Demonslay335

The groups behind Phobos actually compromise your system via RDP or other remote software you had open... no antivirus on the planet can protect you if someone had full control of the server.

With it being New Djvu, your files will only be decryptable for free if they were encrypted by the offline key once we acquire it. If the decryptor reports your files have the ID ZioGB1sCYacbrJajtnJKEUKt6xYM3QPgwAPNAwt1, then they were encrypted by the offline key, and thus possibly decryptable in the future. Otherwise, it is an online key, and there is nothing we will be able to do to help since only the criminals have your online key(s).

We have not acquired any new keys since the release of the decryptor. The criminals stopped using that server by time we got the keys, and have been infecting users from another server.

The ".Snc" variant is not supported by the decrypter, but we are currently working on it. Can't guarantee it will be decryptable at this point, they made some changes as expected.

@broniusr I've fixed that now. Please try re-downloading for v1.0.0.1.

@broniusr The decryptor has been updated, please try downloading it again. If you run it from the same directory as before, it should pickup the key file from the previous session, and you won't have to re-bruteforce it. Thanks for reporting the bug.

You were encrypted more recently than we have keys for, that's why you get that message. Nothing we can do at the present time.

@broniusr You are correct, the malware encrypts up to 0x27100 bytes of the file, and I forgot to test bait files smaller than that limit. I'll post here once the decryptor has been updated to factor for that bug in the malware. Every version of this malware family has had at least one such bug relating to the crypto, so annoying...

Not yet, but decryption of 3.0 is coming soon. The idiot who coded it has an annoying bug that corrupts many files that we have to overcome.

Please upload this file to VirusTotal and provide a link here. C:\Users\dasba\AppData\Local\a8402009-cadb-4977-b8d8-209fe362c63a\2.exe

Yep, as I suspected. The files are corrupted. What's going on is the MP3 format is likely a little bit tolerant of some data loss. GlobeImposter 2.0 does not encrypt the whole file, only like the first few MB I believe. If you were to simply remove the ".DOCM" extension from the file, you would get the exact same result. GetCrypt Ransomware uses a random 4-character uppercase extension, so that's the only reason the decrypter is fooled into "accepting" your file pair. Due to the way I am breaking that ransomware, the tool also cannot actually verify whether the decryption was successful, it just has to blindly throw the crypto at the file.

Mind sharing some of these encrypted MP3s that are supposedly "decrypted"? I have an idea as to what is going on, and it's not actually decryption...

If you can find a file "bginfo.png" on the system in the same folder as the executable, there might be a chance. Otherwise, so far it does not look like it can be decrypted without that file at the current time.

We will really need the executable or commands used to encrypt the files in order to analyze it any more. By the way, the filepair you provided are not the same file before/after the encryption. The encrypted file's filename decodes to "rollup.png". It's just simple base64 encoding on the name.

No, the malware would re-encrypt them...

Do NOT do that. Your files will just get re-encrypted with the offline key, which STOPDecrypter already has. So it's just a complete waste of time and won't accomplish anything but possibly causing more damage to your system.

The .pumax variant is 100% decryptable if you follow the instructions in the README.txt and provide it an encrypted file and its original. Don't bother with the ID and MAC, I don't need to archive those for that variant.

If you can zip up everything they gave you and a few encrypted files and attach it here, we can see what we can do.

Possibly in the future, just give us some time. 😉

To second @GT500, have you heard of a little something called CVE-2019-0708? It's literally an exploit that doesn't require even logging in, completely bypassing MFA... it's not the first such exploit recently, nor will it likely be the last. Good that you have MFA, but seriously put it behind VPN.

It's STOP Djvu Ransomware, please read the FAQ here: https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-tro-djvu-rumba-openmetxt-support-topic/ In addition, we still need the malware executable for this extension. Please check Task Scheduler for a suspicious task running every 5 minutes, and disable it. Go to Properties, and find the executable it is pointing to, upload it to VirusTotal, and post a link here.

Please follow the instructions in the link ID Ransomware gave you to provide the information needed to archive your case. In addition, we still need the malware executable itself. Check your Task Scheduler for a suspicious task running every 5 minutes or so - go to Properties and find the executable it points to, and upload it to VirusTotal, then provide us the link.

This is STOP Djvu Ransomware, and we need a sample of the malware. Can you check Task Scheduler for a suspicious task running very often (like every 5 minutes)? If you find it, please disable it, then go to Properties for it, Actions tab, and select the "Start a program" - click Edit, and note the location the executable is. Find that executable and upload it to VirusTotal, then send me a link to it. If you need further help with this, I will have a support team member reach out to you for more guided assistance. I do need that malware sample ASAP. In addition to securing the malware executable, please follow the directions in this article to provide me the Personal ID and MAC addresses of the infected machine. https://kb.gt500.org/stopdecrypter

The only requirement to run the decrypter is to have .NET Framework 4.5.2 or newer installed - this is a very old version that came out when Vista was still supported, so if you don't have it, then your system is likely severely outdated on security updates.

@Blue22 I already answered you in this topic: