Kevin Zoll

Emsisoft Employee

Everything posted by Kevin Zoll

  1. Changing tools. Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop. Double-click on setup.exe to install RogueKiller. Close all programs and disconnect any USB or external drives before running the tool. Right-click RogueKiller.exe and select Run As Administrator to run the tool. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.
  2. @Mike77 Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

     HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
     HKU\S-1-5-21-2839862633-4155940622-1829493113-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
     Startup: C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rvfgrhjf.lnk [2020-01-25]
     ShortcutAndArgument: rvfgrhjf.lnk -> C:\Windows\System32\cmd.exe => /c start "" "C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf\svjticje.exe"
     CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
     S2 Main Service; C:\Program Files (x86)\MachinerData\DVD43.exe 1 [X]
     S2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [X]
     2020-01-26 16:02 - 2020-02-03 20:37 - 000000000 ____D C:\Program Files\KMSpico
     2020-01-25 18:19 - 2020-02-02 22:25 - 000000000 ____D C:\Users\M.HajAli\AppData\Roaming\Z66488341
     2020-01-25 18:19 - 2020-02-02 22:25 - 000000000 ____D C:\Users\M.HajAli\AppData\Roaming\Z44396531
     2020-01-25 18:19 - 2020-01-25 18:19 - 000000049 _____ C:\Users\M.HajAli\AppData\Local\script.ps1
     2020-01-25 18:18 - 2020-01-25 18:18 - 000000000 ____D C:\ProgramData\2KJS93X1EXOEGAUCUCLDZNV4A
     2020-01-25 18:19 - 2020-01-25 18:19 - 000000049 _____ () C:\Users\M.HajAli\AppData\Local\script.ps1
     C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf\svjticje.exe
     C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf
     ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
     AlternateDataStreams: C:\Users\M.HajAli:.repos [6042680]
     AlternateDataStreams: C:\Users\M.HajAli\Desktop\Wish List.xlsx.topidentifier:$DATA [50]
     HKU\S-1-5-21-2839862633-4155940622-1829493113-1001\...\StartupApproved\StartupFolder: => "rvfgrhjf.lnk"
     FirewallRules: [{BDBB6A12-A269-46F5-837F-041BD20B88E8}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe No File
     FirewallRules: [{68AC56EE-B358-48E3-BBEB-B8017959552C}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe No File
     FirewallRules: [{B4745770-A60A-4A25-92E4-A5A7EC3F692D}] => (Allow) C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe No File
     FirewallRules: [{B264D7B5-45BC-4B4D-A76B-00700CA7028B}] => (Allow) C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe No File
     FirewallRules: [{820DCB93-3883-477F-854B-4837FD05FF5F}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe No File
     FirewallRules: [{C5B43993-5600-493C-BAFB-B3B7B15F6077}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe No File
     Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk -> C:\Program Files\KMSpico\AutoPico.exe (No File)
     Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk -> C:\Program Files\KMSpico\KMSELDI.exe (No File)
     Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\Log KMSpico.lnk -> C:\Program Files\KMSpico\scripts\Log.cmd ()

     Close Notepad.
     NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
     NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
     IMPORTANT: Save all of your work, as the next step may reboot your computer.
     Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
     NOTE: If the tool warns you about an outdated version please download and run the updated version.
     Also, let me know how the machine is running now, and what remaining issues you've noticed.
  3. If the decryption tool is telling you that the files cannot be decrypted, then they cannot be decrypted. STOP/DJVU NOTES: If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your file(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the keys in our database, then our decryption tool will be able to decrypt those files. Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  4. Hello @Muhammadmeer, Welcome to the Emsisoft Support Forums. That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019. Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/ Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation. While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation. Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  5. Hello @JuniorXcoder, Thank you for contacting Emsisoft Support. BBOO is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the BBOO variant of STOP/DJVU. NOTES: If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.
If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your file(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the file(s) were encrypted with an Offline ID that matches one of the keys in our database, then our decryption tool will be able to decrypt those files encrypted using that encryption key. To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  6. @Mike77 Formatting the PC is a last resort thing. If that is something you think you need to do, then that is up to you. There is always a chance, however slim, that we will get our hands on private encryption keys. If the PC is messed up then formatting may be needed. However, I would like to get a couple of reports before you decide to do that. Please gather two logs using a program called FRST, and attach them to a reply to this email. Instructions can be found here: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  7. Hello @Sana Rana, Thank you for contacting Emsisoft Support. KODG is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the KODG variant of STOP/DJVU. NOTES: If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.
If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your file(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the keys in our database, then our decryption tool will be able to decrypt those files encrypted with that encryption key. To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  8. If FRST is not running then something is preventing it from running. Let's try a different tool. Download AdwCleaner and save it on your Desktop. Close all open programs and Internet browsers (you may want to print out or write down these instructions first). Double click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop. Attach that log file to your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.
  9. Hello @Mike77, Thank you for contacting Emsisoft Support. TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU. NOTES: If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.
We do not have access to those keys. If your file(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files. To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  10. @JejomarCevi2 The answer to both of those questions is no. Any file with an online ID had its encryption keys generated and stored on a command & control server under the control of the ransomware gang that is responsible for encrypting your files. Only the criminals have those keys.
  11. Hello @UMESH VASHISTHA, Thank you for contacting Emsisoft Support. BBOO is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the BBOO variant of STOP/DJVU. NOTE: We have added Offline IDs for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files.
To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  12. Hello @adnan, Thank you for contacting Emsisoft Support. TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU. NOTE: We have added Offline IDs for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files.
To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  13. Hello @Gustavo Guerrero, Welcome to the Emsisoft Support Forums. Upload file pairs to https://decrypter.emsisoft.com/submit/stopdjvu/
  14. Hello @ahsan, Welcome to the Emsisoft Support Forums. Upload file pairs to: https://decrypter.emsisoft.com/submit/stopdjvu/
  15. Hello @Veer, Thank you for contacting Emsisoft Support. TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU. NOTE: We have added Offline IDs for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files.
To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  16. If you are getting a message that states the files cannot be decrypted, then they cannot be decrypted. Any file encrypted with an Online ID means that the encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. Only the criminals have access to those keys. @Mr.Mad95154 I don't believe we have a decryption key matching that Offline ID. I suggest running the tool once a week on the chance that we have added the key for that ID.
  17. Hello @Rajitha, Welcome to the Emsisoft Support Forums. We currently are not in possession of a decryption key for that Offline ID. Therefore our decryption tool is incapable of decrypting files matching that ID.
  18. @minhas The decrypter is a standalone .NET executable file; it is not installed. If the tool will not run, make sure that the latest .NET Framework is installed for your version of Windows. All our decryption tools require that .NET Framework version 4.5.2 be installed at a minimum.
  19. If you mean Windows Smart Screen then you must tell it that FRST is not malicious. You click on more info and then allow it. If you mean your browser is blocking it then tell the browser to allow it. If you are referring to EEK detecting it, that is a false positive. I need the reports from FRST as EEK shows nothing other than FRST.
  20. Hello @Sammar Abbass, Thank you for contacting Emsisoft Support. REPP is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the REPP variant of STOP/DJVU. NOTE: We have added Offline IDs for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files.
To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  21. The scan came back clean. Everything should be fine.
  22. That key is only for a specific ID. Until he runs the decrypter we have no idea if the files are decryptable or not. My reply also says that we have added offline keys over the past few days.
  23. @MIULER MOSK is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the MOSK variant of STOP/DJVU. NOTE: We have added Offline IDs for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files.
To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  24. Hello @AllMyPhoto, Welcome to the Emsisoft Support Forums. Your Personal ID is an Online ID. Our tool cannot decrypt the files because it cannot find a private key that matches the file ID for your files. Encryption keys for Online ID are generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys, only the criminals do.
  25. Can you send me the log report from the decrypter? I will get the developer to take a look.