cybermetric
Member
Posts: 77
Days Won: 5

Everything posted by cybermetric

  1. You have misspelled the extension. This is not a new variant, it is the pahd variant which appeared a while back. My comments still apply.
  2. Looks like a new STOP variant. You have an offline id. Thus your files were likely encrypted by an offline key. You will be able to get them decrypted WHEN/IF Emsisoft is donated the offline/private key by a victim that has paid the ransomers. There is no way of telling when that will happen - it may be never. For now, you should run the Emsisoft decrypter on some of your encrypted files every week or so to check. Emsisoft does not announce STOP key donations.
  3. Fabio: This is NOT a newer version of STOP. The OP should submit an encrypted file and a ransom note to the IDR site here: https://id-ransomware.malwarehunterteam.com/ The site will attempt to identify the ransomware his files are actually encrypted with.
  4. Run the Emsisoft decrypter on some of your encrypted files every week or so to check. Emsisoft does not report key recoveries.
  5. Are you sure the extension is .qlda? There is a new STOP variant with the extension .qdla (V0347).
  6. This is the .npsk STOP variant. Unfortunately, the offline/private key has never been donated to Emsisoft by a victim that paid the ransom and got the key.
  7. Are you sure it's 338? Another poster shows 337 for the version#. What is the complete ID shown in the ransom note?
  8. File pairs can only be used with the "old variant" STOP ransomware. The .tisc variant @Cyberguy has is a "new variant" version and cannot be decrypted by this method.
  9. Also, from the Emsisoft decrypter FAQ: Why won't the decrypter run? The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this), and then trying the decrypter again. Make sure Windows has been completely updated.
  10. That has not ever happened for the STOP ransomware. Law enforcement has not nabbed the criminals and/or their servers.
  11. Both the .gujd and the ufwj STOP variants have the same offline ID (ends in "t1"). The same offline/private key will decrypt both variants if encrypted by the offline key, WHEN/IF Emsisoft is donated the offline/private key by a victim that has paid the ransom. This may or may not ever happen.
  12. You're right - it's .leex. This appears just above the decrypter log: Error: No key for New Variant offline ID: LTYv5JAYPKU9SqYbMp9sbHbkMoA4JlKc46dTaLt1 Notice: this ID appears be an offline ID, decryption MAY be possible in the future. That is the offline ID for .leex.
  13. Something is amiss with the post of @Dinesh Shrestha. The first decrypter line indicates that he has an offline ID. Moreover, that is the offline ID for the .leek variant. The log from the decrypter indicates his files are encrypted by an online key of the .neer variant. 2 different encryptions? Or is the offline ID for the .neer variant the same as that for the .leek variant? I have no idea. Back to the experts!!
  14. The "error" is simply the decrypter's way of telling you that your files were encrypted by an online key, and cannot be decrypted. Simple as that.
  15. This is the type of response that the decrypter gives when it doesn't find any encrypted files. All I can suggest is to copy perhaps 5 of the files that were not decrypted into a test folder, and run the decrypter on just that folder (as you did on another folder above). If you still get the same result, one of the experts here will have to work on this. What happens if you remove the iqll extension from one of these files? Is it accessible? (Just a thought.) In some cases the ransomware burps and just adds the extension without encrypting the file.
  16. You have an offline ID. WHEN/IF Emsisoft is donated the offline/private key by a victim of this variant who has paid the ransom, you will be able to decrypt your files. In the meantime, secure the encrypted files on an external HD for safe-keeping. Run the Emsisoft decrypter on a testbed of encrypted files every week or so to check. Emsisoft doesn't announce donated keys.
  17. The decrypter would have given you a reason. What did it report on the files it wouldn't decrypt?
  18. Run the Emsisoft decrypter NOW. It appears that Emsisoft has received the offline/private key for the .igll STOP variant.
  19. The extension is .ogdo, not odgo. The offline key has never been received by Emsisoft. Your files remain undecryptable until that happens.
  20. There is no solution for files encrypted by an online key of any of the "New Version" STOP variants (which include the .sspg variant).
  21. It is not resolvable. An online ID indicates files were encrypted by an online key, and cannot be decrypted.
  22. One could manually remove the extension quite easily. Also, using some other decrypter may have removed the extensions. I don't know how the Emsisoft decrypter would respond if the extensions have been removed. I'm sure Amigo-A (one of the resident experts) will be along with additional help. The error you got is because you weren't online when you ran the decrypter. The decrypter needs to connect with the Emsisoft server.