
Kevin Zoll

Emsisoft Employee
Posts posted by Kevin Zoll

  1. @Ali Raza It is not possible to decrypt STOP/DJVU encrypted files that were encrypted with an Online ID using third-party decryption tools, unless the decryption service was able to obtain the decryption key. Anyone who claims to be able to decrypt files for which no one has publicly released a free decryption tool is either the criminals themselves or working with the criminals. Who did you send your files to?

  2. Hello,

     

    Welcome to the Emsisoft Support Forums.

     

    That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

     

    Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

     

    Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

    For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

    While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware.

    Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

    Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.

  3. Hello @Vicky,

     

    Welcome to the Emsisoft Support Forums.

     

    The system does not appear to have an active malware infection. There are a few things showing in the FRST scan reports that should be addressed before doing anything else.

     

     

    Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

     

    GroupPolicy\User: Restriction ? <==== ATTENTION
    FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
    2020-01-19 20:01 - 2020-01-19 20:02 - 000000000 ____D C:\ProgramData\I9KQPJQ1YQNPPALO2IE1IGEJ7
    2020-01-18 11:28 - 2020-01-18 11:29 - 000000000 ____D C:\ProgramData\4EBR3QTLGPPXA7O7UKM0WQPCX

     

    Close Notepad.

     

    NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

     

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

     

    IMPORTANT: Save all of your work, as the next step may reboot your computer.

     

    Run FRST and press the Fix button just once and wait.

     

    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

     

    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     

    NOTE: If the tool warns you about an outdated version please download and run the updated version.

     

    The KODC extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated last year, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

     

    Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

     

    Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

    For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

    While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware.

    Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

    Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.

  4. @elhakim I can see from the FRST reports that you tried to fix this yourself. Though a fairly typical and understandable reaction, it is the wrong thing to do. First, you run the very real chance of rendering your system inoperable, and second, there are ransomware variants that, if removed, will make it impossible to decrypt the files.

     

    Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

     

    Startup: C:\Users\muham\AppData\Roaming\Microsoft\Credentials\2428593\muham.lnk [2020-01-21]
    ShortcutTarget: muham.lnk -> C:\Program Files (x86)\Seed Trade\Seed\seed.exe (No File)
    S3 VSScanner; system32\DRIVERS\vsscanner.sys [X]

     

    Close Notepad.

     

    NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

     

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

     

    IMPORTANT: Save all of your work, as the next step may reboot your computer.

     

    Run FRST and press the Fix button just once and wait.

     

    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

     

    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     

    NOTE: If the tool warns you about an outdated version please download and run the updated version.

     

    Also, let me know how the machine is running now, and what remaining issues you've noticed.

  5. @Reggia99 This is what happens when you use software cracks and software that bypasses activation & licensing checks.

     

    Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

     

    () [File not signed] C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe
    (@ByELDI -> @ByELDI) [File not signed] C:\Program Files\KMSpico\Service_KMS.exe
    HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [IDMan] => C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMan.exe /onboot
    HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => C:\Users\ELITE\AppData\Local\Temp\systm.exe .. [143360 2020-01-22] () [File not signed] <==== ATTENTION
    HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [SysHelper] => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
    Startup: C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe [2020-01-22] () [File not signed]
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
    CHR HKU\S-1-5-21-2733843967-2851411726-668708617-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
    Task: {21E9A013-951F-4642-A689-7F41333D3333} - System32\Tasks\{EF8B4B0E-0DB2-43A6-9ADE-73E476E68F36} => C:\Windows\system32\pcalua.exe -a C:\Users\ELITE\Desktop\setup-antimalware-fix.exe -d C:\Users\ELITE\Desktop
    Task: {472C1014-5966-4056-A20F-4F7B661295D8} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [985792 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
    Task: {78B90FE6-5587-4ACB-ABFE-C1340D4F0660} - System32\Tasks\{F8B58B6D-37E2-43A1-BE2B-56E42B7BA52B} => C:\Windows\system32\pcalua.exe -a "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\idman519.exe" -d "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked"
    Task: {7F55E9F5-071D-4FAE-B034-FD43328A90A5} - System32\Tasks\vmdgiuqzkckchxb => msiexec.exe /quiet /i "C:\Users\ELITE\AppData\Roaming\porjbsuuomwf\mssypkgmnwzyolm.msi" WEBID=STAGE2_PM_P1 TKNME=vmdgiuqzkckchxb
    Task: {819F80EF-B423-4205-974E-6707E5F1783A} - System32\Tasks\gpjhsrnucvcet => msiexec.exe /quiet /i
    Task: {AD87446A-0A10-4CC5-AB4E-118C71A30045} - System32\Tasks\Time Trigger Task => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
    Task: {BD4595FB-CBE2-4833-9B45-886075F74421} - System32\Tasks\{1843AF6A-EE8C-4D5A-9FC9-B368A806F95B} => C:\Windows\system32\pcalua.exe -a "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\Uninstall.exe" -d C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE\testing_4 -c -instlsp1
    Task: {BDED1ECD-96F2-4850-8119-EE15B3E27E22} - System32\Tasks\DRPNPS => Command(1): mshta.exe -> "http://update.drp.su/nps/offline/bin/tools/run.hta" "17.7.33 Offline" "1563949582624" "686e31f9-d09f-4a82-bf23-f84c513d7537"
    Task: {BDED1ECD-96F2-4850-8119-EE15B3E27E22} - System32\Tasks\DRPNPS => Command(2): SCHTASKS -> /Delete /TN DRPNPS /F
    Task: {FE6C6162-D3EA-43C8-B305-5E20A7BD8258} - System32\Tasks\{46222C45-E984-4CB4-A9BC-C57521D11103} => C:\Windows\system32\pcalua.exe -a G:\Encarta\ADMSETUP.EXE -d G:\Encarta
    Winsock: Catalog9 01 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
    Winsock: Catalog9 02 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
    Winsock: Catalog9 03 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
    Winsock: Catalog9 04 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
    Winsock: Catalog9 05 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
    Winsock: Catalog9 06 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
    Winsock: Catalog9 07 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
    Winsock: Catalog9 08 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
    Winsock: Catalog9 09 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
    Winsock: Catalog9 10 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
    Winsock: Catalog9 22 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
    ManualProxies: 1http=127.0.0.1:61541;https=127.0.0.1:61541;socks=127.0.0.1:61540
    BHO-x32: IDMIEHlprObj Class -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMIECC.dll [2010-04-26] (Tonec Inc. -> Tonec Inc.)
    FF user.js: detected! => C:\Users\ELITE\AppData\Roaming\Mozilla\Firefox\Profiles\a7fes3m2.default-release\user.js [2019-09-17]
    FF Plugin-x32: @adobe.com/AuthorwarePlayer -> C:\Windows\system32\Macromed\AUTHORWA\np32asw.dll [No File]
    FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1218158.dll [No File]
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [No File]
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [No File]
    R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [985280 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
    ShellIconOverlayIdentifiers: [            IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => G:\Users\adewunmi\Desktop\IDM 5.19.2.0 Cracked\IDMShellExt64.dll -> No File
    FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
    FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
    FirewallRules: [TCP Query User{E666B5D1-4247-4B2A-8643-0390C147EBA8}C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe] => (Allow) C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe No File
    FirewallRules: [UDP Query User{EB63A870-A908-44A0-8A49-97E0DAA73F72}C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe] => (Allow) C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe No File
    FirewallRules: [{F97B1F60-6626-4333-951B-BD4BB4D1DAFD}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe (@ByELDI -> @ByELDI) [File not signed]
    FirewallRules: [{2C42D19B-1022-42F1-8EA8-A7722217EAF1}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe (@ByELDI -> @ByELDI) [File not signed]
    C:\Program Files\KMSpico\AutoPico.exe
    C:\Program Files\KMSpico\KMSELDI.exe
    C:\Program Files\KMSpico\Service_KMS.exe
    C:\Program Files\KMSpico
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico
    C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe
    C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17
    C:\Users\ELITE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M40N380Q\amix[1]
    C:\Users\ELITE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M40N380Q
    C:\Users\ELITE\AppData\Local\Temp\2M1tQuSfQBFRqG3M\2f8a0fe3ae4f1ea2dbe95cd0da034588.exe
    C:\Users\ELITE\AppData\Local\Temp\2M1tQuSfQBFRqG3M
    C:\Users\ELITE\AppData\Local\Temp\Framework_4_Setup\winnm\winnm32.dll
    C:\Users\ELITE\AppData\Local\Temp\Framework_4_Setup
    C:\Users\ELITE\AppData\Local\Temp\KMSpico_setup.exe
    C:\Users\ELITE\AppData\Local\Temp\V6D2jKN4QzeOrXp0\wyfdggb.exe
    C:\Users\ELITE\AppData\Local\Temp\V6D2jKN4QzeOrXp0
    C:\Users\ELITE\AppData\Local\Temp\WlT1v39p0CGVr3RV\3830a7e784f597db266e22ead81fb058.exe
    C:\Users\ELITE\AppData\Local\Temp\WlT1v39p0CGVr3RV
    C:\Users\ELITE\AppData\Local\Temp\net.exe
    C:\Users\ELITE\AppData\Local\Temp\systm.exe
    C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe
    C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\kms.exe
    C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)
    C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)
    C:\Windows\System32\Tasks\Time Trigger Task
    C:\Windows\System32\Tasks\gpjhsrnucvcet
    C:\Windows\System32\Tasks\vmdgiuqzkckchxb
    C:\Windows\SysWOW64\idmmbc.dll
    C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMan.exe
    C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK
    C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked
    C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE\testing_4
    C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE
    C:\Users\ELITE\AppData\Roaming\IDM\DwnlData
    C:\Users\ELITE\AppData\Roaming\IDM

     

    Close Notepad.

     

    NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

     

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

     

    IMPORTANT: Save all of your work, as the next step may reboot your computer.

     

    Run FRST and press the Fix button just once and wait.

     

    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

     

    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     

    NOTE: If the tool warns you about an outdated version please download and run the updated version.

     

    Also, let me know how the machine is running now, and what remaining issues you've noticed.

  6. Hello @elhakim,

     

    Welcome to the Emsisoft Support Forums.

     

    What is the Personal ID in the Readme ransom note?

     

    Some variants of STOP are known to install malware to ensure that newly added files are encrypted.

     

    Let's make sure that there is not an active malware infection present, and if there is we can remove it.

     

    Download to your Desktop:

     

    NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

     

    NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

     

    • Run Farbar Recovery Scan Tool (FRST):
      • Double-click to run it. When the tool opens click Yes to the disclaimer.

     

    NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings.

     

      • Press the Scan button.
      • Farbar Recovery Scan Tool will produce the following logs:
        • FRST.txt
        • Addition.txt
  7. @Anbu

    Some STOP variants are known to install malware in order to ensure that newly added files are encrypted.

    Let's make sure there is no active malware infection present, and if there is then we can remove it.

    Download to your Desktop:

     

    NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

     

    NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

     

    • Run Farbar Recovery Scan Tool (FRST):
      • Double-click to run it. When the tool opens click Yes to the disclaimer.

     

    NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings.

     

      • Press the Scan button.
      • Farbar Recovery Scan Tool will produce the following logs:
        • FRST.txt
        • Addition.txt
  8. @ferko85

    Let’s deal with the active malware infection before attempting to recover your files.

    Download to your Desktop:

     

    NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

     

    NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

     

    • Run Farbar Recovery Scan Tool (FRST):
      • Double-click to run it. When the tool opens click Yes to the disclaimer.

     

    NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings.

     

      • Press the Scan button.
      • Farbar Recovery Scan Tool will produce the following logs:
        • FRST.txt
        • Addition.txt
  9. Hello @Reggia99,

     

    Welcome to the Emsisoft Support Forums.

     

    Let's deal with the active malware infection before attempting to recover your files.

     

    Download to your Desktop:

     

    NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

     

    NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

     

    • Run Farbar Recovery Scan Tool (FRST):
      • Double-click to run it. When the tool opens click Yes to the disclaimer.

     

    NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings.

     

      • Press the Scan button.
      • Farbar Recovery Scan Tool will produce the following logs:
        • FRST.txt
        • Addition.txt
  10. @NKK

    Quote

     

    Thanks !!

    Would I be able to recover my files by any chance ?

    I just want to let you know that this malware had created a text message in all folders of my system. Will it indicate that the ID is offline? I have read it somewhere, but I am not sure !!

     

    The report system is not for making replies. Further abuse of the report system will result in a formal warning.

    Regardless of what you may or may not have read somewhere online, the presence of ransom notes all over the file system is not an indicator of the ID being an Offline ID. It is just what ransomware does.

    Your Personal ID of 0197nTsddDIwEtpIK6kgFIcX2WF5PL9Sluk6KBxQRzL7PUDOm is an Online ID, and as such our tool is incapable of decrypting your files.

  11. Hello @E.H,

     

    Welcome to the Emsisoft Support Forums.

    The ID you supplied is an online ID, meaning that the files cannot be decrypted. An online ID means that your encryption key was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.

    There is more information available at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

  12. @Hankash

    You can try using file recovery software, but expect it not to work. Depending on how much free space you have on your hard drive and the number of files that were encrypted, it is entirely possible that any information referencing the original files in the file table has been overwritten and is not recoverable.

    Google search for file recovery software: https://www.google.com/search?client=firefox-b-1-d&q=file+recovery+software

    Google search for file recovery services: https://www.google.com/search?client=firefox-b-1-d&sxsrf=ACYBGNSlNFFV6G2BIbARhVNhb18Tter8UA%3A1579285173036&ei=tfohXpnrAcvbtAbfvbLQBA&q=file+recovery+services&oq=file+recovery+services&gs_l=psy-ab.3..0j0i22i30l7.76551.78286..79147...0.6..0.220.1201.0j7j1......0....1..gws-wiz.......0i71j0i67.9gMOHjKNupk&ved=0ahUKEwjZmfPdn4vnAhXLLc0KHd-eDEoQ4dUDCAo&uact=5

    A word of caution: file/data recovery services can be quite expensive.

    Another option is using a service like Coveware to negotiate a lower ransom on your behalf. https://www.coveware.com/

  13. Hello @GIAN,

     

    Welcome to the Emsisoft Support Forums.

     

    That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

     

    Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

     

    Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

    For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

    While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware.

    Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

    Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.

  14. Hello @Hankash,

     

    Welcome to the Emsisoft Support Forums.

     

    That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

     

    Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

     

    Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

    For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

    While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware.

    Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

    Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
