.kroput new ransomware attack

[amgad asker 0]

i need help in recoviring my data as i got a new attack from ransomware using extension .kroput

[quietman7 1]

Files encrypted with the .kroput extensions is the newest variant of STOP (DJVU) Ransomware.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the malware developer to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. This is a service that helps identify what ransomware may have encrypted your files.

Please read here for a summary of this infection, it's variants and possible decryption solutions with instructions (including what to do if the decrypter does not work).

[amgad asker 0]

dear Quietma7 thank you for replying here is the text file comes with virus and a sample of my files

i wish we fing a tool soon

regards

_readme.txt mooyah presentation.docx.kroput

[ignacio 0]

I have the same problem... Could you please help me?

Best regards

_readme.txt 1710_Calendario Máster en Estudios Avanzados en Literatura Española e Hispanoamericana(2).pdf.kroput

[quietman7 1]

STOPDecrypter was updated to include support for the .kroput variant if you were hit by the OFFLINE KEY - "upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1" as explained in here.

Please read the instructions here (including what to do if the decrypter does not work).

Demonslay335 (Michael Gillespie) is the creator of STOPDecrypter. He is a trusted Security Colleague (Expert) here at Emsisoft, a ransomware researcher/analyst with the MalwareHunterTeam, the creator of ID Ransomware (IDR).

[Israel 0]

Pls..i have also been affected by the .kroput ransomeware and all efforts to decrypt the files i have  has been futile..but i have downloaded malwarebyte and used it to scan the system but i don't think the system is clean yet..but will be glad if i can get any suggestion from you...and yes please i will love it if you can you can assist me with the decrypting of this files... Please find attached the corrupt files sample

https://drive.google.com/open?id=1s66AJxBLGKbeli1cPdUrsHAnyFk3Qr4C

https://drive.google.com/open?id=1by8KgF-k5k_7dCJqa5Z9reKgk43XoER5

hen 3d.rar.kroput _readme.txt

[GT500 589]

6 hours ago, Israel said:

Pls..i have also been affected by the .kroput ransomeware and all efforts to decrypt the files i have  has been futile..

Did you run the STOPDecrypter as quietman7 recommended? If so, what did it tell you?

[Israel 0]

Gt500 thanks for your swift reply...i have tried it and it does work thanks...cheers...i really appreciate what you guys are doing...thanks a lot... You just saved my life...😊

[GT500 589]

You're welcome.

[Israel 0]

hi GT500.... thanks for the other time...but the STOPDecryptor cant decrypt some files... its giving me message like it could not generate the key for its ID which is (  ÍD:  upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1 )... any suggestion...can i brute force it or not...

[Israel 0]

Hi GT500....i think this is a new id..it keeps popping up amongst some of my skipped files..[*] ID: MMSFFsw52SZ3rPnHDpabInv00XrWHFVQyupJy9hC.... i'll upload the stopdecrypter log file soon

 

[GT500 589]

5 hours ago, Israel said:

upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1

This is a new offline ID that is in the latest version of STOPDecrypter (published today). Redownload it, and any files that use that ID should be decryptable.

 

3 hours ago, Israel said:

MMSFFsw52SZ3rPnHDpabInv00XrWHFVQyupJy9hC

This is almost certainly an online key, which means files that have this ID will more than likely not be decryptable.

Michael Gillespie (the guy who made STOPDecrypter) will need the MAC address of the effected computer in order to archive this in case he can figure out the private key later. It should be in STOPDecrypter's logs when you run it on the computer to decrypt the files.

 

5 hours ago, Israel said:

can i brute force it or not...

It's technically possible, if you don't mind waiting for a few thousand years for it to finish.

In general, if brute forcing a key for encrypted files is viable (as in it will finish in a reasonable amount of time), then we'll release a decryption tool that is capable of doing it.

[Israel 0]

 here...its a new ID...

ID inside ransome note-- ID: upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1

ID detected by decryptor--ID: MMSFFsw52SZ3rPnHDpabInv00XrWHFVQyupJy9hC

MAC: 74:DA:38:E3:83:16

[Amigo-A 40]

If the identifier of the encrypted files is still changing, then perhaps the malicious file is still in the system. Moreover it is necessary to check and reset the host-file. All known STOP-Djvu variants of the Promo subgroup modify it.

Most of the known STOP ransomware attacks occurred due to the use of broken or repackaged installers of well-known programs, ranging from MS Office to large application programs.

[Israel 0]

@Amigo-A....Ok...Please help me as regards how i can take it off my hosts file..Thanks

 

[Amigo-A 40]

It's simple, but I am not a support representative.
According to the rules of any forum, only support representatives should do this. 

How to check the PC for the presence of an active infection you will be advised by the forum support service representatives.

 

[Amigo-A 40]

The full list of addresses is in my article about STOP Ransomware under the spoiler - Update of March 1, 2019.
But the list may change.
You can check for a modified file by trying to open these sites.
www.emsisoft.com - this you have already opened, if still here.
www.windowsupdate.com
www.microsoft.com
www.ds.download.windowsupdate.com
www.update.microsoft.com
www.virustotal.com
www.drweb.com
www.eset.com
www.comodo.com
www.mcafee.com

If all these sites open in your browser, then the host-file has not been modified.

Download Image

This image is only part of an extensive list. At the beginning of March there were 502 addresses with repetitions with www and without www. I checked the file from yesterday's variants with the extension .proden. This host-file has not changed.
But there are already new variants. I have not received any samples yet. This infection is very active. Extortionists act brazenly and are not afraid of anything.

Perhaps now something else will add.

[Amigo-A 40]

This STOP Ransomware has a special file delself.bat for self-deletion after encryption, but there may be several active malware on the PC, including different versions and different types. We observed a case of how three different Crypto-Ransomware worked simultaneously. Just a victim without thinking about the situation launched various hacked programs and they at a real time encrypted the files each according to his plan. 

As a result, all files were encrypted several times and had different extensions with repetitions.

is it necessary to say that deciphering such a "crypto porridge" is unrealistic.

[GT500 589]

In regards to the possibility of the ransomware still being active on the system, please follow the instructions at this link for posting in our Help, my PC is infected! section, and one of our malware removal specialists will assist you with making sure that your computer is clean.

They will be able to help you with any bad HOSTS file entries as well.

[GT500 589]

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/