bryanclemente (Posted April 8, 2019)

Hi! I was infected by Ransomware last month. And I thought my local hard drive is the only one infected. But unfortunately, my external hard drives that are connected are also infected. Please help... I'm willing to spend time and follow instructions this time. The name of the ransomware is .promoz. Thank you for the big help!

Attachments: FRST.txt, Addition.txt, FRAME 2.jpg.promoz, _readme.txt

stapp (Posted April 8, 2019)

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like one of our experts to review them.

GT500 (Posted April 8, 2019)

That's a variant of the STOP ransomware: https://id-ransomware.malwarehunterteam.com/identify.php?case=1f114e09723aff0219904a02fac3b34e2fd10da6

Your ID doesn't appear to be an offline ID, so the chances of being able to decrypt your files are slim. That being said, if you download STOPDecrypter from the following link, run it, and copy and paste the ID and MAC it gives you into a reply then I can forward them to the creator of STOPDecrypter in case he is able to figure out your decryption key at some point in the future: https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip

bryanclemente (Posted April 8, 2019)

I'll check on it tomorrow, once I'm in the office. Will get back as soon as possible. Thank you so much!

bryanclemente (Posted April 9, 2019)

Hi @stapp, here's the result.

1 Result
STOP (Djvu)
This ransomware may be decryptable under certain circumstances. Please refer to the appropriate guide for more information.
Identified by
ransomnote_email: [email protected]
sample_extension: .promoz
sample_bytes: [0x35061 - 0x3507B] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D
Click here for more information about STOP (Djvu)

bryanclemente (Posted April 9, 2019)

Hi @GT500, I want to try this but is it safe to do it on my working pc? Cause, I read that it's pretty dangerous to try this as if it fails it might damage my files. Should I do it on a usb and a different pc that won't affect any files? I want to try doing this on my Mac since I just reformatted it but I don't think there's a Mac version for this. Right? I just want to know the safety measures in trying this. Thank you @GT500!

GT500 (Posted April 9, 2019)

> 9 hours ago, bryanclemente said: I want to try this but is it safe to do it on my working pc? Cause, I read that it's pretty dangerous to try this as if it fails it might damage my files.

It won't try to decrypt your files if it can't find a key for your ID, and I'm about 90% certain it won't have a key for your ID, so as long as you don't try to manually enter a key then your files shouldn't remain unaffected.

> 9 hours ago, bryanclemente said: Should I do it on a usb and a different pc that won't affect any files?

You should be able to do that if you want to. I think all you need is a copy of an encrypted file and the ransom note for the decrypter to get the ID from.

> 9 hours ago, bryanclemente said: I want to try doing this on my Mac since I just reformatted it but I don't think there's a Mac version for this. Right?

You are correct that there is no Mac version. If you want to do it on your Mac, then you'd have to use a Virtual Machine to run Windows on the Mac.

bryanclemente (Posted April 10, 2019)

@GT500 Okay, I'll try do this. Hopefully, it'll work. So my best chances of decrypting this is by trying this and waiting for the future decrypting tool. If ever where can I follow up the future decrypting tool?

GT500 (Posted April 10, 2019)

> 12 hours ago, bryanclemente said: So my best chances of decrypting this is by trying this and waiting for the future decrypting tool.

You won't need a new decryption tool, you'll just need a decryption key to enter into STOPDecrypter so that it can decrypt your files.

> 12 hours ago, bryanclemente said: If ever where can I follow up the future decrypting tool?

If the creator of STOPDecrypter is ever able to figure out your decryption key, then either he will contact you directly, or he'll let me know and I'll contact you.

bryanclemente (Posted April 13, 2019)

> On 4/11/2019 at 1:39 AM, GT500 said: If the creator of STOPDecrypter is ever able to figure out your decryption key, then either he will contact you directly, or he'll let me know and I'll contact you.

Does he know about our conversation? Or can I contact him?

GT500 (Posted April 15, 2019)

> On 4/13/2019 at 1:28 PM, bryanclemente said: Does he know about our conversation? Or can I contact him?

He'll know about our conversation when I send him your ID and MAC. Once he has that information, he'll be able to contact you if he figures out your decryption key.

GT500 (Posted April 15, 2019)

If you want more detailed instructions on using STOPDecrypter to get your ID and MAC address, then you can find them at the following link: https://kb.gt500.org/stopdecrypter

bryanclemente (Posted April 20, 2019)

> On 4/16/2019 at 2:06 AM, GT500 said: He'll know about our conversation when I send him your ID and MAC. Once he has that information, he'll be able to contact you if he figures out your decryption key.

Alright!! Thank you so much Sir!

bryanclemente (Posted April 20, 2019)

> On 4/16/2019 at 3:22 AM, GT500 said: If you want more detailed instructions on using STOPDecrypter to get your ID and MAC address, then you can find them at the following link: https://kb.gt500.org/stopdecrypter

Will try this! Thank you!

GT500 (Posted April 23, 2019)

You're welcome. If you need any help with the instructions, then let me know. If you'd prefer to post your ID and MAC address on BleepingComputer as mentioned in the instructions, then feel free to do so.

GT500 (Posted October 19, 2019)

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:

https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

bryanclemente (Posted October 20, 2019)

> On 10/19/2019 at 9:06 AM, GT500 said: We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
> https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
> https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Thank you so much! I just checked it. But unfortunately I was not able to automatically decrypt my files. I have to pair first. I tried on some pdf files and gladly it works!! But my problem right now is that I have to make all my files be processed. And some of my files are really big. So I will have a hard time uploading it. My question will does all of my files needs to be learnt? And what if I have bigger files? I've read that you guys can help if the files are so big. Thank you for the big help!

Amigo-A (Posted October 20, 2019)

You need to upload files of different formats to the new decryption service, but you need to do this separately for each file type (PNG, JPG, DOC, PDF, RTF, TXT... )

If you found the largest original PDF, then need find its encrypted version. This must be uploaded to the service so that the decryptor finds a way to decrypt this file. After that, you should try to decrypt all other PDF files. Similarly, you need to do with other types of files.

This way you can decrypt almost all files, but it will take a lot of time for all operations.

bryanclemente (Posted October 20, 2019)

> 1 hour ago, Amigo-A said: You need to upload files of different formats to the new decryption service, but you need to do this separately for each file type (PNG, JPG, DOC, PDF, RTF, TXT... ) If you found the largest original PDF, then need find its encrypted version. This must be uploaded to the service so that the decryptor finds a way to decrypt this file. After that, you should try to decrypt all other PDF files. Similarly, you need to do with other types of files. This way you can decrypt almost all files, but it will take a lot of time for all operations.

I did try it! And it is working! Thank you very for that. However, I tried putting an MP4 file which is just 85mb and it is not giving me a result. And I thought that maybe because it is a big file. And I read that for bigger files I should ask for support. Is this something that you can work on?

Amigo-A (Posted October 20, 2019)

> 5 hours ago, bryanclemente said: Is this something that you can work on?

Perhaps tomorrow you will be answered by the employees of Emsisoft or Demonslay335.

bryanclemente (Posted October 21, 2019)

Got it! Thank you so much!

bryanclemente (Posted October 21, 2019)

> 9 hours ago, Amigo-A said: Perhaps tomorrow you will be answered by the employees of Emsisoft or Demonslay335.

Got it! Thank you so much!

GT500 (Posted October 21, 2019)

> On 10/20/2019 at 10:52 AM, bryanclemente said: However, I tried putting an MP4 file which is just 85mb and it is not giving me a result. And I thought that maybe because it is a big file. And I read that for bigger files I should ask for support. Is this something that you can work on?

If you have a file pair that's too big, you can ZIP the files and share them with us via a file sharing service (Mega, MediaFire, Zippyshare, etc). Send the download link in a private message, and feel free to use a password when zipping the files, or if the file sharing service allows it then when uploading the file (Mega should allow encrypting files with a password, however I'm not certain if that feature is available for free).

If you don't already have an archive manager, then you can use 7-Zip or WinRAR. Once installed, you can right-click on a file and there will be options to compress files with them. We can open any archive format that these tools can create (ZIP, 7z, RAR, etc).

bryanclemente (Posted October 22, 2019)

> 10 hours ago, GT500 said: If you have a file pair that's too big, you can ZIP the files and share them with us via a file sharing service (Mega, MediaFire, Zippyshare, etc). Send the download link in a private message, and feel free to use a password when zipping the files, or if the file sharing service allows it then when uploading the file (Mega should allow encrypting files with a password, however I'm not certain if that feature is available for free). If you don't already have an archive manager, then you can use 7-Zip or WinRAR. Once installed, you can right-click on a file and there will be options to compress files with them. We can open any archive format that these tools can create (ZIP, 7z, RAR, etc).

Hi GT500, Sent the link on your private message. Thank you!

GT500 (Posted October 22, 2019)

> 14 hours ago, bryanclemente said: Hi GT500, Sent the link on your private message. Thank you!

I've forwarded your download link to the analyst who made the decrypter, and I'll let you know once he's had a chance to take a look at them.

bryanclemente (Posted October 23, 2019)

> 6 hours ago, GT500 said: I've forwarded your download link to the analyst who made the decrypter, and I'll let you know once he's had a chance to take a look at them.

Thank you very much Sir!

GT500 (Posted October 24, 2019)

@bryanclemente I was told that you'd already submitted a file pair that should allow the decrypter to decrypt your MP4 files (or at least any that start with the same 5 bytes). Are you having trouble with MP4 decryption?

bryanclemente (Posted October 24, 2019)

> 5 hours ago, GT500 said: @bryanclemente I was told that you'd already submitted a file pair that should allow the decrypter to decrypt your MP4 files (or at least any that start with the same 5 bytes). Are you having trouble with MP4 decryption?

Yes, my only problem is the MP4 files. It's not giving me a result. I will press submit and then it will load but then go back again to submit button without giving me any result. And I thought maybe because it is a big file. But it's only 85 mb.

Amigo-A (Posted October 24, 2019)

Hello @bryanclemente Upload these files to the exchange service, give a download link and specialists will try to find the reason, if they do not already know.

GT500 (Posted October 25, 2019)

> 19 hours ago, bryanclemente said: Yes, my only problem is the MP4 files. It's not giving me a result. I will press submit and then it will load but then go back again to submit button without giving me any result. And I thought maybe because it is a big file. But it's only 85 mb.

They were already submitted once, so that could be the problem. What happens when you try to run the decrypter to decrypt your MP4 files? Does it give you an error?

bryanclemente (Posted October 27, 2019)

> On 10/25/2019 at 10:14 AM, GT500 said: They were already submitted once, so that could be the problem. What happens when you try to run the decrypter to decrypt your MP4 files? Does it give you an error?

Upon checking it now, I think it is now able to decrypt my .MP4 files. Will update you guys if I have any trouble. Thank you!

bryanclemente (Posted October 28, 2019)

Hi @GT500, Just wondering if there's any solution to files lower than 150 KB? Cause I have Premiere and After Effects files that has encrypted and original. But the problem is it is less than 150 KB...

GT500 (Posted October 29, 2019)

> On 10/28/2019 at 3:04 AM, bryanclemente said: Just wondering if there's any solution to files lower than 150 KB? Cause I have Premiere and After Effects files that has encrypted and original. But the problem is it is less than 150 KB...

The file used for the file pair can't be under 150 KB, however I'll have to ask if the decrypter could handle files that small. There are some oddities to how STOP/Djvu encrypts files, which may complicate things.

bryanclemente (Posted October 29, 2019)

> 33 minutes ago, GT500 said: The file used for the file pair can't be under 150 KB, however I'll have to ask if the decrypter could handle files that small. There are some oddities to how STOP/Djvu encrypts files, which may complicate things.

Got it! I understand. Just let me know if there's any answer to that. Will patiently wait. Thank you so much!

GT500 (Posted October 29, 2019)

> 3 hours ago, bryanclemente said: Got it! I understand. Just let me know if there's any answer to that. Will patiently wait. Thank you so much!

I've been told that file size doesn't matter for decryption. It only matters when submitting file pairs (if the files are too small, then the decrypter won't be able to decrypt files that are larger).

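The pair-selection advice given in this thread (one pair per file type, the largest pair available, nothing under 150 KB, and coverage tied to a file's first 5 bytes), sketched as a script; this is an added example, not Emsisoft's code and not part of any post. It assumes clean copies sit in a backup folder under the same relative names, that an encrypted name is the original name plus the ransomware extension, and that 150 KB means 150 × 1024 bytes; `find_pairs`, `choose_submissions` and the sample files are constructed for illustration.

```python
import os
import tempfile
from collections import namedtuple

MIN_PAIR_BYTES = 150 * 1024  # thread: a pair file can't be under 150 KB (assumed 1 KB = 1024 bytes)
HEADER_LEN = 5               # thread: a pair covers files that start with the same 5 bytes

Pair = namedtuple("Pair", "ext header clean encrypted size")


def find_pairs(clean_root, encrypted_root, ransom_ext):
    """Match every '<name><ransom_ext>' file to a clean copy at the same relative path."""
    pairs = []
    for folder, _dirs, files in os.walk(encrypted_root):
        for name in files:
            if not name.lower().endswith(ransom_ext.lower()):
                continue
            enc_path = os.path.join(folder, name)
            rel = os.path.relpath(enc_path, encrypted_root)[:-len(ransom_ext)]
            clean_path = os.path.join(clean_root, rel)
            if not os.path.isfile(clean_path):
                continue  # no known-good copy, so this file cannot form a pair
            with open(clean_path, "rb") as fh:
                header = fh.read(HEADER_LEN)
            ext = os.path.splitext(rel)[1].lower()
            size = min(os.path.getsize(clean_path), os.path.getsize(enc_path))
            pairs.append(Pair(ext, header, clean_path, enc_path, size))
    return pairs


def choose_submissions(pairs):
    """Return ({(ext, header): largest eligible Pair}, keys that only have undersized pairs)."""
    best, too_small = {}, set()
    for p in pairs:
        key = (p.ext, p.header)
        if p.size < MIN_PAIR_BYTES:
            too_small.add(key)
        elif key not in best or p.size > best[key].size:
            best[key] = p
    return best, sorted(too_small - set(best))


def demo():
    """Build a constructed sample tree (not real victim data) and pick the pairs to submit."""
    samples = {  # relative name -> (leading bytes, total size in bytes)
        "a.pdf": (b"%PDF-1.4", 200 * 1024),
        "b.pdf": (b"%PDF-1.7", 400 * 1024),
        "clip1.mp4": (b"\x00\x00\x00\x18ftyp", 300 * 1024),
        "clip2.mp4": (b"\x00\x00\x00\x20ftyp", 160 * 1024),
        "tiny.prproj": (b"\x1f\x8b\x08\x00\x00", 40 * 1024),
    }
    with tempfile.TemporaryDirectory() as root:
        clean, enc = os.path.join(root, "backup"), os.path.join(root, "infected")
        os.makedirs(clean)
        os.makedirs(enc)
        for name, (magic, size) in samples.items():
            with open(os.path.join(clean, name), "wb") as fh:
                fh.write(magic + b"\0" * (size - len(magic)))
            with open(os.path.join(enc, name + ".promoz"), "wb") as fh:
                fh.write(b"\xff" * size)  # stand-in bytes; nothing is really encrypted here
        return choose_submissions(find_pairs(clean, enc, ".promoz"))


if __name__ == "__main__":
    best, too_small = demo()
    for (ext, header), pair in sorted(best.items()):
        print(ext, header.hex(), os.path.basename(pair.clean), pair.size)
    print("only undersized pairs for:", too_small)
```

In the constructed data the two MP4 files differ in their first 5 bytes, so each needs its own pair, and the 40 KB project file is reported as having no pair large enough to submit.
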
bryanclemente (Posted October 29, 2019)

> 1 minute ago, GT500 said: I've been told that file size doesn't matter for decryption. It only matters when submitting file pairs (if the files are too small, then the decrypter won't be able to decrypt files that are larger).

Yup! That's exactly my problem, when submitting the file pairs. Hmmn.. Okay, so I guess I really find files that are at least 150kb in size. If there's any solution to it. Just let me know. Thanks GT500!

GT500 (Posted October 30, 2019)

> 18 hours ago, bryanclemente said: If there's any solution to it. Just let me know.

There's a theoretical solution. If you can ZIP the largest file pair you have and attach it to a reply, we can attempt to add support for it to the decrypter. It may not work, or at least it may leave the decrypted files partially corrupted, however we can give it a try if you want to.

Yuselita (Posted December 8, 2019)

Hi! I also have the same problem. I was infected by Ransomware this morning. And I thought my local hard drive is the only one infected. But unfortunately, my external hard drives that are connected are also infected. Please help. The name of the ransomware is .gesd

The contact that attached to my infected harddisk external is like this:

ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-063L4ferhE Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0191gtd374y5iuhld6gK7ygUzrA2fGU2JpeDCMPTnBANV3N32v2Ib2ZKn

Thank you for the big help!

Samarth Bhardwaj (Posted December 8, 2019)

Hello today on 03:28 PM IST my PC was attacked with ransomware which is in .gesd file extension, pls help

GT500 (Posted December 10, 2019)

> On 12/8/2019 at 9:43 AM, Yuselita said: Your personal ID: 0191gtd374y5iuhld6gK7ygUzrA2fGU2JpeDCMPTnBANV3N32v2Ib2ZKn

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

> On 12/8/2019 at 2:17 PM, Samarth Bhardwaj said: Hello today on 03:28 PM IST my PC was attacked with ransomware which is in .gesd file extension, pls help

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you will be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Yuselita (Posted December 10, 2019)

> 4 hours ago, GT500 said: This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
>
> This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you will be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

I hope there's an update decryption tool for this new type of ransomware with online key. Please inform me and thank you GT500

Hafid (Posted December 10, 2019)

anyone can help me with this ransom virus?

Attachments: _readme.txt, BRIDGE.JPG.gesd, Pengalaman Penelitian.docx.gesd

GT500 (Posted December 11, 2019)

> 18 hours ago, Yuselita said: I hope there's an update decryption tool for this new type of ransomware with online key.

That would only be possible if someone were to release the private keys for us to add to our database for our current decrypter.

> 16 hours ago, Hafid said: anyone can help me with this ransom virus?

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Rohith (Posted December 15, 2019)

Hi can anyone help me to decrypt my files stored in external hard disk drive.. my drive has been infected by ransomware and all the files have been saved with extension .NBES Kindly help... I would like to have more info on this. Is there any tool for solving this issue ?

ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-Be28TGxMAy Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0194Asd374y5iuhldT2rTkvqPawuxU1ZHaaduwWpHn6I22SeYX39M9Zt1

Amigo-A (Posted December 15, 2019)

> 2 hours ago, Rohith said: extension .NBES

Attach a ransom note (original file) to your message.

Rohith (Posted December 16, 2019)

done..

Amigo-A (Posted December 16, 2019)

The signs "t1" ID at the end of your ID can indicate that in the future the files can be decrypted if the developers receive a decryption key.

Today, this is the newest variant, and no one has yet announced that they bought the key from extortionists to pass it to the developers, so that they complement its in decryptor.

Rohith (Posted December 17, 2019)

will there be any future update for the decryption tool for decrypting ".nebs" extension files ? How long can it take and how do I come to know that the decryption tool will now support decrypting ".nebs" extension files ?

GT500 (Posted December 17, 2019)

> 2 hours ago, Rohith said: will there be any future update for the decryption tool for decrypting ".nebs" extension files ?

No. Updates to the decrypter are not necessary. If we are able to find the private key for offline ID's for this variant of STOP/Djvu, then we can simply add it to our database, and the decrypter will have access to it without needing an update. My recommendation is to run the decrypter once every week or two, and once we've been able to find and add the private key it should start decrypting your files.

Rohith (Posted December 17, 2019)

> 33 minutes ago, GT500 said: No. Updates to the decrypter are not necessary. If we are able to find the private key for offline ID's for this variant of STOP/Djvu, then we can simply add it to our database, and the decrypter will have access to it without needing an update. My recommendation is to run the decrypter once every week or two, and once we've been able to find and add the private key it should start decrypting your files.

So which one should I run weekly ? The tool that I downloaded in my machine or the one which is already available in emsisoft site (https://www.emsisoft.com/ransomware-decryption-tools/) which requires original and encrypted copy ? Can you please clarify.