GT500

Emsisoft Employee
  • Content Count: 10989
  • Days Won: 315

Posts posted by GT500


  1. 22 hours ago, Rushil Bhardwaj L said:

    My laptop has been attacked by the old DJVU ransomware (the extension: .hets). I tried using the decryptor tool, but it was not able to help as the virus in my laptop is of the old variant.

    That's a newer variant, not an older variant. I assume the decrypter told you otherwise? We're looking into why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.

    • Like 1

  2. 6 hours ago, traggs444 said:

    Tried using the decryptor and this is what I get for every file

    It's not abnormal for files to have different IDs than the ones in ransom notes. Unfortunately it's the IDs for the files that matter. You may have some files with offline IDs, however all of the others that have online IDs won't be decryptable.

     

    6 hours ago, traggs444 said:

    File: F:\Documents\kebe APPOINTMENT CARD.docx.topi
    Unable to decrypt Old Variant ID: z8NmjELd7txFYso2TeFqBPO3933BwbBmxX7Tplc1

    That's a newer variant, not an older variant. We're looking into why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.


  3. 11 hours ago, MrSalazar said:

    But as I'll update if my machine might still be infected, and if I connect to the internet that virus can start installing those malicious programs all over again.

    Don't worry about that. It's more important to run the fixlist with FRST. If anything new gets installed, Kevin will deal with it in the next log.

    • Like 1

  4. 18 hours ago, Josh254 said:

    Unable to decrypt Old Variant ID: m8eTZXfIcnmiTRR4xYFNlsm0Rp0Gedmxk4F6ERDb
    First 5 bytes: 255044462D

    That's a newer variant, not an older variant. We're looking into why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.

     

    18 hours ago, Vicky said:

    @Amigo-A Hey team, can you help me restore my data, infected by ransomware kodc ext and unable to find t1 in any id.

    There's nothing we can do for online IDs. They require private keys for decryption, and only the criminals have access to those.
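As an added illustration, not code from this thread or from Emsisoft's decrypter, here is a small Python parser for the "File: / Unable to decrypt ... ID: / First 5 bytes:" output that several posts above quote. It groups the lines into one record per file, labels each ID as online or offline using the convention Vicky refers to (offline IDs end in "t1"; treated here as an assumption, since the decrypter output itself does not say so), reads off the extension the ransomware appended, and decodes the reported first bytes to show what kind of file was encrypted. The sample output is constructed: the first two IDs are the ones quoted above, the third is made up so that the offline branch is exercised.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the decrypter output quoted in this thread.
# The first two IDs are the ones quoted above; the third is made up and ends in
# "t1" so that the offline branch is exercised.
SAMPLE_OUTPUT = r"""
File: F:\Documents\kebe APPOINTMENT CARD.docx.topi
Unable to decrypt Old Variant ID: z8NmjELd7txFYso2TeFqBPO3933BwbBmxX7Tplc1
First 5 bytes: 504B030414
File: C:\Users\user\Desktop\report.pdf.kodc
Unable to decrypt Old Variant ID: m8eTZXfIcnmiTRR4xYFNlsm0Rp0Gedmxk4F6ERDb
First 5 bytes: 255044462D
File: C:\Users\user\Pictures\holiday.jpg.mosk
Error: Unable to decrypt file with ID: CONSTRUCTEDoffline0123456789abcdefghijt1
First 5 bytes: FFD8FFE000
"""

# Both ID line shapes seen in the thread.
ID_LINE = re.compile(
    r"^(?:Error: )?Unable to decrypt (?:Old Variant ID|file with ID): (?P<id>\S+)$"
)

# Magic numbers for the original file types the "First 5 bytes" line can reveal.
MAGIC = {
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP container (DOCX/XLSX/PPTX)",
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG": "PNG",
}


@dataclass
class Entry:
    path: str
    victim_id: str = ""
    first_bytes: bytes = b""

    @property
    def extension(self) -> str:
        """Extension appended by the ransomware (e.g. ".kodc")."""
        return os.path.splitext(self.path)[1]

    @property
    def key_type(self) -> str:
        # Assumption (see lead-in): offline IDs end in "t1", all others are online.
        return "offline" if self.victim_id.endswith("t1") else "online"

    @property
    def original_type(self) -> str:
        """Guess the original file type from the reported leading bytes."""
        for magic, name in MAGIC.items():
            if self.first_bytes.startswith(magic):
                return name
        return "unknown"


def parse_decrypter_output(text: str) -> list[Entry]:
    """Group the decrypter's lines into one Entry per "File:" block."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File: "):
            entries.append(Entry(path=line[len("File: "):]))
            continue
        if not entries:
            continue  # lines before the first "File:" header are ignored
        current = entries[-1]
        m = ID_LINE.match(line)
        if m:
            current.victim_id = m.group("id")
        elif line.startswith("First 5 bytes: "):
            current.first_bytes = bytes.fromhex(line[len("First 5 bytes: "):])
    return entries


def count_by_key_type(entries: list[Entry]) -> dict[str, int]:
    """How many files carry an online vs. an offline ID."""
    return dict(Counter(e.key_type for e in entries))


if __name__ == "__main__":
    parsed = parse_decrypter_output(SAMPLE_OUTPUT)
    for e in parsed:
        print(f"{e.extension:6} {e.key_type:8} {e.original_type:32} {e.path}")
    print(count_by_key_type(parsed))
```

The "Old Variant" wording in the label is deliberately not trusted: as the replies above explain, the decrypter prints it for newer variants too, so the script keys only on the ID itself and on the file's own bytes.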


  5. 15 hours ago, francisco said:

    One last question: "..if law enforcement is able to bring the criminals behind the ransomware to justice" Has this happened before?

    Yes, it has. Usually in cooperation with a computer security company that assists them in gaining access to the servers operated by the criminals. Admittedly it doesn't happen as often or as quickly as we'd all like, but if there are enough police reports filed by victims then law enforcement agencies are more likely to prioritize this ransomware.

     

    15 hours ago, francisco said:

    Is there any criminal record for this...?

    If law enforcement agencies were to share details about an investigation with us, then we would be required to keep such information private.

    Unless of course you mean arrests and prosecutions for ransomware creators/distributors in the past, in which case the answer would also be "yes".

     

    15 hours ago, francisco said:

    Should I hold out hope, if that's the right expression?

    We usually recommend waiting for a solution other than paying the ransom if at all possible. Ultimately what you do is up to you and how quickly you need access to your data.


  6. 18 hours ago, Wagner_tkl said:

    File: C:\Users\Administrador.NURAP\Desktop\Arquivos criptografados\AlteracoesPortaria1510.pdf.meka
    Unable to decrypt Old Variant ID: INtCaq4YE5F6LInFlMEanpjWnkNumE82ffZAPS8O

    That's a newer variant, not an older variant. We're looking into why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.


  7. 22 hours ago, FlakaShlaka said:

    Unfortunately, it was not able to, or perhaps I have selected the wrong one?

    Can you please share with me the download link for the correct decrypter?

    Thanks.

    You should be able to find everything you need to know at the following link (including a link to the decrypter download page):
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

     

    18 hours ago, Alexander Maononga said:

    File: C:\Autodesk\AutoCAD_2018_English_Win_64bit_Trial\SetupRes\TopBanner.png.kodc
    Unable to decrypt Old Variant ID: DgbeXIWvS0TDhuTsmJeOLkjd17klWiZlY8Gr5Mhb

    That's a newer variant, not an older variant. We're looking into why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.


  8. 48 minutes ago, Anonymous1 said:

    But my laptop has been encrypted by new STOP/djvu ransomware called mosk and I have tried uploading the file but it shows the error. Check the uploaded image for the same.

    The error message you posted from the decrypter says it's an old variant. I'll have to ask about that, and see why it's detecting it as an older variant.

    Obviously if it's a newer variant, you won't be able to decrypt files if you have an online ID.


  9. 1 hour ago, francisco said:

    Error: Unable to decrypt file with ID: I2QRWkFqlYm4CUA6mGfHzikt3FeitXlSGpSntM2k

    This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

     

    1 hour ago, francisco said:

    I ask you if you are looking for a decryption key for this ".nosu"... I mean... if it's worth having faith and being patient, until you (or other antimalware heroes) find the solution..???

    The private keys for this ransomware are out of our reach for the moment. That being said, there's always a possibility that they may be publicly released at some point in the future, especially if law enforcement is able to bring the criminals behind the ransomware to justice.


  10. 1 hour ago, Reggia99 said:

    @Kevin Zoll, @Amigo-A

    The virus encrypts even the FRST and the fixlist on the flash drive, so using it to fix is becoming another issue.

    What do I do in this situation?

    Try the following:

    1. Hold down the Windows logo key on your keyboard, and tap R to open the Run dialog.
    2. Type (or copy and paste) %LocalAppData% into the field, and click OK.
    3. Look for a folder with a long name that seems like it's made up of completely random numbers and letters separated by dashes.
    4. Rename this folder, and then restart your computer.

    If the ransomware stops encrypting everything, then you got the right folder. If it doesn't, then you may need to go back and try again.

    Below is an example of what the folder may look like. In this example there are two folders, and I would believe one had the Azorult password stealing trojan in it (STOP/Djvu will download and run this trojan in order to steal your passwords), and the other folder had the ransomware in it. It also shows a malicious PowerShell script, which I would believe is what was used to download Azorult.

    [image attachment: image.png, screenshot of the %LocalAppData% folder described above]


  11. @MrSalazar Please download the following fixlist.txt file and save it to the Desktop:

    https://www.gt500.org/emsisoft/fixlist/2020-01January-24/MrSalazar/fixlist.txt

    NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop, or wherever the FRST64 file is.

    1. Run the FRST download from earlier, and press the Fix button just once and wait.
    2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
    3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

    • Like 1

  12. 4 hours ago, Raúl said:

    About the decryptor for v1.0.0.2, I have downloaded it, now it accepts the encrypted files but when I try the decryption process it results in a fail with the following message:

    File: C:\langpacks\recup\Recoverit 2019-12-12 at 05.27.28\D(NTFS)\Dropbox\Dropbox\13 (1)_- Raul Constantino Compartido\Raúl Constantino Gardeazábal Assgs\Nueva carpeta\PO_4500494714 Ruhrpumpen.pdf.([email protected])
    Error: StartIndex no puede ser inferior a cero.
    Nombre del parámetro: startIndex

    The encrypted files you attached are all fairly small. Did you try it on any larger files (for instance something a few megabytes in size)?


  13. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  14. 7 minutes ago, MrSalazar said:

    But I attached them to my topic. (Public Topic)

    If the topic is in the "Help, my files are encrypted!" or the "Help, my PC is infected!" sections of the forums, then only authorized helpers can view or download file attachments in those sections (with the exception of images/pictures).

    • Like 1

  15. 22 hours ago, ostrick5465 said:

    There is no way to decrypt my files without paying the hacker??? Can you help me?

    Unfortunately there's nothing we can do with newer variants of STOP/Djvu that have an online ID. Since newer variants use RSA keys, they're impervious to known attacks, and the keys are too complex to brute force (even the most powerful supercomputer would take thousands of years to do it).

     

    19 hours ago, isaiah11 said:

    plz is my id online

    ID: iQatyF7PV7euq0PuNHH70JdFGuuTS71l53BVtEBe
    help plz
     

    That's an online ID as well.

     

    15 hours ago, MrSalazar said:

    Yeah, this is my ID too. Do I need to wait for updates?!

    If your ID is an offline ID, then once we're able to find the private key for this variant (which we may have already), then our decrypter should be able to decrypt your files.

     

    12 hours ago, FlakaShlaka said:

    I have the same problem with KODC files that were encrypted; that happened earlier today.

    I'm not following what I should do. Should I open a new topic here and attach my files from the Farbar Recovery Scan Tool?

    I completed the scan and it generated 2 files. Should I attach them here? It seems that none of the STOP DJVU or other apps are of any help.

    I would be glad if you could maybe share instructions on how you can help me decrypt them?

    This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

    If you want to open a new topic to have your computer checked for remnants of the ransomware, then please feel free to do so. We'll need logs from FRST to look at in order to write a script, and this script will tell FRST what to delete. You can find instructions for downloading and running FRST at the following link:
    https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

    • Like 1