amgad asker, posted March 13, 2019:
I need help in recovering my data, as I got a new attack from ransomware using the extension .kroput.
quietman7, posted March 13, 2019:
Files encrypted with the .kroput extension are the newest variant of STOP (DJVU) Ransomware. You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the malware developer to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. This is a service that helps identify what ransomware may have encrypted your files. Please read here for a summary of this infection, its variants and possible decryption solutions with instructions (including what to do if the decrypter does not work).
amgad asker (author), posted March 13, 2019:
Dear quietman7, thank you for replying. Here is the text file that comes with the virus and a sample of my files. I wish we find a tool soon. Regards.
Attachments: _readme.txt, mooyah presentation.docx.kroput
ignacio, posted March 13, 2019:
I have the same problem... Could you please help me? Best regards.
Attachments: _readme.txt, 1710_Calendario Máster en Estudios Avanzados en Literatura Española e Hispanoamericana(2).pdf.kroput
quietman7, posted March 14, 2019:
STOPDecrypter was updated to include support for the .kroput variant if you were hit by the OFFLINE KEY - "upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1" as explained here. Please read the instructions here (including what to do if the decrypter does not work). Demonslay335 (Michael Gillespie) is the creator of STOPDecrypter. He is a trusted Security Colleague (Expert) here at Emsisoft, a ransomware researcher/analyst with the MalwareHunterTeam, and the creator of ID Ransomware (IDR).
Israel, posted March 22, 2019:
Pls.. I have also been affected by the .kroput ransomware and all efforts to decrypt the files I have have been futile.. but I have downloaded Malwarebytes and used it to scan the system, but I don't think the system is clean yet.. but I will be glad if I can get any suggestion from you... and yes, please, I will love it if you can assist me with the decrypting of these files... Please find attached the corrupt file samples:
https://drive.google.com/open?id=1s66AJxBLGKbeli1cPdUrsHAnyFk3Qr4C
https://drive.google.com/open?id=1by8KgF-k5k_7dCJqa5Z9reKgk43XoER5
Attachments: hen 3d.rar.kroput, _readme.txt
GT500, posted March 22, 2019:
6 hours ago, Israel said: "Pls.. I have also been affected by the .kroput ransomware and all efforts to decrypt the files I have have been futile.."
Did you run the STOPDecrypter as quietman7 recommended? If so, what did it tell you?
Israel, posted March 22, 2019:
GT500, thanks for your swift reply... I have tried it and it does work, thanks... cheers... I really appreciate what you guys are doing... thanks a lot... You just saved my life... 😊
GT500, posted March 22, 2019:
You're welcome.
Israel, posted March 25, 2019:
Hi GT500.... thanks for the other time... but the STOPDecrypter can't decrypt some files... it's giving me a message like it could not generate the key for its ID, which is (ID: upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1)... any suggestion... can I brute force it or not...
Israel, posted March 25, 2019:
Hi GT500.... I think this is a new ID.. it keeps popping up amongst some of my skipped files.. [*] ID: MMSFFsw52SZ3rPnHDpabInv00XrWHFVQyupJy9hC.... I'll upload the STOPDecrypter log file soon.
GT500, posted March 25, 2019:
5 hours ago, Israel said: "upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1"
This is a new offline ID that is in the latest version of STOPDecrypter (published today). Redownload it, and any files that use that ID should be decryptable.
3 hours ago, Israel said: "MMSFFsw52SZ3rPnHDpabInv00XrWHFVQyupJy9hC"
This is almost certainly an online key, which means files that have this ID will more than likely not be decryptable. Michael Gillespie (the guy who made STOPDecrypter) will need the MAC address of the affected computer in order to archive this in case he can figure out the private key later. It should be in STOPDecrypter's logs when you run it on the computer to decrypt the files.
5 hours ago, Israel said: "can I brute force it or not..."
It's technically possible, if you don't mind waiting for a few thousand years for it to finish. In general, if brute forcing a key for encrypted files is viable (as in it will finish in a reasonable amount of time), then we'll release a decryption tool that is capable of doing it.
Israel, posted March 26, 2019:
Here... it's a new ID...
ID inside ransom note: ID: upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1
ID detected by decryptor: ID: MMSFFsw52SZ3rPnHDpabInv00XrWHFVQyupJy9hC
MAC: 74:DA:38:E3:83:16
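The offline-versus-online distinction GT500 draws above is the first thing to settle in a STOP/Djvu case, and Israel's post shows the awkward situation where the ransom note and the encrypted files disagree. The following Python script is an added example, not code from this thread, from STOPDecrypter or from Emsisoft: it pulls 40-character victim IDs out of a ransom note, classifies each one, and reports whether the note's ID matches what a decryptor found in the files. The sample note text is constructed; only the two ID values come from this thread. The "t1" suffix rule is a heuristic taken from Emsisoft's decryptor guidance rather than from this page, and is labelled as such in the code.

```python
import re

# Constructed sample of a STOP/Djvu-style ransom note. Only the ID value is
# taken from this thread; the surrounding wording is made up for the example.
SAMPLE_NOTE = """ATTENTION!
Don't worry, you can return all your files!
To get this software you need write on our e-mail: ...
Your personal ID:
upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1
"""

# Offline IDs confirmed in this thread (STOPDecrypter gained support for this one).
KNOWN_OFFLINE_IDS = {"upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1"}

# STOP/Djvu victim IDs are 40 alphanumeric characters; require word-ish boundaries
# so a longer token is not mis-sliced.
ID_RE = re.compile(r"(?<![A-Za-z0-9])([A-Za-z0-9]{40})(?![A-Za-z0-9])")


def extract_ids(note_text):
    """Return the victim IDs found in a ransom note, in order, without duplicates."""
    return list(dict.fromkeys(ID_RE.findall(note_text)))


def classify_id(victim_id):
    """Rough decryptability assessment for one ID.

    'offline' means the key is shared by every victim of that variant, so a
    public decryptor can carry it. 'online' means a per-victim key held only by
    the attackers; no public tool can recover it and, as the thread notes,
    brute force would take thousands of years.
    """
    if victim_id in KNOWN_OFFLINE_IDS:
        return "offline"
    # Heuristic (assumption from Emsisoft's decryptor guidance, not from this
    # thread): offline IDs end in "t1".
    if victim_id.endswith("t1"):
        return "probably-offline"
    return "probably-online"


def triage(note_text, decryptor_ids):
    """Compare the ID(s) in the ransom note with the IDs a decryptor found in files.

    A mismatch is the situation described above: the note carried an offline ID
    while some files were encrypted under a second, online ID, so part of the
    data stays unrecoverable even after the decryptor is updated.
    """
    note_ids = extract_ids(note_text)
    classifications = {}
    for victim_id in note_ids + list(decryptor_ids):
        classifications[victim_id] = classify_id(victim_id)
    return {
        "classifications": classifications,
        "ids_match": set(note_ids) == set(decryptor_ids),
    }


if __name__ == "__main__":
    # The decryptor-reported ID below is the one from this thread.
    result = triage(SAMPLE_NOTE, ["MMSFFsw52SZ3rPnHDpabInv00XrWHFVQyupJy9hC"])
    for victim_id, verdict in result["classifications"].items():
        print(f"{victim_id}: {verdict}")
    print("note and files agree:", result["ids_match"])
```

When `ids_match` is false, keep both IDs and the MAC address of the affected machine with the case record, as GT500 asks for above, so files under the online ID can be revisited if that private key ever becomes available.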
Amigo-A, posted March 26, 2019:
If the identifier of the encrypted files is still changing, then perhaps the malicious file is still in the system. Moreover, it is necessary to check and reset the hosts file. All known STOP-Djvu variants of the Promo subgroup modify it. Most of the known STOP ransomware attacks occurred due to the use of broken or repackaged installers of well-known programs, ranging from MS Office to large application programs.
Israel, posted March 26, 2019:
@Amigo-A.... Ok... Please help me as regards how I can take it off my hosts file.. Thanks
Amigo-A, posted March 26, 2019:
It's simple, but I am not a support representative. According to the rules of any forum, only support representatives should do this. How to check the PC for the presence of an active infection you will be advised by the forum support service representatives.
Amigo-A, posted March 26, 2019:
The full list of addresses is in my article about STOP Ransomware under the spoiler - Update of March 1, 2019. But the list may change. You can check for a modified file by trying to open these sites.
www.emsisoft.com - this you have already opened, if still here.
www.windowsupdate.com
www.microsoft.com
www.ds.download.windowsupdate.com
www.update.microsoft.com
www.virustotal.com
www.drweb.com
www.eset.com
www.comodo.com
www.mcafee.com
If all these sites open in your browser, then the hosts file has not been modified. This image is only part of an extensive list. At the beginning of March there were 502 addresses, with repetitions with www and without www. I checked the file from yesterday's variants with the extension .proden. This hosts file has not changed. But there are already new variants. I have not received any samples yet. This infection is very active. Extortionists act brazenly and are not afraid of anything. Perhaps now something else will be added.
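Opening each site by hand, as suggested above, works but does not tell you which line to remove. The Python script below is an added example, not part of this thread or of any Emsisoft tool: it parses hosts-file text and flags any entry that pins one of the vendor domains quoted in the post to an address. The sample hosts content is constructed, the watch list is only the ten domains Amigo-A quoted (his full list runs to several hundred entries), and the Windows path is the standard location of the file rather than something stated in the thread.

```python
import os

# Domains quoted in the post above as a quick check for hosts-file tampering.
# This is a small subset; the post says the full list had 502 entries.
CHECK_DOMAINS = [
    "www.emsisoft.com", "www.windowsupdate.com", "www.microsoft.com",
    "www.ds.download.windowsupdate.com", "www.update.microsoft.com",
    "www.virustotal.com", "www.drweb.com", "www.eset.com",
    "www.comodo.com", "www.mcafee.com",
]

# Constructed sample hosts-file content (not a real infected file): the normal
# loopback lines plus two sinkholed vendor entries of the kind described above.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 www.emsisoft.com
0.0.0.0 www.virustotal.com    # added by malware
"""


def _bare(domain):
    """Normalise a hostname: lower-case, no trailing dot, no leading 'www.'."""
    d = domain.lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines.

    One hosts line may carry several hostnames after the address; each gets
    its own pair so later matching is per-name.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def blocked_domains(text, watch=CHECK_DOMAINS):
    """Hosts entries that map a watched domain (with or without www.) to any IP.

    A stock hosts file maps nothing but localhost, so any hit on a security
    vendor's domain is worth investigating regardless of the address used.
    """
    watch_bare = {_bare(d) for d in watch}
    return [(ip, name) for ip, name in parse_hosts(text) if _bare(name) in watch_bare]


def hosts_file_path():
    """Standard hosts-file location (assumed, not from the thread)."""
    if os.name == "nt":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


def check_live_hosts_file(path=None):
    """Read the real hosts file and return the flagged entries."""
    with open(path or hosts_file_path(), encoding="utf-8", errors="replace") as fh:
        return blocked_domains(fh.read())


if __name__ == "__main__":
    print("sample file:", blocked_domains(SAMPLE_HOSTS))
    try:
        print("this machine:", check_live_hosts_file())
    except OSError as exc:
        print("could not read hosts file:", exc)
```

Any line the script reports should be deleted from the hosts file, and if such entries are present the machine should still be checked for an active infection by the forum's malware removal staff, as GT500 advises later in the thread, since the file is only a symptom.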
Amigo-A, posted March 26, 2019:
This STOP Ransomware has a special file delself.bat for self-deletion after encryption, but there may be several active malware on the PC, including different versions and different types. We observed a case of how three different Crypto-Ransomware worked simultaneously. A victim, without thinking about the situation, launched various hacked programs and they in real time encrypted the files, each according to its plan. As a result, all files were encrypted several times and had different extensions with repetitions. Is it necessary to say that deciphering such a "crypto porridge" is unrealistic?
GT500, posted March 26, 2019:
In regards to the possibility of the ransomware still being active on the system, please follow the instructions at this link for posting in our Help, my PC is infected! section, and one of our malware removal specialists will assist you with making sure that your computer is clean. They will be able to help you with any bad HOSTS file entries as well.
GT500, posted October 19, 2019:
We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/