Jump to content

.kroput new ransomware attack

amgad asker
 Share Followers 1

Recommended Posts

quietman7

quietman7 3

Posted
Posted

Files encrypted with the .kroput extensions is the newest variant of STOP (DJVU) Ransomware.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the malware developer to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. This is a service that helps identify what ransomware may have encrypted your files.

Please read here for a summary of this infection, it's variants and possible decryption solutions with instructions (including what to do if the decrypter does not work).

Link to post
Share on other sites
quietman7

quietman7 3

Posted
Posted

STOPDecrypter was updated to include support for the .kroput variant if you were hit by the OFFLINE KEY - "upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1" as explained in here.

Please read the instructions here (including what to do if the decrypter does not work).

Demonslay335 (Michael Gillespie) is the creator of STOPDecrypter. He is a trusted Security Colleague (Expert) here at Emsisoft, a ransomware researcher/analyst with the MalwareHunterTeam, the creator of ID Ransomware (IDR).

Link to post
Share on other sites
  • 2 weeks later...
Israel

Israel 0

Posted
Posted

Pls..i have also been affected by the .kroput ransomeware and all efforts to decrypt the files i have  has been futile..but i have downloaded malwarebyte and used it to scan the system but i don't think the system is clean yet..but will be glad if i can get any suggestion from you...and yes please i will love it if you can you can assist me with the decrypting of this files... Please find attached the corrupt files sample

https://drive.google.com/open?id=1s66AJxBLGKbeli1cPdUrsHAnyFk3Qr4C

https://drive.google.com/open?id=1by8KgF-k5k_7dCJqa5Z9reKgk43XoER5

hen 3d.rar.kroput _readme.txt

Link to post
Share on other sites
GT500

GT500 873

Posted
Posted
6 hours ago, Israel said:

Pls..i have also been affected by the .kroput ransomeware and all efforts to decrypt the files i have  has been futile..

Did you run the STOPDecrypter as quietman7 recommended? If so, what did it tell you?

Link to post
Share on other sites
Israel

Israel 0

Posted
Posted

hi GT500.... thanks for the other time...but the STOPDecryptor cant decrypt some files... its giving me message like it could not generate the key for its ID which is (  ÍD:  upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1 )... any suggestion...can i brute force it or not...

Link to post
Share on other sites
GT500

GT500 873

Posted
Posted
5 hours ago, Israel said:

upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1

This is a new offline ID that is in the latest version of STOPDecrypter (published today). Redownload it, and any files that use that ID should be decryptable.

 

3 hours ago, Israel said:

MMSFFsw52SZ3rPnHDpabInv00XrWHFVQyupJy9hC

This is almost certainly an online key, which means files that have this ID will more than likely not be decryptable.

Michael Gillespie (the guy who made STOPDecrypter) will need the MAC address of the effected computer in order to archive this in case he can figure out the private key later. It should be in STOPDecrypter's logs when you run it on the computer to decrypt the files.

 

5 hours ago, Israel said:

can i brute force it or not...

It's technically possible, if you don't mind waiting for a few thousand years for it to finish.

In general, if brute forcing a key for encrypted files is viable (as in it will finish in a reasonable amount of time), then we'll release a decryption tool that is capable of doing it.

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

If the identifier of the encrypted files is still changing, then perhaps the malicious file is still in the system. Moreover it is necessary to check and reset the host-file. All known STOP-Djvu variants of the Promo subgroup modify it.

Most of the known STOP ransomware attacks occurred due to the use of broken or repackaged installers of well-known programs, ranging from MS Office to large application programs.

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

It's simple, but I am not a support representative.
According to the rules of any forum, only support representatives should do this. 

How to check the PC for the presence of an active infection you will be advised by the forum support service representatives.

 

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

The full list of addresses is in my article about STOP Ransomware under the spoiler - Update of March 1, 2019.
But the list may change.
You can check for a modified file by trying to open these sites.
www.emsisoft.com - this you have already opened, if still here.
www.windowsupdate.com
www.microsoft.com
www.ds.download.windowsupdate.com
www.update.microsoft.com
www.virustotal.com
www.drweb.com
www.eset.com
www.comodo.com
www.mcafee.com

If all these sites open in your browser, then the host-file has not been modified.

Listhost.png

This image is only part of an extensive list. At the beginning of March there were 502 addresses with repetitions with www and without www. I checked the file from yesterday's variants with the extension .proden. This host-file has not changed.
But there are already new variants. I have not received any samples yet. This infection is very active. Extortionists act brazenly and are not afraid of anything.

Perhaps now something else will add.

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

This STOP Ransomware has a special file delself.bat for self-deletion after encryption, but there may be several active malware on the PC, including different versions and different types. We observed a case of how three different Crypto-Ransomware worked simultaneously. Just a victim without thinking about the situation launched various hacked programs and they at a real time encrypted the files each according to his plan. 

As a result, all files were encrypted several times and had different extensions with repetitions.

is it necessary to say that deciphering such a "crypto porridge" is unrealistic.

Link to post
Share on other sites
GT500

GT500 873

Posted
Posted

In regards to the possibility of the ransomware still being active on the system, please follow the instructions at this link for posting in our Help, my PC is infected! section, and one of our malware removal specialists will assist you with making sure that your computer is clean.

They will be able to help you with any bad HOSTS file entries as well.

Link to post
Share on other sites
  • 6 months later...
GT500

GT500 873

Posted
Posted

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Followers 1
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 03/05/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...