Demonslay335

As the FAQ and all you've read will already tell you, there is nothing we can do. It is impossible to decrypt, as only the criminals have your private RSA key that is unique to your files. Period. This ransomware is exclusively spread via pirated programs, so...

The encrypted files themselves are not infectious or anything. It's always recommended to archive encrypted files in that case in hopes of something changing in the future; unfortunately with STOP Djvu and the new variants with online keys, your only chance will be if the criminals are caught and their private RSA keys seized by law enforcement.

No. If your files were encrypted by an online key, then only the criminals have your key.

@abdi Read the FAQ... it is impossible to decrypt. Period.

The files that were decrypted would have been encrypted by the offline ID... as explained in the FAQ, the malware sometimes encrypts some files with an online key, and others with an offline key. Those 3 files just got lucky. The decryptor would not show the ID if it decrypted them; only if it could not decrypt the files.

Are you sure the file pair you are providing is good? It has to be the exact same file before and after the encryption. Any modifications between that and when it was encrypted would result in a bad pair. You can zip the files together and post them here if the forum allows (use a third-party sharing site if it doesn't), and I can take a look.

We will need the malware executable that encrypted the files in order to update our decryptor.

TXT files will not be possible with this method. The keystream generation depends on the first 5 bytes of the file - TXT files do not have a "standard", and thus will likely never have the same 5 bytes. Unless every single TXT file you have started with the same first word or two by chance...

Some extensions they re-use the same offline ID and corresponding key. In this case, .bboo, .ooss, and .mool all have the same offline ID.

That looks to be a good file pair. It may take a few days to a week to crack the password. I'll let you know.

You can zip the files together and use any third-party sharing site such as WeTransfer, SendSpace, Dropbox, Google Drive, etc. Just paste the link here.

Perfect. Confirmed that is the ransomware. Good news is we should be able to break it. It may take awhile though. Can you provide me with an encrypted file and it's original? Specifically an ".encryptedS" file please. Also, fun fact: the ransomware uses extension ".encryptedL" for files larger than 50,000,000 bytes, and extension ".encryptedS" for files smaller. Must stand for "Large" and "Small" respectively.

You can simply upload it to VirusTotal and provide the link here.

Keystream added to server. Should work for most of your other .mkv files. [+] ID: SinSPnFW89EGyfgIuac5Ym6CxpIkZ5ZjdYvgPcoV [+] Created keystream for files starting with: 1A45DFA3A3

It may be something new, I've not seen a ransom note use that type of victim ID pattern before. We would need the malware executable in order to analyze any further.