External Hard Drives Are Infected By Ransomware!

[bryanclemente 0]

Hi!

I was infected by Ransomware last month. And I thought my local hard drive is the only one infected. But unfortunately, my external hard drives that are connected are also infected.

Please help... I'm willing to spend time and follow instructions this time. The name of the ransomware is .promoz.

Thank you for the big help!

FRST.txt Addition.txt FRAME 2.jpg.promoz _readme.txt

[stapp 124]

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like one of our experts to review them.

[GT500 559]

That's a variant of the STOP ransomware:
https://id-ransomware.malwarehunterteam.com/identify.php?case=1f114e09723aff0219904a02fac3b34e2fd10da6

Your ID doesn't appear to be an offline ID, so the chances of being able to decrypt your files is slim. That being said, if you download STOPDecrypter from the following link, run it, and copy and paste the ID and MAC it gives you into a reply then I can forward them to the create of STOPDecrypter in case he is able to figure out your decryption key at some point in the future:
https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip

[bryanclemente 0]

I'll check on it tomorrow, once I'm in the office. Will get back as soon as possible. Thank you so much! 

[bryanclemente 0]

Hi @stapp, here's the result. 

1 Result

STOP (Djvu)

 This ransomware may be decryptable under certain circumstances.

Please refer to the appropriate guide for more information.

Identified by

• ransomnote_email: [email protected]
• sample_extension: .promoz
• sample_bytes: [0x35061 - 0x3507B] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D

 

Click here for more information about STOP (Djvu)

[bryanclemente 0]

Hi @GT500,

I want to try this but is it safe to do it on my working pc? Cause, I read that it's pretty dangerous to try this as if it fails it might damage my files.

Should I do it on a usb and a different pc that won't affect any files? I want to try doing this on my Mac since I just reformatted it but I don't think there's a Mac version for this. Right?

I just want to know the safety measures in trying this. Thank you @GT500!

[GT500 559]

9 hours ago, bryanclemente said:

I want to try this but is it safe to do it on my working pc? Cause, I read that it's pretty dangerous to try this as if it fails it might damage my files.

It won't try to decrypt your files if it can't find a key for your ID, and I'm about 90% certain it won't have a key for your ID, so as long as you don't try to manually enter a key then your files shouldn't remain unaffected.

 

9 hours ago, bryanclemente said:

Should I do it on a usb and a different pc that won't affect any files?

You should be able to do that if you want to. I think all you need is a copy of an encrypted file and the ransom note for the decrypter to get the ID from.

 

9 hours ago, bryanclemente said:

I want to try doing this on my Mac since I just reformatted it but I don't think there's a Mac version for this. Right?

You are correct that there is no Mac version. If you want to do it on your Mac, then you'd have to use a Virtual Machine to run Windows on the Mac.

[bryanclemente 0]

@GT500

Okay, I'll try do this. Hopefully, it'll work.

So my best chances of decrypting this is by trying this and waiting for the future decrypting tool.

If ever where can I follow up the future decrypting tool?

[GT500 559]

12 hours ago, bryanclemente said:

So my best chances of decrypting this is by trying this and waiting for the future decrypting tool.

You won't need a new decryption tool, you'll just need a decryption key to enter into STOPDecrypter so that it can decrypt your files.

 

12 hours ago, bryanclemente said:

If ever where can I follow up the future decrypting tool?

If the creator of STOPDecrypter is ever able to figure out your decryption key, then either he will contact you directly, or he'll let me know and I'll contact you.

[bryanclemente 0]

On 4/11/2019 at 1:39 AM, GT500 said:

If the creator of STOPDecrypter is ever able to figure out your decryption key, then either he will contact you directly, or he'll let me know and I'll contact you.

Does he knows about our conversation? or can I contact him?

[GT500 559]

On 4/13/2019 at 1:28 PM, bryanclemente said:

Does he knows about our conversation? or can I contact him?

He'll know about our conversation when I send him your ID and MAC. Once he has that information, he'll be able to contact you if he figures out your decryption key.

[GT500 559]

If you want more detailed instructions on using STOPDecrypter to get your ID and MAC address, then you can find them at the following link:
https://kb.gt500.org/stopdecrypter

[bryanclemente 0]

On 4/16/2019 at 2:06 AM, GT500 said:

He'll know about our conversation when I send him your ID and MAC. Once he has that information, he'll be able to contact you if he figures out your decryption key.

Alright!! Thank you so much Sir!

[bryanclemente 0]

On 4/16/2019 at 3:22 AM, GT500 said:

If you want more detailed instructions on using STOPDecrypter to get your ID and MAC address, then you can find them at the following link:
https://kb.gt500.org/stopdecrypter

Will try this! Thank you!

[GT500 559]

You're welcome.

If you need any help with the instructions, then let me know. If you'd prefer to post your ID and MAC address on BleepingComputer as mentioned in the instructions, then feel free to do so.