cybermetric

If the only ID in your SystemID/PersonaIID.txt file ends in 't1', your files were encrypted by the offline key, and will be recoverable WHEN/IF Emsisoft recovers that key. Suggest you run the Emsisoft decrypter on a test bed of encrypted files every week or so to check. Emsisoft does not announce key recoveries.

The _readme.txt file isn't hidden. The ransomware drops it all over the place. The file to look for is the SystemID/PersonalID.txt file usually located on the C:drive It contains all of the ID's involved in the encryption. If one of the ID's listed therein ends in 't1', you should be able to recover SOME files WHEN/IF the offline/private key is recovered by Emsisoft. IF none do, ALL of your files were encrypted by an online key and cannot be recovered.

@ruptapash biswas: This is an offline ID, but it is not related to the .mado variant. What is the complete extension of the file involved?

Actually, Amigo-A, the ID is the offline ID for .mado.

.foop (V0213) is the latest STOP variant, currently undecryptable. Wannacry is a totally different ransomware - so which do you have? both? What is the complete extension added to your encrypted files?

Your PersonalID.txt file indicates that your files were all encrypted by an online key. Files encrypted by one of the 'new djvu' STOP variants (of which .nppp is one) using an online key cannot be decrypted.

This makes no sense - the ID listed is not the offline ID for this variant.

Kevin: The .mosk offline/private key was added to the Emsisoft server sometime ago, according to Demonslay.

File pairs will not work with any 'new djvu' variant (of which .topi is one). The key received with the decrypter will only benefit you and the few others who have files encrypted with the offline key. Those whose files are encrypted by an online key are out of luck (and money). It will decypt all of the encrypted files of the person whose ransom note and ID were used to get the decrypter and key.

We had a similar report in the BleepingComputer ransomware forum by one @wpuerta. Demonslay though it was because he wasn't connected to the internet while running the decrypter. I tried running the decrypter on some files with internet disconnected and got this error for each file: File: C:\Users\LDH\Pictures\Test\.MKOS with Offline Keys\NOTULEN RAPAT 26 Agustus 2019.pdf.mkos Error: The remote name could not be resolved: 'decrypter.emsisoft.com' This is what I would have expected in such a case.

@Amigo-A: The .hets variant is one of the 'new djvu' STOP variants. The offline/private key was recovered sometime ago. File pairs will not help in this case.

Kevin: .djvut is an "old djvu" variant. The poster should be able to recover some files by uploading matched original/encrypted file pairs to the Emsisoft submission portal, and then using the Emsisoft decrpter.

Heroset is an 'old djvu' variant. He should be able to decrypt files by uploading a matched original /encrypted file pair to the Emsisoft portal. Not only do the files need to be >150 KB, the encrypted file must be exactly 78 bytes larger than the original. If it is not, the original was changed at some point, and for the purposes of decryption is a different file. Also, with jpg's, several matched file pairs may be needed to get all of the files decrypted. The file pairs must be from the same source, i.e - if the encrypted jpg's were taken with a Konica camera, the file pairs must be from that same source.