypt some data for some people — a tool called STOPDecrypter. This tool relies on the fact that sometimes Masok tries and fails to connect to the server and receive the encryption key. In that case, a hardcoded key is used for encryption. It’s much weaker than the online key — hardcoded and the same for many victims. So, run STOPDecrypter on all of your files to find out if any of them are decryptable. If it doesn’t work, then it won’t work, no matter how many times you retry. However, some people have successfully recovered their data thanks to it.

As brilliant as it is, STOPDecrypter is a volunteer project mostly maintained by a single person in his free time. It should not be relied on, and the developer has no obligation to continue it. Some cryptoviruses do get a free decrypter released, some — a paid third-party solution (some early variants of STOP were decryptable by Dr.Web). But the only way for all the victims to have a chance to unlock their data is for the criminals to provide the tools — or for law enforcement to release them.

Other possible ways of restoring .masok files are listed below this article. They aren’t guaranteed to work, but they’re worth trying.

I don’t know if the developers of Masok are being sought out by law enforcement, but, depending on which country you are in, it would be commendable if you were to report your case to your cybercrime authority.

Masok, ransom note

How Masok infects computers

Masok is usually downloaded by the victims as a file disguised as something else. Keygens, pre-activated commercial software, and cracks are often used to deliver malware to people. Additionally, the infected files can arrive in spam emails as attachments or links. If you open the files without having scanned them first, you risk running malware.

Malicious advertising campaigns are sometimes used to infect visitors to certain websites by downloading the virus automatically, but this only works on devices with some vulnerabilities. If you haven’t updated your operating system or your antivirus program in a while, or if the browser you’re using is severely outdated, then you might be vulnerable to malvertising infections.

Hacked RDP, with criminals remotely installing malware on your device by hand, is something that businesses and organizations need to worry about more than individuals, but it’s still good to make sure that your Remote Desktop connection is as secure as possible.

Malware being installed by trojans is also a possibility, though, in the case of Masok, it’s reversed — the ransomware installs the trojan. The trojan — AZORult — is a credential stealer, so don’t do any online banking or payments on the infected computer and, if you don’t want your accounts to be hacked later, change your passwords afterwards.

In summation, to avoid the harm that Masok and other cryptoviruses cause:

  • Set up data backups.
  • Avoid pirating.
  • Secure your RDP.
  • Scan every file you download.
  • Scan your computer regularly.
  • Make sure your passwords are complex and set up 2-step verification where possible.

How to remove Masok

Safe mode, manual removal, and a strong antivirus tool like Spyhunter can be used to remove the viruses, but back up the locked data first if you wish to try to decrypt it later.
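To make that backup of the locked data systematic, here is an added Python example (not code from the original guide or from any tool it names) that inventories .masok files and _readme ransom notes under a folder, reports which kinds of files were hit, and copies them with their folder layout intact to a separate location; the sample tree it builds is constructed, not real malware output.

```python
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".masok"        # extension the guide says Masok appends
NOTE_PREFIX = "_readme"      # ransom note name from the guide

def inventory(root):
    """Walk root; return (encrypted files, ransom notes, Counter of original extensions)."""
    encrypted, notes, by_orig_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().startswith(NOTE_PREFIX):
                notes.append(path)
            elif name.lower().endswith(RANSOM_EXT):
                encrypted.append(path)
                # report.docx.masok -> ".docx": shows what kind of data was hit
                original = Path(name[:-len(RANSOM_EXT)]).suffix.lower() or "(none)"
                by_orig_ext[original] += 1
    return encrypted, notes, by_orig_ext

def backup_encrypted(root, dest):
    """Copy every .masok file and ransom note under root into dest, keeping the
    folder layout, so a later decryption attempt has untouched input. Returns count."""
    root, dest = Path(root), Path(dest)
    encrypted, notes, _ = inventory(root)
    for src in encrypted + notes:
        target = dest / src.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 keeps the original timestamps
    return len(encrypted) + len(notes)

def demo():
    """Build a small constructed sample tree (not real malware output) and run both steps."""
    root = Path(tempfile.mkdtemp(prefix="masok_sample_"))
    dest = Path(tempfile.mkdtemp(prefix="masok_backup_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.masok").write_bytes(b"constructed ciphertext")
    (root / "docs" / "_readme.txt").write_text("constructed sample ransom note")
    (root / "photo.jpg.masok").write_bytes(b"constructed ciphertext")
    (root / "clean.txt").write_text("untouched file, must not be copied")
    encrypted, notes, by_ext = inventory(root)
    copied = backup_encrypted(root, dest)
    return {"encrypted": len(encrypted), "notes": len(notes), "by_ext": dict(by_ext),
            "copied": copied, "backup_ok": (dest / "docs" / "report.docx.masok").is_file(),
            "clean_copied": (dest / "clean.txt").exists()}

if __name__ == "__main__":
    print(demo())
```

Point `backup_encrypted` at the real user folders and at a drive that is not the infected disk; the clean files are deliberately left alone so the copy only contains what a decrypter needs.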


How to recover Masok Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points available from before Masok Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.


Step 2. Complete removal of Masok Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program like Spyhunter and remove all malicious files related to Masok Ransomware. You can check other tools here.

Step 3. Restore Masok Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Masok Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Masok Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
