GT500
-
Content Count
10989 -
Joined
-
Days Won
315
Posts posted by GT500
-
-
6 hours ago, traggs444 said:Tried using the decryptor and this is what i get for every file
It's not abnormal for files to have different ID's than the ones in ransom notes. Unfortunately it's the ID's for the files that matter. You may have some files with offline ID's, however all of the others that have online ID's won't be decryptable.
6 hours ago, traggs444 said:File: F:\Documents\kebe APPOINTMENT CARD.docx.topi
Unable to decrypt Old Variant ID: z8NmjELd7txFYso2TeFqBPO3933BwbBmxX7Tplc1That's a newer variant, not and older variant. We're looking in to why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.
-
As an addendum to what I said above, the loadpoints for the ransomware were missing in the log, and were more than likely already removed by the decrypter (it doesn't delete the ransomware, but will prevent it from running again).
-
1
-
-
11 hours ago, MrSalazar said:But as I'll update if my machine might still be infected, and if I connect to the internet that virus can start installing those malicious programs all over again.
Don't worry about that. It's more important to run the fixlist with FRST. If anything new gets installed, Kevin will deal with it in the next log.
-
1
-
-
15 hours ago, babisk said:Unable to decrypt Old Variant ID: yXnGC4abzj1RA4UtIt3dwZvONKEXUXKy9Tq7dnGF
First 5 bytes: 0000002066That's a newer variant, not and older variant. We're looking in to why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.
-
18 hours ago, Josh254 said:Unable to decrypt Old Variant ID: m8eTZXfIcnmiTRR4xYFNlsm0Rp0Gedmxk4F6ERDb
First 5 bytes: 255044462DThat's a newer variant, not and older variant. We're looking in to why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.
18 hours ago, Vicky said:@Amigo-A Hey team, Can you help me restore my data,infacted by rasomware kodc ext and unable to find t1 in any id.
There's nothing we can do for online ID's. They require private keys for decryption, and only the criminals have access to those.
-
Yes, if they are under 100 MB then you should be able to attach them to a reply here (only authorized helpers can download them). Otherwise you can use a file sharing network to upload them to, and then send me the link to download them in a private message.
-
15 hours ago, francisco said:One last question: "..if law enforcement is able to bring the criminals behind the ransomware to justice" Has this happened before?
Yes, it has. Usually in cooperation with a computer security company that assists them in gaining access to the servers operated by the criminals. Admittedly it doesn't happen as often or as quickly as we'd all like, but if there are enough police reports filed by victims then law enforcement agencies are more likely to prioritize this ransomware.
15 hours ago, francisco said:Is there any criminal record for this...?
If law enforcement agencies were to share details about an investigation with us, then we would be required to keep such information private.
Unless of course you mean arrests and prosecutions for ransomware creators/distributors in the past, in which case the answer would also be "yes".
15 hours ago, francisco said:Should I hold out hope, if that's the right expression?
We usually recommend waiting for a solution other than paying the ransom if at all possible. Ultimately what you do is up to you and how quickly you need access to your data.
-
Right now we think the decrypter is defaulting to saying it's an old variant when it can't connect to our database. Was your Internet connected and working when you ran the decrypter?
-
18 hours ago, Wagner_tkl said:File: C:\Users\Administrador.NURAP\Desktop\Arquivos criptografados\AlteracoesPortaria1510.pdf.meka
Unable to decrypt Old Variant ID: INtCaq4YE5F6LInFlMEanpjWnkNumE82ffZAPS8OThat's a newer variant, not and older variant. We're looking in to why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.
-
22 hours ago, FlakaShlaka said:Unforunatley , it was not able to, or perhaps i have selected the wrong one?
Can you please share with me the download link for the correct decrypter ?
Thanks.
You should be able to find everything you need to know at the following link (including a link to the decrypter download page):
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/18 hours ago, Alexander Maononga said:File: C:\Autodesk\AutoCAD_2018_English_Win_64bit_Trial\SetupRes\TopBanner.png.kodc
Unable to decrypt Old Variant ID: DgbeXIWvS0TDhuTsmJeOLkjd17klWiZlY8Gr5MhbThat's a newer variant, not and older variant. We're looking in to why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.
-
48 minutes ago, Anonymous1 said:But my laptop has been encrypted by new STOP/djvu ransomware called mosk and I have tried uploading the file but its shows the error.Check the uploaded image for the same.
The error message you posted from the decrypter says it's an old variant. I'll have to ask about that, and see why it's detecting it as an older variant.
Obviously if it's a newer variant, you won't be able to decrypt files if you have an online ID.
-
48 minutes ago, FlakaShlaka said:How can i open the files back to normal ?
They still have the KODC ending.
Thank you for the reply.
Was the decrypter unable to decrypt your files? We may not have the private key for .kodc offline ID's key.
-
1 hour ago, francisco said:Error: Unable to decrypt file with ID: I2QRWkFqlYm4CUA6mGfHzikt3FeitXlSGpSntM2k
This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/1 hour ago, francisco said:I ask you if you are looking for a decryption key for this ".nosu"... I mean... If it's worth to have faith and be patient, untill you (or other antimalware heroes) find the solution..???
The private keys for this ransomware are out of our reach for the moment. That being said, there's always a possibility that they may be publicly released at some point in the future, especially if law enforcement is able to bring the criminals behind the ransomware to justice.
-
1 hour ago, Reggia99 said:@Kevin ZollZoll, @Amigo-A
The virus encrypts even the FRST and the fixlist on the flashdrive so using it to fix is becoming another issues,
What do I do in this situation
Try the following:
- Hold down the Windows logo key on your keyboard, and tap R to open the Run dialog.
- Type (or copy and paste) %LocalAppData% into the field, and click OK.
- Look for a folder with a long name that seems like it's made up of completely random numbers and letters separated by dashes.
- Rename this folder, and then restart your computer.
If the ransomware stops encrypting everything, then you got the right folder. If it doesn't, then you may need to go back and try again.
Below is an example of what the folder may look like. In this example there are two folders, and I would believe one had the Azorult password stealing trojan in it (STOP/Djvu will download and run this trojan in order to steal your passwords), and the other folder had the ransomware in it. It also shows a malicious PowerShell script, which I would believe is what was used to download Azorult.
-
@MrSalazar Please download the following fixlist.txt file and save it to the Desktop:
https://www.gt500.org/emsisoft/fixlist/2020-01January-24/MrSalazar/fixlist.txt
NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop, or wherever the FRST64 file is.
- Run the FRST download from earlier, and press the Fix button just once and wait.
- If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
- When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
-
1
-
4 hours ago, Raúl said:About the decryptor for v1.0.0.2 , I have downloaded it, now it accept the encrypted files but when I try the decryption process it results in a fail with the following message :
File: C:\langpacks\recup\Recoverit 2019-12-12 at 05.27.28\D(NTFS)\Dropbox\Dropbox\13 (1)_- Raul Constantino Compartido\Raúl Constantino Gardeazábal Assgs\Nueva carpeta\PO_4500494714 Ruhrpumpen.pdf.([email protected])
Error: StartIndex no puede ser inferior a cero.
Nombre del parámetro: startIndexThe encrypted files you attached are all fairly small. Did you try it on any larger files (for instance something a few megabytes in size)?
-
This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ -
7 hours ago, Pree said:Hello sir I got this error to decrypt files. Pls tell me the solution.
Have you uploaded file pairs via our submission form? There's an explanation at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ -
Have you uploaded file pairs via our submission form? There's an explanation at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ -
At first glance your computer appears to be clean. I do recommend removing any pirated software though, as that's where STOP/Djvu infections come from.
-
7 minutes ago, MrSalazar said:But I attached them to my topic. (Public Topic)
If the topic is in the "Help, my files are encrypted!" or the "Help, my PC is infected!" sections of the forums, then only authorized helpers can view or download file attachments in those sections (with the exception of images/pictures).
-
1
-
-
12 hours ago, FlakaShlaka said:About my ID :0198nTsddv06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1
Guess i can remain optimistic ?
Yes, that should be an offline ID. If the decrypter isn't able to decrypt your files right now, then try running it once every week or two to see when we've added the private key for this variant of STOP/Djvu.
-
1
-
-
22 hours ago, ostrick5465 said:There is no way to decrypt my files without paying the hacker??? Can you help me?
Unfortunately there's nothing we can do with newer variants of STOP/Djvu that have an online ID. Since newer variants use RSA keys, they're impervious to known attacks, and the keys are too complex to brute force (even the most powerful super computer would take thousands of years to do it).
19 hours ago, isaiah11 said:plz is my id online
ID: iQatyF7PV7euq0PuNHH70JdFGuuTS71l53BVtEBe
heelp plz
That's an online ID as well.
15 hours ago, MrSalazar said:Yeah, This's my ID too. I need to wait for updates?!
If your ID is an offline ID, then once we're able to find the private key for this variant (which we may have already), then our decrypter should be able to decrypt your files.
12 hours ago, FlakaShlaka said:I have same problem with KODC files that were encrypted , that happend earlier today.
I'm not following what should i do - should i open a new topic here and attach my files from the Farbar Recovery Scan Tool ?
I completed the scan and was generated with 2 files , should i attach them here? it seems that none of the STOP DJVU or others apps are at any help,
I would be glad if you can maybe share instructions on how you can help me de-encrypt them ?
This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/If you want to open a new topic to have your computer checked for remnants of the ransomware, then please feel free to do so. We'll need logs from FRST to look at in order to write a script, and this script will tell FRST what to delete. You can find instructions for downloading and running FRST at the following link:
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/-
1
-
-
13 hours ago, MrSalazar said:It's safe?
Only authorized helpers can download and view the logs. They are in plain text format, and can't spread infections.
-
1
-
Cannot decrypt Old variant Id
in Help, my files are encrypted!
Posted · Report reply
That's a newer variant, not and older variant. I assume the decrypter told you otherwise? We're looking in to why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.