IVect

Someone has a decryptor for .chech


Today, 22.03.2019, I was infected by ransomware with the ending .chech. I had already hooked up my WD Passport to my computer via USB, and it infected all my movies, all my songs, all my photos from vacations. Oh my god, I literally cried. I even got a read.me file; I read it, and they want me to pay money to recover the files :(. I searched YouTube videos and websites for how to solve this problem, I gave up, so I'm writing about this accident here. Please help me, please... 😭

Here is the readme.txt:

_readme.txt


I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

59 minutes ago, GT500 said:

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

Thank you so much for the fast reply! I really appreciate it. It is saying that I have STOP (Djvu).

Here is the link that ID Ransomware showed for what it may be: https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/

Identified by

  • ransomnote_email: [email protected]
  • sample_extension: .chech
  • sample_bytes: [0x20434 - 0x2044E] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D


I'll ask and see if STOPDecrypter supports that variant yet.


I've been told that this is a brand new variant, and we'll need a copy of the ransomware itself before we can be certain about anything. That being said, our best guess at the moment is that your files were encrypted using an online key generated by the ransomware's command and control servers, and even if we were able to get the offline key for this variant of STOP it more than likely won't help you recover your files.

Keep in mind of course that this is merely an assumption, and we can't know for certain until we get a copy of this new variant of the ransomware for analysis.


Note that if you still have a copy of the malicious file that encrypted your files, then you can upload it to VirusTotal and then post a link to the analysis here for us to review:
https://www.virustotal.com/

Note that there are a lot of reports of this ransomware coming from pirated software.


Oh, and I also tried to decrypt it, but it says:

[!] No keys were found for the following IDs:
[*] ID: lMucPqka0s0hobOaIc5ioshulS7sdVSwA18UksnB
Please archive these IDs and the following MAC addresses in case of future decryption: [*] MAC: 
This info has also been logged to STOPDecrypter-log.txt

9 minutes ago, GT500 said:

Note that if you still have a copy of the malicious file that encrypted your files, then you can upload it to VirusTotal and then post a link to the analysis here for us to review:
https://www.virustotal.com/

Note that there are a lot of reports of this ransomware coming from pirated software.

Ah, sorry, a file that encrypted my files, my bad. I did not read it exactly; you know, I'm really worried. Sorry for that, I edited it because I made a mistake.

28 minutes ago, GT500 said:

Note that if you still have a copy of the malicious file that encrypted your files, then you can upload it to VirusTotal and then post a link to the analysis here for us to review:
https://www.virustotal.com/

Note that there are a lot of reports of this ransomware coming from pirated software.

And here is a sample of one of my files:

D3DX9_42.dll.chech


The list of supported extensions and OFFLINE keys is in the program window.
Do not try to decrypt files if the extension is not supported.
Michael attached a text file with links to the archive of STOPDecrypter. It is necessary to read it and do as written there.
He has 500-600 requests from victims and does not have time to explain to everyone personally.

links2.png

2-0-1-12.png


We all hope so. But our hopes and desires do not always find technical realization. 👋


If you get new information about the decryptor, please notify me, I need those files. Have a nice time, and again, thanks for trying to help me.


@IVect I assume the updated STOPDecrypter didn't work for you? Michael Gillespie was fairly certain that your ID wouldn't be one of the offline IDs, and it looks like he was correct.


Hey there, I just wanted to say that it skipped the files, and here is the info:

Skipped 2 files.

[!] No keys were found for the following IDs:
[*] ID: lMucPqka0s0hobOaIc5ioshulS7sdVSwA18UksnB (.chech )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MAC: 
This info has also been logged to STOPDecrypter-log.txt

Thank you for trying to help, I appreciate it. See you.

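As an added example (not code from this thread, from STOPDecrypter or from ID Ransomware), the following Python script ties together the identification data posted above: it decodes the sample_bytes that ID Ransomware reported into the family's file marker, checks a file for that marker at its end, recovers the original file name by stripping the appended .chech extension, and parses STOPDecrypter's "No keys were found" output into the ID/extension/MAC record that the victim is asked to archive for a possible future decryptor. The sample log and the encrypted-file bytes are constructed here (the MAC address is made up, not the one posted), and the end-of-file check assumes the family's documented behaviour of appending that GUID marker to every encrypted file.

```python
"""Triage helper for a STOP/Djvu (.chech) incident.

Added example; not code from the thread, STOPDecrypter or ID Ransomware.
Assumption: STOP/Djvu appends its GUID marker to the end of each encrypted file.
"""
import json
import re

# sample_bytes hex string exactly as ID Ransomware reported it in the thread.
SAMPLE_BYTES_HEX = (
    "7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D"
)


def decode_marker(hex_string: str) -> str:
    """Decode ID Ransomware's sample_bytes hex into the ASCII file marker."""
    return bytes.fromhex(hex_string).decode("ascii")


MARKER = decode_marker(SAMPLE_BYTES_HEX).encode("ascii")  # the "{36A698B9-...}" GUID


def has_stop_marker(data: bytes) -> bool:
    """True if the file carries the STOP/Djvu marker at its very end (assumed layout)."""
    return data.endswith(MARKER)


def original_name(encrypted_name: str, ext: str = ".chech") -> str:
    """D3DX9_42.dll.chech -> D3DX9_42.dll: only the appended extension is removed."""
    if encrypted_name.endswith(ext):
        return encrypted_name[: -len(ext)]
    return encrypted_name


# Shapes taken from the STOPDecrypter output quoted in the thread:
#   [*] ID: <personal id> (<extension> )
#   [*] MAC: xx:xx:xx:xx:xx:xx
ID_RE = re.compile(r"\[\*\] ID: (?P<id>\S+)(?: \((?P<ext>\.\w+) ?\))?")
MAC_RE = re.compile(r"\[\*\] MAC: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")


def parse_stopdecrypter_output(text: str) -> dict:
    """Extract personal IDs (with extension, if shown) and MACs to archive."""
    ids = [{"id": m.group("id"), "extension": m.group("ext")} for m in ID_RE.finditer(text)]
    macs = MAC_RE.findall(text)
    return {
        "ids": ids,
        "macs": macs,
        "keys_found": "No keys were found" not in text,
    }


def archive_record(log_text: str, encrypted_name: str, encrypted_data: bytes) -> dict:
    """Build the record the victim is asked to keep: IDs, extension, MAC, file check."""
    rec = parse_stopdecrypter_output(log_text)
    rec["file"] = {
        "name": encrypted_name,
        "original_name": original_name(encrypted_name),
        "has_stop_marker": has_stop_marker(encrypted_data),
    }
    return rec


# Constructed sample in the same shape as the quoted STOPDecrypter output;
# the MAC address below is made up, not the one posted in the thread.
SAMPLE_LOG = """Skipped 2 files.

[!] No keys were found for the following IDs:
[*] ID: lMucPqka0s0hobOaIc5ioshulS7sdVSwA18UksnB (.chech )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MAC: 00:11:22:33:44:55
This info has also been logged to STOPDecrypter-log.txt
"""

# Constructed stand-in for an encrypted file: filler bytes with the marker appended.
SAMPLE_ENCRYPTED = b"\x00" * 64 + MARKER


if __name__ == "__main__":
    print("marker:", decode_marker(SAMPLE_BYTES_HEX))
    print(json.dumps(archive_record(SAMPLE_LOG, "D3DX9_42.dll.chech", SAMPLE_ENCRYPTED), indent=2))
```

The record is what GT500 asks for in the thread (the ID and the MAC, with the extension alongside), kept in one place so it can be matched against a future key release; the marker check is only a quick sanity test that a file actually belongs to this family before any decryptor is run against it, which matters because an unsupported or mis-identified file should not be fed to STOPDecrypter at all.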

That doesn't look like an offline ID, so it's more than likely not decryptable. Could you let me know the MAC address that STOPDecrypter shows for the affected computer? I can forward it to Michael Gillespie, and he can make a note of it in case he's able to find the decryption key for your ID at some point in the future.

Note that you can send any information to me in a private message that you don't want to post publicly on the forums.

14 hours ago, GT500 said:

That doesn't look like an offline ID, so it's more than likely not decryptable. Could you let me know the MAC address that STOPDecrypter shows for the affected computer? I can forward it to Michael Gillespie, and he can make a note of it in case he's able to find the decryption key for your ID at some point in the future.

Note that you can send any information to me in a private message that you don't want to post publicly on the forums.

Yes, of course. Here it is: MAC: 90:48:9A:88:6C:B9


Thank you. I've let Michael know that he can find your MAC address and ID here.


You're welcome. ;)

If there are any future developments, then Michael will either contact you directly, or he will let me know and I'll pass on the information.


We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

