STOP/MOQS ransomware represents one of the most prolific file-encrypting threats currently targeting Windows users worldwide. Part of the larger STOP/Djvu ransomware family—which has infected hundreds of thousands of systems since 2018—this variant encrypts personal files using strong cryptographic algorithms and appends the .moqs extension to affected filenames. Victims find themselves locked out of documents, photos, databases, and other irreplaceable files, with attackers demanding payment in cryptocurrency for the decryption key.


What makes STOP/MOQS particularly dangerous is its aggressive distribution through software cracks, key generators, and pirated content—vectors that bypass traditional security awareness. The ransomware typically arrives bundled with other malware, including information stealers and trojans, creating a multi-layered infection that goes far beyond simple file encryption. Recovery without backups is difficult and often impossible, making this a threat that demands both immediate action and long-term prevention strategies.

Think You're Infected Right Now? If you're seeing ransom notes or files with .moqs extensions, disconnect your computer from the internet and power down external drives immediately. Do NOT pay the ransom—there's no guarantee you'll receive a working decryptor, and payment funds criminal operations. Call Computer Repair Roswell at (770) 856-1577 before taking further action. Time-sensitive decisions made in panic often make recovery harder.

Threat Profile

Threat Family: STOP/Djvu ransomware family
Variant Name: STOP/MOQS (also detected as Ransom:Win32/StopCrypt, STOP Djvu)
File Extension: .moqs appended to encrypted files
Platform: Windows (all versions from Windows 7 onward)
First Observed: Part of ongoing STOP family campaign (2018–present)
Encryption Method: Salsa20 + RSA-1024 (online key) or AES (offline key)
Ransom Note: _readme.txt placed in each encrypted folder
Ransom Demand: $490–$980 USD in Bitcoin, with "discount" for quick payment
Distribution: Cracked software, keygens, torrents, malicious email attachments, exploit kits
Additional Payloads: Often bundled with Vidar, RedLine, or Azorult information stealers
Persistence: Run registry keys, scheduled tasks, startup folder entries
Network Behavior: Contacts C2 servers for encryption key retrieval; may operate offline with local keys
IoC Artifacts: Files in %LOCALAPPDATA% and %APPDATA% with random names; modified registry Run keys; _readme.txt ransom notes
Removal Difficulty: Moderate to remove malware; extremely difficult to decrypt files without key

How It Spreads

STOP/MOQS ransomware overwhelmingly targets users seeking pirated software, making it a threat driven by convenience rather than sophisticated social engineering. Threat actors bundle the ransomware with popular software cracks, license key generators, and "patched" versions of commercial applications—tools that users deliberately download and execute, often while security software is disabled. This creates the perfect infection vector: the victim bypasses security measures voluntarily, trusts the executable enough to run it with administrative privileges, and may not notice suspicious behavior until encryption completes.

The ransomware also spreads through secondary channels that exploit trust and urgency. Malicious email attachments disguised as invoices, shipping notifications, or tax documents may carry STOP/MOQS as part of a multi-stage dropper. Exploit kits targeting unpatched vulnerabilities in browsers or plugins can silently download and execute the payload. In some cases, the ransomware arrives as a secondary infection—delivered by an existing trojan or botnet malware already resident on the compromised system.

Common distribution vectors include:

  • Software cracks and keygens — Executables claiming to activate Adobe, Microsoft, or Autodesk products
  • Torrent downloads — Popular movies, games, or software bundled with the ransomware installer
  • Malicious advertisements — "Codec required" or "Player update needed" prompts on streaming sites
  • Email attachments — Archives or executables masquerading as business documents
  • Fake updates — Browser or Flash Player update prompts on compromised websites
  • Remote Desktop Protocol (RDP) attacks — Brute-force attacks on poorly secured business systems
  • Drive-by downloads — Exploit kits targeting browser vulnerabilities on compromised legitimate sites

What It Does On Your Machine

Upon execution, STOP/MOQS works quickly to establish persistence and begin its encryption routine. The malware typically drops its main executable into a randomly named subfolder within %LOCALAPPDATA% or %APPDATA%, using GUID-style folder names that blend into legitimate Windows application data. It immediately creates registry entries under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key to ensure it launches at every system startup, and may establish scheduled tasks as backup persistence mechanisms. Many variants also disable Windows Defender and other security software by modifying registry settings or terminating security processes.

The encryption phase targets user-created files across all accessible drives, including mapped network shares and connected external storage. STOP/MOQS specifically hunts for documents, spreadsheets, databases, photos, videos, archives, and other high-value data—skipping system files necessary for Windows operation. Each encrypted file receives the .moqs extension and becomes completely inaccessible. The ransomware drops a text file named _readme.txt in each folder containing encrypted files, with instructions for contacting the attackers and paying the ransom.

What many victims discover too late is that STOP/MOQS rarely arrives alone. The same infection chain frequently installs information-stealing malware—Vidar, RedLine, and Azorult being common companions. While you're focused on encrypted files, these stealers quietly exfiltrate browser passwords, cryptocurrency wallet files, FTP credentials, email client data, and two-factor authentication cookies. By the time you address the ransomware, your accounts may already be compromised.

Typical STOP/MOQS Filesystem Artifacts
C:\Users\[Username]\AppData\Local\[Random-GUID]\syshelper.exe     // Main payload (name varies)
C:\Users\[Username]\AppData\Roaming\[Random-GUID]\updatewin.exe   // Persistence copy
C:\Users\[Username]\Desktop\_readme.txt                            // Ransom note (duplicated in all affected folders)
C:\Users\[Username]\Documents\photo.jpg.moqs                       // Encrypted file example
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    SysHelper = "C:\Users\[Username]\AppData\Local\[GUID]\syshelper.exe"
Scheduled Task: [Random] (time trigger)                            // Runs persistence executable daily

The ransom note typically demands between $490 and $980 in Bitcoin, with a "50% discount" if victims contact the attackers within 72 hours—a pressure tactic designed to prevent rational decision-making. The note provides email addresses (often on ProtonMail or similar privacy-focused services) and a personal ID number to reference your infection. Critically, there is no guarantee that paying produces a working decryption tool, and many victims report being ghosted after payment or receiving defective decryptors that damage files further.

Manual Removal — Step by Step

01. Disconnect From All Networks Immediately

Unplug the Ethernet cable or disable Wi-Fi to prevent the ransomware from encrypting network-shared files or spreading to other devices. If external drives or USB storage are connected, power them down and disconnect them—but don't unplug them while the system is actively encrypting. Take a photo of your screen showing the ransom note and file extensions for documentation purposes.

02. Boot Into Safe Mode With Networking

Restart the computer and press F8 repeatedly during boot (or use the advanced startup options in Windows 10/11 settings) to access Safe Mode with Networking. This loads only essential system processes, preventing most malware from launching while still allowing internet access for downloading tools. If you cannot access Safe Mode normally, use the Windows installation media recovery environment.

03. Identify and Terminate Malicious Processes

Open Task Manager (Ctrl+Shift+Esc) and look for suspicious processes—executables with random names running from AppData\Local or AppData\Roaming subfolders are prime suspects. Right-click suspicious processes, select "Open file location," note the path, then end the process. Be cautious: legitimate Windows processes also run from AppData, so verify before terminating anything you're uncertain about.

04. Remove Persistence Mechanisms

Press Win+R, type regedit, and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries pointing to suspicious executables in AppData folders and delete them. Open Task Scheduler (search in Start menu) and review scheduled tasks—delete any that reference unfamiliar executables or have random names. Check the Startup folder at C:\Users\[YourName]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup for malicious shortcuts.

05. Delete the Malware Files

Navigate to the file locations you identified in Task Manager (typically subfolders in %LOCALAPPDATA% or %APPDATA% with GUID-style names) and delete the entire folder. Use Shift+Delete to bypass the Recycle Bin. Look for recently modified folders if you're uncertain—STOP/MOQS typically creates its directories around the infection time. Delete any copies of _readme.txt ransom notes you find, though this is cosmetic rather than functional removal.

06. Run Comprehensive Anti-Malware Scans

Download and install Malwarebytes (free version is sufficient) and run a full system scan—not a quick scan. STOP/MOQS often arrives with information stealers and other trojans that require dedicated detection. Follow up with a scan using your primary antivirus if it's reputable (Windows Defender is adequate if kept updated). HitmanPro provides good secondary detection for stubborn remnants. Remove everything these tools flag, reboot, and scan again to verify clean results.

07. Check for Decryption Possibilities

Visit the Emsisoft STOP Djvu Decryptor page to determine if a free decryption tool exists for your specific variant. The decryptor only works for "offline key" infections where the ransomware couldn't contact its command server during encryption—roughly 20-30% of cases. Upload a few encrypted files to the Emsisoft checker; if it reports success, download and run the decryptor. If unsuccessful, file recovery remains difficult without backups or professional data recovery assistance.

08. Reset Browsers and Clear Extensions

STOP/MOQS infections often include browser hijackers or credential stealers. Reset each browser to default settings: in Chrome/Edge, go to Settings → Reset settings → Restore defaults; in Firefox, Help → More troubleshooting information → Refresh Firefox. Review installed extensions and remove anything unfamiliar. Clear all cookies and cached data to eliminate potential session hijacking tokens left by info-stealer components.

09. Change All Critical Passwords

Because STOP/MOQS frequently arrives with password-stealing companions, assume all credentials stored in browsers or accessible applications have been compromised. Change passwords for email, banking, social media, and any work-related accounts—do this from a confirmed-clean device if possible. Enable two-factor authentication on every service that supports it. Check for unauthorized access in your account activity logs, particularly for email and financial services.

10. Reboot Normally and Verify System Integrity

Restart the computer into normal mode and observe behavior during the first few minutes. Watch for unexpected processes, unusual disk activity, or network connections. Run one more quick scan with Malwarebytes to confirm the system remains clean. Monitor for the next several days—check Task Manager periodically, watch for performance issues, and verify that no new suspicious files appear in AppData directories. If anything seems off, professional analysis may reveal remnants automated tools missed.
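The artifacts listed under "What It Does On Your Machine" and hunted in steps 03 to 05 can be enumerated in one pass before anything is deleted. The following PowerShell is an added, read-only triage example, not a tool from the article or its author; it assumes a default Windows profile layout, and the function names are made up for this illustration.

```powershell
function Test-InAppData([string]$Path) {
    # True when an image path (possibly quoted or followed by arguments) sits under
    # Local or Roaming AppData, the drop location this family uses.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = $Path.Trim('"')
    foreach ($root in @($env:LOCALAPPDATA, $env:APPDATA)) {
        if ($root -and $p.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}
function Get-StopMoqsTriage {
    # Step 03: running processes whose executable lives under AppData
    $procs = Get-Process | Where-Object { Test-InAppData $_.Path } |
             Select-Object Id, ProcessName, Path

    # Step 04: HKCU Run values that launch something from AppData
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runHits = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).PSObject.Properties |
               Where-Object { $_.Name -notlike 'PS*' -and (Test-InAppData "$($_.Value)") } |
               Select-Object Name, Value

    # Step 04: scheduled tasks with an action that executes from AppData
    $taskHits = Get-ScheduledTask | Where-Object {
        @($_.Actions | Where-Object { Test-InAppData $_.Execute }).Count -gt 0
    } | Select-Object TaskName, TaskPath

    # Step 04: anything dropped into the per-user Startup folder
    $startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
    $startupItems = Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
                    Select-Object Name, LastWriteTime

    # Encryption footprint under the profile: renamed files and ransom notes
    # (".moqs" and "_readme.txt" are the indicators the article gives)
    $encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.moqs' -ErrorAction SilentlyContinue)
    $notes     = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '_readme.txt' -ErrorAction SilentlyContinue)

    # Nothing is deleted: the report is reviewed first, then steps 04 and 05 act on it
    [pscustomobject]@{
        AppDataProcesses = @($procs)
        RunKeyEntries    = @($runHits)
        ScheduledTasks   = @($taskHits)
        StartupItems     = @($startupItems)
        EncryptedFiles   = $encrypted.Count
        RansomNotes      = $notes.Count
        NoteFolders      = @($notes | ForEach-Object DirectoryName | Sort-Object -Unique)
    }
}
Get-StopMoqsTriage | Format-List
```

Run it from Safe Mode with Networking (step 02) in a PowerShell window; a legitimate application can also run from AppData, so each AppDataProcesses and RunKeyEntries hit still needs the "Open file location" check from step 03 before removal.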

Prevention

  1. Never download cracked software or keygens. This is the primary infection vector. Pirated software isn't free—you're paying with data, money, or both. Purchase legitimate licenses or use reputable free alternatives. If cost is prohibitive, open-source options exist for most commercial software categories.
  2. Maintain 3-2-1 backups of critical data. Keep three copies of important files, on two different media types, with one stored off-site or offline. An encrypted external drive that only connects during scheduled backups protects against ransomware. Cloud backup services with versioning (like Backblaze or Carbonite) provide recovery even if the ransomware encrypts synced folders.
  3. Keep Windows and all software fully updated. Enable automatic updates for Windows, browsers, Java, Adobe products, and other commonly targeted applications. Exploit kits delivering ransomware rely on unpatched vulnerabilities that updates close. Don't postpone updates indefinitely—they exist for security reasons.
  4. Use reputable security software and keep it active. Windows Defender is adequate baseline protection if properly configured and updated. Supplement with Malwarebytes for periodic scans. Never disable security software to run questionable downloads—if software requires disabling protection, it's almost certainly malicious.
  5. Configure User Account Control and run as standard user. Don't use an administrator account for daily tasks. UAC prompts warning that an application wants to make system changes are protection, not annoyance. Ransomware running with limited privileges has reduced ability to establish deep persistence or modify security settings.
  6. Enable "Show file extensions" in Windows Explorer. Open File Explorer Options, View tab, and uncheck "Hide extensions for known file types." This reveals when executables disguise themselves with fake document icons. A file showing as "invoice.pdf.exe" becomes obviously suspicious when extensions are visible.
  7. Treat email attachments with healthy skepticism. Don't open unexpected attachments, even from known contacts—their account may be compromised. Legitimate businesses don't send invoices or shipping notices as executables. When in doubt, contact the sender through a separate communication channel to verify authenticity before opening anything.
  8. Restrict macro execution in Office applications. Go to File → Options → Trust Center → Trust Center Settings → Macro Settings, and select "Disable all macros except digitally signed macros." Many ransomware campaigns deliver through Office documents with malicious VBA macros—disabling them blocks this entire attack category.
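Items 4, 5, 6 and 8 above correspond to settings that can be audited rather than trusted. The following PowerShell is an added, read-only check and not part of the article; the function name is made up for this illustration, and the Office registry path assumes the "16.0" version segment used by Office 2016 and later.

```powershell
function Get-HardeningReport {
    # One line per prevention item that is not yet in the recommended state.
    $findings = [System.Collections.Generic.List[string]]::new()

    # Item 4: Defender real-time protection must be running
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp -or -not $mp.RealTimeProtectionEnabled) {
        $findings.Add('Defender real-time protection is off or not available')
    }

    # Item 5: the daily account should not be in local Administrators (S-1-5-32-544).
    # The SID stays in the token even when UAC filters it, so this reports the
    # account type rather than whether this particular session is elevated.
    $sids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object Value
    if ($sids -contains 'S-1-5-32-544') {
        $findings.Add('Current user is a local administrator; use a standard account daily')
    }

    # Item 6: extensions are visible only when HideFileExt is 0
    $adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hide = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    if ($hide -ne 0) { $findings.Add('Explorer hides known file extensions (HideFileExt is not 0)') }

    # Item 8: VBAWarnings 3 = disable all except digitally signed, 4 = disable all,
    # 2 = disable with notification (the default), 1 = enable all. The "16.0"
    # version segment is an assumption (Office 2016 and later); older suites differ.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -eq $v -or $v -lt 3) {
            $findings.Add("$app macros: VBAWarnings is '$v'; set it to 3 (signed only) or 4")
        }
    }
    return $findings
}

$report = @(Get-HardeningReport)
if ($report.Count -eq 0) { 'All checked settings are in the recommended state.' } else { $report }
```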

Our Guarantee: When Computer Repair Roswell removes ransomware from your system, we provide a 90-day warranty on our work. If the same infection reappears within that window (not caused by new risky behavior), we'll address it at no additional charge. We also consult on backup strategies and security hardening to prevent reinfection—solving the problem once means solving it completely.

Bring It In

Ransomware removal isn't just about cleaning the infection—it's about recovering what matters and preventing recurrence. At Computer Repair Roswell, we've handled hundreds of STOP/Djvu ransomware cases and understand both the technical removal process and the data recovery challenges these infections create. We'll analyze your specific variant to determine if free decryption tools exist, safely remove all malware components including stealer companions, assess what passwords and accounts may be compromised, and help you implement proper backup systems so this never happens again. The manual removal steps above work for technically confident users, but one missed registry key or overlooked scheduled task means the infection remains dormant, ready to re-encrypt when you least expect it.

Our shop at 1394 East Crossville Road in Roswell handles both walk-in and scheduled appointments Monday through Friday. We'll give you an honest assessment—if your files were encrypted with an online key and can't be recovered without paying (which we strongly advise against), we'll explain your options clearly rather than selling false hope. If backup restoration is possible, we'll handle it properly. If data recovery services might help, we'll refer you to reputable specialists we trust. Call us at (770) 856-1577 or stop by. Ransomware doesn't have to mean permanent data loss—but quick, informed action makes all the difference between recovery and regret.