Someone has a decryptor for .chech

[IVect 0]

 Today 22.03.2019, I have been infected by ransomware with ending .chech   I had already hooked up WD's passport to my computer via USB and it happened it infected all my movies all my songs all photos from vacations, oh my god I literally cried even I got a read.me file, I read it and they want I need to pay money to recover the files :(  , I searched by youtube videos and website how to solve this problem, I give up, so I'm writing this accident here, please help me please... 😭 

here is the readme.txt

_readme.txt

[GT500 559]

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

[IVect 0]

59 minutes ago, GT500 said:

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

Thank you so much for the fast reply! I really appreciate it, it is saying that I have a STOP (Djvu)

Here is the link where ID showed which may be ransomware  https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/ 

Identified by

• ransomnote_email: [email protected]
• sample_extension: .chech
• sample_bytes: [0x20434 - 0x2044E] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D

[GT500 559]

I'll ask and see if STOPDecrypter supports that variant yet.

[IVect 0]

Oh ok thank you so much for helping me and fast responding, I really appreciate it

[GT500 559]

I've been told that this is a brand new variant, and we'll need a copy of the ransomware itself before we can be certain about anything. That being said, our best guess at the moment is that your files were encrypted using an online key generated by the ransomware's command and control servers, and even if we were able to get the offline key for this variant of STOP it more than likely won't help you recover your files.

Keep in mind of course that this is merely an assumption, and we can't know for certain until we get a copy of this new variant of the ransomware for analysis.

[IVect 0]

Oh ok I hope it will really work, I have it on my mind,  thank you in advance. Have a good time

 

[GT500 559]

Note that if you still have a copy of the malicious file that encrypted your files, then you can upload it to VirusTotal and then post a link to the analysis here for us to review:
https://www.virustotal.com/

Note that there are a lot of reports of this ransomware coming from pirated software.

[IVect 0]

Oh and also I tried to decrypt it but it saying:  [!] No keys were found for the following IDs:
[*] ID: lMucPqka0s0hobOaIc5ioshulS7sdVSwA18UksnB
Please archive these IDs and the following MAC addresses in case of future decryption: [*] MAC: 
This info has also been logged to STOPDecrypter-log.txt

[IVect 0]

9 minutes ago, GT500 said:

Note that if you still have a copy of the malicious file that encrypted your files, then you can upload it to VirusTotal and then post a link to the analysis here for us to review:
https://www.virustotal.com/

Note that there are a lot of reports of this ransomware coming from pirated software.

 

Ah sorry a file that encrypted my files, my bad  I did not read it exactly, you know im really worried, sorry for that, I edited it because I made a mistake

[IVect 0]

28 minutes ago, GT500 said:

Note that if you still have a copy of the malicious file that encrypted your files, then you can upload it to VirusTotal and then post a link to the analysis here for us to review:
https://www.virustotal.com/

Note that there are a lot of reports of this ransomware coming from pirated software.

And there is a sample of my file 

 

D3DX9_42.dll.chech

[Amigo-A 11]

The list of supported extensions ans OFFLINE-keys is in the program window.
Do not try to decrypt files if the extension is not supported.
Michael attached a text file with links to archive of STOPDecrypter. It is necessary to read and do as written there.
He has 500-600 requests from the victims and does not have time to explain to everyone personally.

Download Image

Download Image

[IVect 0]

Oh, ok thanks, I hope the offline key will be soon available for .chech

[Amigo-A 11]

We all hope so. But our hopes and desires do not always find technical realization. 👋

[IVect 0]

I understand, ok have a nice day and thank you for helping

[IVect 0]

If you gonna get new information about decryptor, very please notify me, I need those files. Have a nice time and again thanks for trying to help me 

 

[Amigo-A 11]

IVect

A new version of STOPDecrypter has been released for your variant extension today.
It is possible that this will help you decrypt the files or big part of them.
LInk to decrypter >>

For all the nuances please contact the developer - Demonslay335

Download Image

Download Image

[GT500 559]

@IVect I assume the updated STOPDecrypter didn't work for you? Michael Gillespie was fairly certain that your ID wouldn't be one of the offline ID's, and it looks like he was correct.

[IVect 0]

Hey there I just wanted to say that it skipped the files, and there is an info:

Skipped 2 files.

[!] No keys were found for the following IDs:
[*] ID: lMucPqka0s0hobOaIc5ioshulS7sdVSwA18UksnB (.chech )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MAC: 
This info has also been logged to STOPDecrypter-log.txt

 

Thank you for trying to help I appreciate it, see you
 

 

 

[GT500 559]

That doesn't look like an offline ID, so it's more than likely not decryptable. Could you let me know the MAC address that STOPDecrypter shows for the effected computer? I can forward it to Michael Gillespie, and he can make a note of it in case he's able to find the decryption key for your ID at some point in the future.

Note that you can send any information to me in a private message that you don't want to post publicly on the forums.

[IVect 0]

14 hours ago, GT500 said:

That doesn't look like an offline ID, so it's more than likely not decryptable. Could you let me know the MAC address that STOPDecrypter shows for the effected computer? I can forward it to Michael Gillespie, and he can make a note of it in case he's able to find the decryption key for your ID at some point in the future.

Note that you can send any information to me in a private message that you don't want to post publicly on the forums.

Yes of course here it is MAC: 90:48:9A:88:6C:B9 

[GT500 559]

Thank you. I've let Michael know that he can find your MAC address and ID here.

[IVect 0]

Ok, thank you

[GT500 559]

You're welcome.

If there are any future developments, then Michael with either contact you directly, or he will let me know and I'll pass on the information.