
Someone has a decryptor for .chech



Today, 22.03.2019, I was infected by ransomware with the ending .chech. I had already hooked up WD's Passport to my computer via USB, and it happened that it infected all my movies, all my songs, and all my photos from vacations. Oh my god, I literally cried. I even got a read.me file; I read it, and they want me to pay money to recover the files :( . I searched YouTube videos and websites for how to solve this problem. I give up, so I'm writing about this accident here. Please help me, please... 😭

Here is the readme.txt:

_readme.txt

59 minutes ago, GT500 said:

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

Thank you so much for the fast reply! I really appreciate it. It is saying that I have STOP (Djvu).

Here is the link that ID showed for which ransomware this may be: https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/

Identified by

  • ransomnote_email: [email protected]
  • sample_extension: .chech
  • sample_bytes: [0x20434 - 0x2044E] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D

I've been told that this is a brand new variant, and we'll need a copy of the ransomware itself before we can be certain about anything. That being said, our best guess at the moment is that your files were encrypted using an online key generated by the ransomware's command and control servers, and even if we were able to get the offline key for this variant of STOP it more than likely won't help you recover your files.

Keep in mind of course that this is merely an assumption, and we can't know for certain until we get a copy of this new variant of the ransomware for analysis.


Oh, and also I tried to decrypt it, but it is saying:

[!] No keys were found for the following IDs:
[*] ID: lMucPqka0s0hobOaIc5ioshulS7sdVSwA18UksnB
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MAC: 
This info has also been logged to STOPDecrypter-log.txt

9 minutes ago, GT500 said:

Note that if you still have a copy of the malicious file that encrypted your files, then you can upload it to VirusTotal and then post a link to the analysis here for us to review:
https://www.virustotal.com/

Note that there are a lot of reports of this ransomware coming from pirated software.

Ah, sorry, a file that encrypted my files, my bad. I did not read it exactly. You know I'm really worried, sorry for that. I edited it because I made a mistake.

28 minutes ago, GT500 said:

Note that if you still have a copy of the malicious file that encrypted your files, then you can upload it to VirusTotal and then post a link to the analysis here for us to review:
https://www.virustotal.com/

Note that there are a lot of reports of this ransomware coming from pirated software.

And there is a sample of my file:

D3DX9_42.dll.chech


The list of supported extensions and OFFLINE keys is in the program window.
Do not try to decrypt files if the extension is not supported.
Michael attached a text file with links to the archive of STOPDecrypter. It is necessary to read it and do as written there.
He has 500-600 requests from the victims and does not have time to explain to everyone personally.

links2.png

2-0-1-12.png


Hey there, I just wanted to say that it skipped the files, and there is this info:

Skipped 2 files.

[!] No keys were found for the following IDs:
[*] ID: lMucPqka0s0hobOaIc5ioshulS7sdVSwA18UksnB (.chech )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MAC: 
This info has also been logged to STOPDecrypter-log.txt

Thank you for trying to help, I appreciate it. See you.


That doesn't look like an offline ID, so it's more than likely not decryptable. Could you let me know the MAC address that STOPDecrypter shows for the affected computer? I can forward it to Michael Gillespie, and he can make a note of it in case he's able to find the decryption key for your ID at some point in the future.

Note that you can send any information to me in a private message that you don't want to post publicly on the forums.

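The triage step discussed above (recording the ID and MAC address that STOPDecrypter reports), as an added example that is not part of the original thread or of STOPDecrypter itself: a small Python parser for the decrypter's output. The sample log, its second ID and its second MAC are constructed, and the rule that offline IDs end in `t1` comes from public STOP/Djvu decryptor guidance, not from this thread.

```python
import re

# Constructed sample modelled on the STOPDecrypter output quoted in this thread.
# The second ID and the second MAC are made-up placeholders, not real values.
SAMPLE_LOG = """\
Skipped 2 files.

[!] No keys were found for the following IDs:
[*] ID: lMucPqka0s0hobOaIc5ioshulS7sdVSwA18UksnB (.chech )
[*] ID: AAAAbbbbCCCCddddEEEEffffGGGGhhhhIIIIjjt1 (.example )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MAC: 
[*] MAC: 02:00:00:AA:BB:CC
This info has also been logged to STOPDecrypter-log.txt
"""

ID_RE = re.compile(r"^\[\*\] ID: (\S+)(?:\s+\((\.[^\s)]+)\s*\))?\s*$")
MAC_RE = re.compile(r"^\[\*\] MAC:\s*(.*?)\s*$")
MAC_OK = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")

def parse_log(text):
    """Collect the IDs and MAC addresses the decrypter asks the victim to archive."""
    ids, macs, mac_missing = [], [], False
    for line in text.splitlines():
        m = ID_RE.match(line)
        if m:
            victim_id, ext = m.group(1), m.group(2)
            # Assumption (public STOP/Djvu guidance, not this thread):
            # offline IDs end in "t1"; anything else was issued online.
            ids.append({"id": victim_id, "extension": ext,
                        "offline": victim_id.endswith("t1")})
            continue
        m = MAC_RE.match(line)
        if m:
            if MAC_OK.match(m.group(1)):
                macs.append(m.group(1).upper())
            else:
                # Blank or malformed MAC line, as in the thread's output.
                mac_missing = True
    return {"ids": ids, "macs": macs, "mac_missing": mac_missing}

if __name__ == "__main__":
    report = parse_log(SAMPLE_LOG)
    for entry in report["ids"]:
        kind = "offline" if entry["offline"] else "online"
        print(f'{entry["id"]} {entry["extension"]} -> {kind} ID')
    print("MACs to archive:", report["macs"])
    if report["mac_missing"]:
        print("At least one MAC line was empty; record the adapter MAC manually.")
```
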
14 hours ago, GT500 said:

That doesn't look like an offline ID, so it's more than likely not decryptable. Could you let me know the MAC address that STOPDecrypter shows for the affected computer? I can forward it to Michael Gillespie, and he can make a note of it in case he's able to find the decryption key for your ID at some point in the future.

Note that you can send any information to me in a private message that you don't want to post publicly on the forums.

Yes, of course, here it is: MAC: 90:48:9A:88:6C:B9

  • 6 months later...

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/
