IVect 0 Report post Posted March 22, 2019 Today 22.03.2019, I have been infected by ransomware with ending .chech I had already hooked up WD's passport to my computer via USB and it happened it infected all my movies all my songs all photos from vacations, oh my god I literally cried even I got a read.me file, I read it and they want I need to pay money to recover the files :( , I searched by youtube videos and website how to solve this problem, I give up, so I'm writing this accident here, please help me please... 😭 here is the readme.txt _readme.txt Quote Share this post Link to post Share on other sites
GT500 645 Report post Posted March 22, 2019 I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them. Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted March 22, 2019 59 minutes ago, GT500 said: I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them. Thank you so much for the fast reply! I really appreciate it, it is saying that I have a STOP (Djvu) Here is the link where ID showed which may be ransomware https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/ Identified by ransomnote_email: [email protected] sample_extension: .chech sample_bytes: [0x20434 - 0x2044E] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D Quote Share this post Link to post Share on other sites
GT500 645 Report post Posted March 22, 2019 I'll ask and see if STOPDecrypter supports that variant yet. Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted March 22, 2019 Oh ok thank you so much for helping me and fast responding, I really appreciate it Quote Share this post Link to post Share on other sites
GT500 645 Report post Posted March 22, 2019 I've been told that this is a brand new variant, and we'll need a copy of the ransomware itself before we can be certain about anything. That being said, our best guess at the moment is that your files were encrypted using an online key generated by the ransomware's command and control servers, and even if we were able to get the offline key for this variant of STOP it more than likely won't help you recover your files. Keep in mind of course that this is merely an assumption, and we can't know for certain until we get a copy of this new variant of the ransomware for analysis. Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted March 22, 2019 Oh ok I hope it will really work, I have it on my mind, thank you in advance. Have a good time Quote Share this post Link to post Share on other sites
GT500 645 Report post Posted March 22, 2019 Note that if you still have a copy of the malicious file that encrypted your files, then you can upload it to VirusTotal and then post a link to the analysis here for us to review:https://www.virustotal.com/ Note that there are a lot of reports of this ransomware coming from pirated software. Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted March 22, 2019 Oh and also I tried to decrypt it but it saying: [!] No keys were found for the following IDs: [*] ID: lMucPqka0s0hobOaIc5ioshulS7sdVSwA18UksnB Please archive these IDs and the following MAC addresses in case of future decryption: [*] MAC: This info has also been logged to STOPDecrypter-log.txt Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted March 22, 2019 9 minutes ago, GT500 said: Note that if you still have a copy of the malicious file that encrypted your files, then you can upload it to VirusTotal and then post a link to the analysis here for us to review:https://www.virustotal.com/ Note that there are a lot of reports of this ransomware coming from pirated software. Ah sorry a file that encrypted my files, my bad I did not read it exactly, you know im really worried, sorry for that, I edited it because I made a mistake Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted March 22, 2019 28 minutes ago, GT500 said: Note that if you still have a copy of the malicious file that encrypted your files, then you can upload it to VirusTotal and then post a link to the analysis here for us to review:https://www.virustotal.com/ Note that there are a lot of reports of this ransomware coming from pirated software. And there is a sample of my file D3DX9_42.dll.chech Quote Share this post Link to post Share on other sites
Amigo-A 61 Report post Posted March 23, 2019 The list of supported extensions ans OFFLINE-keys is in the program window. Do not try to decrypt files if the extension is not supported. Michael attached a text file with links to archive of STOPDecrypter. It is necessary to read and do as written there. He has 500-600 requests from the victims and does not have time to explain to everyone personally. Download Image Download Image Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted March 23, 2019 Oh, ok thanks, I hope the offline key will be soon available for .chech Quote Share this post Link to post Share on other sites
Amigo-A 61 Report post Posted March 23, 2019 We all hope so. But our hopes and desires do not always find technical realization. 👋 Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted March 23, 2019 I understand, ok have a nice day and thank you for helping Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted March 23, 2019 If you gonna get new information about decryptor, very please notify me, I need those files. Have a nice time and again thanks for trying to help me Quote Share this post Link to post Share on other sites
Amigo-A 61 Report post Posted March 25, 2019 IVect A new version of STOPDecrypter has been released for your variant extension today. It is possible that this will help you decrypt the files or big part of them.LInk to decrypter >> For all the nuances please contact the developer - Demonslay335 Download Image Download Image Quote Share this post Link to post Share on other sites
GT500 645 Report post Posted March 25, 2019 @IVect I assume the updated STOPDecrypter didn't work for you? Michael Gillespie was fairly certain that your ID wouldn't be one of the offline ID's, and it looks like he was correct. Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted March 26, 2019 Hey there I just wanted to say that it skipped the files, and there is an info: Skipped 2 files. [!] No keys were found for the following IDs: [*] ID: lMucPqka0s0hobOaIc5ioshulS7sdVSwA18UksnB (.chech ) Please archive these IDs and the following MAC addresses in case of future decryption: [*] MAC: This info has also been logged to STOPDecrypter-log.txt Thank you for trying to help I appreciate it, see you Quote Share this post Link to post Share on other sites
GT500 645 Report post Posted March 26, 2019 That doesn't look like an offline ID, so it's more than likely not decryptable. Could you let me know the MAC address that STOPDecrypter shows for the effected computer? I can forward it to Michael Gillespie, and he can make a note of it in case he's able to find the decryption key for your ID at some point in the future. Note that you can send any information to me in a private message that you don't want to post publicly on the forums. Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted March 27, 2019 14 hours ago, GT500 said: That doesn't look like an offline ID, so it's more than likely not decryptable. Could you let me know the MAC address that STOPDecrypter shows for the effected computer? I can forward it to Michael Gillespie, and he can make a note of it in case he's able to find the decryption key for your ID at some point in the future. Note that you can send any information to me in a private message that you don't want to post publicly on the forums. Yes of course here it is MAC: 90:48:9A:88:6C:B9 Quote Share this post Link to post Share on other sites
GT500 645 Report post Posted March 27, 2019 Thank you. I've let Michael know that he can find your MAC address and ID here. Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted March 28, 2019 Ok, thank you Quote Share this post Link to post Share on other sites
GT500 645 Report post Posted March 28, 2019 You're welcome. If there are any future developments, then Michael with either contact you directly, or he will let me know and I'll pass on the information. Quote Share this post Link to post Share on other sites
GT500 645 Report post Posted October 19, 2019 We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/ Quote Share this post Link to post Share on other sites
IVect 0 Report post Posted December 29, 2019 I will try that. Thank you Quote Share this post Link to post Share on other sites
