
Posts posted by cybermetric
-
-
12 hours ago, Si-Li Qin said:
I also have .bbbe, but seems like there's a difference, mine is an online variant:
File: D:\[BBBE]\01.Tranquility.mp3.bbbe
Error: No key for New Variant online ID: 0WzvMdKbnmGiMY3JFHfZyiA4g66KiCZIz8vh6GXO
Notice: this ID appears to be an online ID, decryption is impossible
The difference is that your files were encrypted by an online key, and are not decryptable by the Emsisoft decrypter or any other free decrypter now in existence.
-
An original file is the unencrypted file which matches the encrypted one. ie - silly.jpg and silly.jpg.omfl.
The original file might have a copy on a flash drive, camera, some other computer. It might be a file you sent to someone, or they sent to you and it could be resent. It might be a file you downloaded from the internet. etc, etc.
But it doesn't matter. You can't use the "matched file pairs" with a "new version" variant such as .omfl. It WON'T work.
The "error" just indicates that the Emsisoft decrypter cannot find a key to decrypt your files. It further indicates that they were encrypted by an online key and are thus not decryptable. There is no "error" by the decrypter. It is perhaps a poor choice of words.
-
First of all, version 1.0.0.5 is the latest version of the Emsisoft decrypter. It does not have to be "updated". It will decrypt your files if they were encrypted by an offline key, and that key has been donated to Emsisoft by a victim that has paid the ransom. The key was donated to Emsisoft some time ago. Thus, if your files were not decrypted by the Emsisoft decrypter, they were encrypted by an online key and CANNOT be decrypted. Not by the Emsisoft decrypter or any other free decrypter now in existence.
Secondly, the "Stop Djvu Decryption" page you refer to is only for "old version" STOP variants. The .omfl variant is a "new version" STOP variant, and the file pairs method will NOT work for it. (As the page tells you in the Notice)
-
-
1 hour ago, Lycan said:
Error: No key for New Variant offline ID: jYeuANkMCJOEtaXsN8JcBUuEjwSP20EGT4t2Nct1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future
Please suggest a fix to this asap.
There is no "fix".
Your files were encrypted by an offline key, so WHEN/IF Emsisoft is donated that key by a victim that has paid the ransom, the Emsisoft decrypter will be able to decrypt your files. There is no way to tell when the key will be donated to Emsisoft - it may be never.
For now, run the Emsisoft decrypter on some of your encrypted files each week or so to check. Emsisoft does not announce key donations.
-
3 hours ago, Fuchs2465 said:
File: C:\AMD\AMD_Radeon_Installer_20.12.1\Packages\Drivers\Display\WT6A_INF\B361909\dgtrayicon.exe.bbbe
Error: No key for New Variant offline ID: jYeuANkMCJOEtaXsN8JcBUuEjwSP20EGT4t2Nct1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future
The decrypter gave you your answer: "decryption may be possible in the future".
This means your files were encrypted by an offline key, and the Emsisoft decrypter will decrypt your files WHEN/IF Emsisoft is donated that key by a victim that paid the ransom. There is no way of knowing when that will happen - maybe never.
For now, run the Emsisoft decrypter on some of your encrypted files every week or so, to check. Emsisoft does not announce donated keys.
-
4 hours ago, jdsjuancho said:
Hi there! I've been hacked with this .zaqi variant. Is that variant decryptable? I don't know if my files were encrypted by an online or offline key.
Can you help me? thx
Run the Emsisoft decrypter on some of your encrypted files - Get it here: https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
The decrypter will tell you the status of your files:
If it indicates "decryption is impossible", your files were encrypted by an online key and cannot be decrypted by the Emsisoft decrypter or any other free decrypter currently in existence.
If it indicates "decryption may be possible in the future", your files were encrypted by an offline key, and will be decryptable with the Emsisoft decrypter WHEN/IF that key is donated to Emsisoft by a victim that has paid the ransom. There is no way of telling when that will happen - if ever. In this case, run the decrypter on some of your encrypted files every week or so to check. Emsisoft does not report key donations.
-
5 hours ago, Gamezad said:
All my files are encrypted .Zaki and encrypted online Help me
Are you sure of the extension? There is a .zaqi STOP variant which appeared a short time ago.
If your files were encrypted by an online key, they are not decryptable by the Emsisoft decrypter or any other free decrypter that exists today.
-
You have misspelled the extension. This is not a new variant, it is the pahd variant which appeared a while back. My comments still apply.
-
16 minutes ago, motilalsoni said:
Hello Sir
Can you please help me decrypt .phad file
Variant offline ID: dvQHMo0IXSevQni9AAQQ1xZ9UBSuYArpJOjiLLt1
Looks like a new STOP variant. You have an offline id. Thus your files were likely encrypted by an offline key. You will be able to get them decrypted WHEN/IF Emsisoft is donated the offline/private key by a victim that has paid the ransomers. There is no way of telling when that will happen - it may be never.
For now, you should run the Emsisoft decrypter on some of your encrypted files every week or so to check. Emsisoft does not announce STOP key donations.
-
Fabio:
This is NOT a newer version of STOP.
The OP should submit an encrypted file and a ransom note to the IDR site here: https://id-ransomware.malwarehunterteam.com/
The site will attempt to identify the ransomware his files are actually encrypted with.
-
3 hours ago, dj1 said:
How do I know if solution has been released by emsisoft?
Run the Emsisoft decrypter on some of your encrypted files every week or so to check. Emsisoft does not report key recoveries.
-
20 minutes ago, Prakashhsm said:
My files are encrypted by QLDA virus and all the files in all the drive are affected and got the extension .qlda.
Using quick heal removed the trojan but files are not able to be decrypted using stop djvu.
Please help.
Are you sure the extension is .qlda? There is a new STOP variant with the extension .qdla (V0347)
-
3 hours ago, Amigo-A said:
Good.
What are the first 4 digits in your personal ID inside the _readme.txt file?
It's 0338 from another post in the Bleeping Computer ransomware forum.
-
16 hours ago, D.Z said:
Unfortunately, I tried several times, but it all comes down to error
Error: No key for New Variant offline ID: PUYef3QgyNaY7l8zzvWo4yIuFfw9blf3NZjYd3t1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future
How can this be fixed?
This is the .npsk STOP variant. Unfortunately, the offline/private key has never been donated to Emsisoft by a victim that paid the ransom and got the key.
-
On 10/11/2021 at 9:41 AM, Npp said:
yess!
Are you sure it's 338? Another poster shows 337 for the version#. What is the complete ID shown in the ransom note?
-
File pairs can only be used with the "old variant" STOP ransomware. The .tisc variant @Cyberguy has is a "new variant" version and cannot be decrypted by this method.
-
-
25 minutes ago, Amigo-A said:
Yes. And that too.
It seems to me that it has a system freeze. I am confused by the screenshot of the screen with the number 7. Any other design?
Updating the system can be problematic or impossible.
Windows 7 operating system.
-
Also, from the Emsisoft decrypter FAQ:
Why won't the decrypter run? The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this), and then trying the decrypter again.
Make sure Windows has been completely updated.
-
-
1 hour ago, Jeevan Kaushal said:
File: G:\.mpg\DVD 3.mpg.piiq
Error: No key for New Variant online ID: 2700pHc4WDN1Hj1HsNnYFVZK7tL82jE39kEJNKRd
Notice: this ID appears to be an online ID, decryption is impossible
Did the law enforcement release private keys to public??
my ransomware virus was .piiq
That has not ever happened for the STOP ransomware. Law enforcement has not nabbed the criminals and/or their servers.
-
1 hour ago, Kokiem said:
I don't get it. You say right now we don't know if the same key can be used to decrypt both extension, even if they have the same ID?
Both the .gujd and the ufwj STOP variants have the same offline ID (ends in "t1"). The same offline/private key will decrypt both variants if encrypted by the offline key, WHEN/IF Emsisoft is donated the offline/private key by a victim that has paid the ransom. This may or may not ever happen.
-
46 minutes ago, Amigo-A said:
I see only .neer data here. Perhaps some images are not loading and I cannot see them. They overlap one another.
I don't know the .leek variant. You may have meant to say .leex from general list.
You're right - it's .leex.
This appears just above the decrypter log:
Error: No key for New Variant offline ID: LTYv5JAYPKU9SqYbMp9sbHbkMoA4JlKc46dTaLt1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future.
That is the offline ID for .leex.
-
Something is amiss with the post of @Dinesh Shrestha.
The first decrypter line indicates that he has an offline ID. Moreover, that is the offline ID for the .leek variant.
The log from the decrypter indicates his files are encrypted by an online key of the .neer variant.
2 different encryptions? Or is the offline ID for the .neer variant the same as that for the .leek variant? I have no idea.
Back to the experts!!
-
1 hour ago, fermasoli said:
How should I attach and where should I send these files? I appreciate your help
The "error" is simply the decrypter's way of telling you that your files were encrypted by an online key, and cannot be decrypted. Simple as that.
-
This is not an "error". This is the decrypter's way of telling you your files are encrypted by an online key and cannot be decrypted.
Check the C: directory for the SystemID/PersonaID.txt file. It contains all of the IDs relating to the encryption. If one of them ends in "t1", some of your files may be decrypted WHEN/IF Emsisoft is donated the offline/private key for this variant by a victim that has paid the ransom and obtained the key. This may not ever happen.
If there are no IDs listed that end in "t1", then all of your files were encrypted by an online key and cannot be decrypted.
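The triage these posts describe can be scripted over a saved decrypter log. The following is an added example, not part of the forum posts or Emsisoft's tooling: it assumes the "File:" / "Error: No key for New Variant ... ID:" line shapes quoted above, and the sample log, paths and IDs are constructed.

```python
import re
from collections import defaultdict

# Line shape taken from the decrypter output quoted in the posts above.
ERROR_RE = re.compile(r"No key for New Variant (online|offline) ID:\s*(\S+)")

# Constructed sample log; the paths and IDs are made up for this example.
SAMPLE_LOG = r"""
File: D:\music\track01.mp3.bbbe
Error: No key for New Variant online ID: CONSTRUCTEDonlineID00000000000000000000Zx
Notice: this ID appears to be an online ID, decryption is impossible
File: D:\docs\report.docx.bbbe
Error: No key for New Variant offline ID: CONSTRUCTEDofflineID0000000000000000000t1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future
"""

def key_type_from_suffix(personal_id):
    """Rule of thumb from the posts: offline IDs end in "t1"."""
    return "offline" if personal_id.endswith("t1") else "online"

def triage(log_text):
    """Group files by ID and record the key type the decrypter reported."""
    report = defaultdict(lambda: {"files": [], "key_type": None, "suffix_agrees": None})
    current_file = None
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith("File:"):
            current_file = line[len("File:"):].strip()
            continue
        match = ERROR_RE.search(line)
        if not match:
            continue
        reported, personal_id = match.groups()
        entry = report[personal_id]
        entry["key_type"] = reported
        # Cross-check the decrypter's verdict against the "t1" suffix rule.
        entry["suffix_agrees"] = key_type_from_suffix(personal_id) == reported
        if current_file:
            entry["files"].append(current_file)
            current_file = None
    return dict(report)

def is_mixed(report):
    """True when both online and offline IDs appear: at most some files may become decryptable."""
    return {e["key_type"] for e in report.values()} == {"online", "offline"}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for pid, entry in result.items():
        print(pid, entry["key_type"], len(entry["files"]), "file(s)")
    print("mixed online/offline:", is_mixed(result))
```

Files grouped under an offline ID are the ones worth re-testing with the decrypter every week or so; files under an online ID are not decryptable by any free decrypter currently in existence.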