Moisha, a .NET-based ransomware, was initially spotted in mid-August by Cyble. The name of an organization in its ransom note indicates that the malware was developed to carry out highly targeted attacks. The threat actor, identified as the PT MOISHA team, uses double-extortion tactics to exfiltrate and encrypt the victim's data.

Modus operandi

During encryption, the ransomware first creates a global mutex to ensure that only one instance of the malware is running on the victim's system at a time. If the mutex already exists, the malware stops running on the device.
  • It then searches the victim's system for a list of services, such as backup services and malware-scanner services. If any are found running, the malware terminates them, which ensures that they do not prevent access to files due to be encrypted later.
  • The ransomware then checks for the presence of a list of processes and terminates them if they are actively running on the victim’s machine.
  • Moisha disables the Microsoft Defender Antivirus’ real-time protection and deletes shadow copies with PowerShell and Vssadmin.
  • Next, the malware identifies the available system drive, enumerates the files and folders inside it, and starts a new thread for the file encryption process.
  • Before starting the encryption process, the ransomware drops the ransom note, created by decoding hardcoded Base64 content, in the folder.
  • The ransom note instructs victims to contact the threat actors via their Moisha ID on TOX Messenger for ransom negotiations if they want their encrypted files restored.
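A defender-side illustration of the Defender-tampering and shadow-copy-deletion step above, added here and not taken from Cyble's report or from the malware: it triages process-creation events per host and raises severity when both behaviours occur close together. The regex patterns are generic, publicly documented command forms (an assumption, not Moisha's exact command lines), and the host names, timestamps and log layout are constructed.

```python
import re
from datetime import datetime, timedelta

# Generic, publicly documented command forms (assumption: not Moisha's exact strings).
RULES = {
    "defender_rtp_off": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I),
    "shadow_delete_vssadmin": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "shadow_delete_powershell": re.compile(
        r"Win32_ShadowCopy.*(Delete\(\)|Remove-(Wmi|Cim)(Object|Instance))", re.I),
}

# Constructed process-creation events: time | host | command line
SAMPLE_EVENTS = """\
2024-01-01T10:00:01|WS-014|powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true
2024-01-01T10:00:09|WS-014|vssadmin.exe delete shadows /all /quiet
2024-01-01T10:00:12|WS-014|powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2024-01-01T10:03:40|SRV-002|vssadmin.exe list shadows
2024-01-01T11:15:00|WS-031|powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $false
2024-01-01T12:00:00|SRV-007|vssadmin delete shadows /for=C: /oldest
"""

def match(cmdline):
    """Names of all rules whose pattern appears in the command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def triage(log_text, window=timedelta(minutes=5)):
    """Return {host: (severity, sorted rule names)} for hosts with any hit.

    'high' means Defender tampering and shadow-copy deletion were both seen
    on the same host within `window`; a single behaviour alone is 'medium'.
    """
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, cmd = line.split("|", 2)  # command line may itself contain '|'
        for rule in match(cmd):
            hits.setdefault(host, []).append((datetime.fromisoformat(ts), rule))
    result = {}
    for host, events in hits.items():
        tamper = [t for t, r in events if r == "defender_rtp_off"]
        shadow = [t for t, r in events if r.startswith("shadow_delete")]
        chained = any(abs(a - b) <= window for a in tamper for b in shadow)
        result[host] = ("high" if chained else "medium", sorted({r for _, r in events}))
    return result

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Plain-text matching like this misses encoded or obfuscated command lines, so it complements rather than replaces Defender tamper-protection and backup-integrity alerts.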

Encryption details

  • The ransomware employs the RSA and AES encryption algorithms, as well as a hardcoded, Base64-encoded RSA public key.
  • It checks whether the file size is less than 2GB and, if so, calls the encryptor function to speed up file encryption.
  • During the encryption process, the ransomware excludes some directory names, file names, and extensions.
  • Once a machine is infected, the malware spreads to other machines on the network and, in the end, deletes itself using the PowerShell command line.


Ransomware actors frequently leak or sell exfiltrated data online, causing severe reputational damage to the affected organizations. To protect against ransomware attacks, businesses must stay ahead of the techniques used by threat actors while also implementing the necessary security best practices and security controls.
Cyware Publisher