Kevin Zoll

Emsisoft Employee

Posts posted by Kevin Zoll


  1. Hello @R.Prince,

    Welcome to the Emsisoft Support Forums.

    General Notes With Regards to STOP/DJVU

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.
    2. If your file(s) have an Online ID, that means the file(s)' encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys.
    3. If your file(s) have an Offline ID and were not decrypted, it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way of generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key; we can't.

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  2. Hello @masanttos,

    Welcome to the Emsisoft Support Forums.

    General Notes With Regards to STOP/DJVU

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.
    2. If your file(s) have an Online ID, that means the file(s)' encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys.
    3. If your file(s) have an Offline ID and were not decrypted, it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way of generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key; we can't.

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  3. Hello @William Lee,

    Thank you for contacting Emsisoft Support.

    BBOO is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the BBOO variant of STOP/DJVU.

    General Notes With Regards to STOP/DJVU

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.
    2. If your file(s) have an Online ID, that means the file(s)' encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys.
    3. If your file(s) have an Offline ID and were not decrypted, it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way of generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key; we can't.

    To download the STOP/DJVU decryption tool, visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  4. @Marcos Antonio

    If our decryption tool states that the files cannot be decrypted, then they cannot be decrypted.

    General Notes With Regards to STOP/DJVU

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.
    2. If your file(s) have an Online ID, that means the file(s)' encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys.
    3. If your file(s) have an Offline ID and were not decrypted, it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way of generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key; we can't.

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  5. Hello @lucky2345,

    Thank you for contacting Emsisoft Support.

    TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.

    General Notes With Regards to STOP/DJVU

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.
    2. If your file(s) have an Online ID, that means the file(s)' encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys.
    3. If your file(s) have an Offline ID and were not decrypted, it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way of generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key; we can't.

    To download the STOP/DJVU decryption tool, visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  6. @Varun

    Quote:

    Old Variants. Old variants were those in distribution until near the end of August, 2019. Our decrypter supports offline IDs for almost all older variants, and can decrypt files for those with offline IDs without needing any help. For online IDs, it's necessary to supply file pairs to our online submission form so that the decrypter can be "trained" how to decrypt your files. A list of extensions from older variants can be found at the bottom of this post.

    What is a file pair? This refers to a pair of files that are identical (as in they are the exact same file), except one copy is encrypted and the other is not. Our decryption service can analyze the differences between an encrypted file and an original unencrypted copy of the same file, allowing it to determine how to decrypt that type of file. For most victims with an older variant of STOP/Djvu, submitting file pairs will be the only way they will get their files back.

    File pairs only work for one type of file. Due to the way encryption works in STOP/Djvu, file pairs can only help the decryption service figure out how to decrypt one type of file. For instance, if you submit a file pair for an MP3 file, then the decrypter will be able to decrypt all of your other MP3 files; however, it won't be able to decrypt any other type of file. There are some exceptions to this, such as certain newer Microsoft Office documents (such as DOCX and XLSX), since those files are technically ZIP archives.

    The decrypter can't decrypt all of my pictures even though I submitted file pairs for them? JPEG/JPG images have a format oddity that causes file pairs to be specific to each source of pictures, rather than the file format in general. As an example, if you have pictures from two different cameras, and submit a file pair from the group of pictures from one of the cameras, then the decrypter will only be able to decrypt files from the camera that the file pair came from. In order to decrypt all JPEG/JPG images, you will need to submit file pairs from every source you've obtained those pictures from.

    File pairs can be submitted to https://decrypter.emsisoft.com/submit/stopdjvu/


  7. If our decryption tool states that the files cannot be decrypted, then the files cannot be decrypted.

    General Notes With Regards to STOP/DJVU

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.
    2. If your file(s) have an Online ID, that means the file(s)' encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys.
    3. If your file(s) have an Offline ID and were not decrypted, it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way of generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key; we can't.

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  8. @Nauman

    If our decryption tool states that it cannot decrypt your files, then the files cannot be decrypted.

    General Notes With Regards to STOP/DJVU

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.
    2. If your file(s) have an Online ID, that means the file(s)' encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys.
    3. If your file(s) have an Offline ID and were not decrypted, it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way of generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key; we can't.

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  9. @kehinde @Jaykishan

    If our database has a decryption key matching the ID of the file, then that key can be used to decrypt your files. If the decryption tool states that the files cannot be decrypted, that is because we do not have the decryption key for those files.

    General Notes With Regards to STOP/DJVU

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.
    2. If your file(s) have an Online ID, that means the file(s)' encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys.
    3. If your file(s) have an Offline ID and were not decrypted, it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way of generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key; we can't.

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  10. Hello @Agha Ali,

    Welcome to the Emsisoft Support Forums.

    If our decryption tool states that the files cannot be decrypted, then they cannot be decrypted.

    General Notes With Regards to STOP/DJVU

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.
    2. If your file(s) have an Online ID, that means the file(s)' encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys.
    3. If your file(s) have an Offline ID and were not decrypted, it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way of generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
    5. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key; we can't.

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  11. Changing tools.

    Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

    • Double-click on setup.exe to install RogueKiller.

    Close all programs and disconnect any USB or external drives before running the tool.

    • Right-click RogueKiller.exe and select Run As Administrator to run the tool.
    • Once the Prescan has finished, click Scan.
    • Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.

  12. @Mike77

    Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
    HKU\S-1-5-21-2839862633-4155940622-1829493113-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
    Startup: C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rvfgrhjf.lnk [2020-01-25]
    ShortcutAndArgument: rvfgrhjf.lnk -> C:\Windows\System32\cmd.exe => /c start "" "C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf\svjticje.exe"
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
    S2 Main Service; C:\Program Files (x86)\MachinerData\DVD43.exe 1 [X]
    S2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [X]
    2020-01-26 16:02 - 2020-02-03 20:37 - 000000000 ____D C:\Program Files\KMSpico
    2020-01-25 18:19 - 2020-02-02 22:25 - 000000000 ____D C:\Users\M.HajAli\AppData\Roaming\Z66488341
    2020-01-25 18:19 - 2020-02-02 22:25 - 000000000 ____D C:\Users\M.HajAli\AppData\Roaming\Z44396531
    2020-01-25 18:19 - 2020-01-25 18:19 - 000000049 _____ C:\Users\M.HajAli\AppData\Local\script.ps1
    2020-01-25 18:18 - 2020-01-25 18:18 - 000000000 ____D C:\ProgramData\2KJS93X1EXOEGAUCUCLDZNV4A
    2020-01-25 18:19 - 2020-01-25 18:19 - 000000049 _____ () C:\Users\M.HajAli\AppData\Local\script.ps1
    C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf\svjticje.exe
    C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
    AlternateDataStreams: C:\Users\M.HajAli:.repos [6042680]
    AlternateDataStreams: C:\Users\M.HajAli\Desktop\Wish List.xlsx.topidentifier:$DATA [50]
    HKU\S-1-5-21-2839862633-4155940622-1829493113-1001\...\StartupApproved\StartupFolder: => "rvfgrhjf.lnk"
    FirewallRules: [{BDBB6A12-A269-46F5-837F-041BD20B88E8}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe No File
    FirewallRules: [{68AC56EE-B358-48E3-BBEB-B8017959552C}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe No File
    FirewallRules: [{B4745770-A60A-4A25-92E4-A5A7EC3F692D}] => (Allow) C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe No File
    FirewallRules: [{B264D7B5-45BC-4B4D-A76B-00700CA7028B}] => (Allow) C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe No File
    FirewallRules: [{820DCB93-3883-477F-854B-4837FD05FF5F}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe No File
    FirewallRules: [{C5B43993-5600-493C-BAFB-B3B7B15F6077}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe No File
    Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk -> C:\Program Files\KMSpico\AutoPico.exe (No File)
    Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk -> C:\Program Files\KMSpico\KMSELDI.exe (No File)
    Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\Log KMSpico.lnk -> C:\Program Files\KMSpico\scripts\Log.cmd ()

     

    Close Notepad.

    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    IMPORTANT: Save all of your work, as the next step may reboot your computer.

    Run FRST and press the Fix button just once and wait.

    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

    NOTE: If the tool warns you about an outdated version, please download and run the updated version.

    Also, let me know how the machine is running now, and what remaining issues you've noticed.
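As an added illustration (not part of the post, and not FRST's or Emsisoft's code), here is a small Python triage script that parses fixlist lines like the ones above and labels what each entry represents from a responder's point of view: the Startup-folder shortcut that chains through cmd.exe into a binary under AppData, services whose binaries are gone, files dropped at infection time, an alternate data stream, and stale firewall rules. The sample lines are a subset of the fixlist in the post; the line-shape regexes, the "user-writable" directory list and the reading of FRST's trailing [X] marker are assumptions.

```python
import re
from dataclasses import dataclass

# Sample input: a subset of the FRST fixlist lines from the post above (paths as posted there).
SAMPLE_FIXLIST = r'''
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
Startup: C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rvfgrhjf.lnk [2020-01-25]
ShortcutAndArgument: rvfgrhjf.lnk -> C:\Windows\System32\cmd.exe => /c start "" "C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf\svjticje.exe"
S2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [X]
2020-01-25 18:19 - 2020-01-25 18:19 - 000000049 _____ C:\Users\M.HajAli\AppData\Local\script.ps1
2020-01-25 18:19 - 2020-02-02 22:25 - 000000000 ____D C:\Users\M.HajAli\AppData\Roaming\Z66488341
AlternateDataStreams: C:\Users\M.HajAli:.repos [6042680]
FirewallRules: [{BDBB6A12-A269-46F5-837F-041BD20B88E8}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe No File
'''

@dataclass
class Finding:
    category: str   # what kind of persistence or tampering the line represents
    path: str       # the file, key or shortcut the line points at
    note: str       # why a responder should care

# Directories a standard user can write to (assumed list); the dropped payload in the post lives here.
USER_WRITABLE = re.compile(r'\\(AppData|ProgramData|Temp)\\', re.IGNORECASE)
# FRST line shapes, derived from the lines in the post rather than from FRST documentation.
DATED = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - '
                   r'(\d{9}) (_{4}[D_]) (?:\(\) )?(.+)$')
SHORTCUT = re.compile(r'^ShortcutAndArgument: (\S+) -> (.+?) => (.+)$')
SERVICE = re.compile(r'^[SR]\d (.+?); (.+?)(?: \d+)? \[X\]$')
ADS = re.compile(r'^AlternateDataStreams: (.+) \[(\d+)\]$')
FIREWALL = re.compile(r'^FirewallRules: \[\{[0-9A-Fa-f-]+\}\] => \((\w+)\) (.+) No File$')

def classify_line(line):
    """Map one fixlist line to a Finding, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    if line.endswith('<==== ATTENTION'):
        return Finding('policy-restriction', line.split(': ', 1)[0],
                       'policy key restricting a security product or browser')
    if line.startswith('Startup: '):
        lnk = line[len('Startup: '):].rsplit(' [', 1)[0]
        return Finding('startup-folder', lnk, 'shortcut in the user Startup folder runs at every logon')
    m = SHORTCUT.match(line)
    if m:
        target, args = m.group(2), m.group(3)
        launched = re.search(r'"([^"]+\.exe)"', args)  # the binary cmd.exe is told to start
        if target.lower().endswith('cmd.exe') and launched and USER_WRITABLE.search(launched.group(1)):
            return Finding('shortcut-launcher', launched.group(1),
                           'cmd.exe wrapper starting a binary from a user-writable directory')
        return Finding('shortcut', target, 'shortcut target')
    m = SERVICE.match(line)
    if m:
        # Assumption: the trailing [X] marks a service whose binary FRST could not find.
        return Finding('service-missing-binary', m.group(2), f'service "{m.group(1)}" points at a missing file')
    m = DATED.match(line)
    if m:
        kind = 'directory' if m.group(2).endswith('D') else 'file'
        where = 'user-writable' if USER_WRITABLE.search(m.group(3)) else 'system'
        return Finding('recent-' + kind, m.group(3), f'created in a {where} location around infection time')
    m = ADS.match(line)
    if m:
        return Finding('alternate-data-stream', m.group(1), f'{int(m.group(2))} bytes hidden in an NTFS stream')
    m = FIREWALL.match(line)
    if m:
        return Finding('stale-firewall-rule', m.group(2), f'{m.group(1)} rule for a binary that no longer exists')
    return Finding('other', line, 'not classified')

def parse_fixlist(text):
    return [f for f in (classify_line(l) for l in text.splitlines()) if f is not None]

def summarize(findings):
    """Count findings per category so a reviewer sees the shape of the cleanup at a glance."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

def logon_persistence(findings):
    """Binaries that will run at logon via the Startup shortcut chain."""
    return [f.path for f in findings if f.category == 'shortcut-launcher']

if __name__ == '__main__':
    found = parse_fixlist(SAMPLE_FIXLIST)
    for f in found:
        print(f'{f.category:24} {f.path}\n{"":24} {f.note}')
    print(summarize(found))
```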


  13. If the decryption tool is telling you that the files cannot be decrypted, then they cannot be decrypted.

    STOP/DJVU NOTES:

    1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.
    2. If your file(s) have an Online ID, that means the file(s)' encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys.
    3. If your file(s) have an Offline ID and were not decrypted, it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way of generating your decryption key.
    4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the keys in our database, then our decryption tool will be able to decrypt those files.

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.