Jump to content

External Hard Drives Are Infected By Ransomware!

bryanclemente
 Share Followers 2

Recommended Posts

bryanclemente

bryanclemente 0

Posted
Posted

Hi!

I was infected by Ransomware last month. And I thought my local hard drive is the only one infected. But unfortunately, my external hard drives that are connected are also infected.

Please help... I'm willing to spend time and follow instructions this time. The name of the ransomware is .promoz.

Thank you for the big help!

FRST.txt Addition.txt FRAME 2.jpg.promoz _readme.txt

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted

That's a variant of the STOP ransomware:
https://id-ransomware.malwarehunterteam.com/identify.php?case=1f114e09723aff0219904a02fac3b34e2fd10da6

Your ID doesn't appear to be an offline ID, so the chances of being able to decrypt your files is slim. That being said, if you download STOPDecrypter from the following link, run it, and copy and paste the ID and MAC it gives you into a reply then I can forward them to the create of STOPDecrypter in case he is able to figure out your decryption key at some point in the future:
https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip

Link to post
Share on other sites
bryanclemente

bryanclemente 0

Posted
  • Author
Posted

Hi @stapp, here's the result. 

1 Result

STOP (Djvu)

 This ransomware may be decryptable under certain circumstances.

Please refer to the appropriate guide for more information.

Identified by

  • ransomnote_email: [email protected]
  • sample_extension: .promoz
  • sample_bytes: [0x35061 - 0x3507B] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D

 

Click here for more information about STOP (Djvu)

Link to post
Share on other sites
bryanclemente

bryanclemente 0

Posted
  • Author
Posted

Hi @GT500,

I want to try this but is it safe to do it on my working pc? Cause, I read that it's pretty dangerous to try this as if it fails it might damage my files.

Should I do it on a usb and a different pc that won't affect any files? I want to try doing this on my Mac since I just reformatted it but I don't think there's a Mac version for this. Right?

I just want to know the safety measures in trying this. Thank you @GT500!

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
9 hours ago, bryanclemente said:

I want to try this but is it safe to do it on my working pc? Cause, I read that it's pretty dangerous to try this as if it fails it might damage my files.

It won't try to decrypt your files if it can't find a key for your ID, and I'm about 90% certain it won't have a key for your ID, so as long as you don't try to manually enter a key then your files shouldn't remain unaffected.

 

9 hours ago, bryanclemente said:

Should I do it on a usb and a different pc that won't affect any files?

You should be able to do that if you want to. I think all you need is a copy of an encrypted file and the ransom note for the decrypter to get the ID from.

 

9 hours ago, bryanclemente said:

I want to try doing this on my Mac since I just reformatted it but I don't think there's a Mac version for this. Right?

You are correct that there is no Mac version. If you want to do it on your Mac, then you'd have to use a Virtual Machine to run Windows on the Mac.

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
12 hours ago, bryanclemente said:

So my best chances of decrypting this is by trying this and waiting for the future decrypting tool.

You won't need a new decryption tool, you'll just need a decryption key to enter into STOPDecrypter so that it can decrypt your files.

 

12 hours ago, bryanclemente said:

If ever where can I follow up the future decrypting tool?

If the creator of STOPDecrypter is ever able to figure out your decryption key, then either he will contact you directly, or he'll let me know and I'll contact you.

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
On 4/13/2019 at 1:28 PM, bryanclemente said:

Does he knows about our conversation? or can I contact him?

He'll know about our conversation when I send him your ID and MAC. Once he has that information, he'll be able to contact you if he figures out your decryption key.

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted

You're welcome.

If you need any help with the instructions, then let me know. If you'd prefer to post your ID and MAC address on BleepingComputer as mentioned in the instructions, then feel free to do so.

Link to post
Share on other sites
  • 5 months later...
GT500

GT500 853

Posted
Posted

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Link to post
Share on other sites
bryanclemente

bryanclemente 0

Posted
  • Author
Posted
On 10/19/2019 at 9:06 AM, GT500 said:

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Thank you so much!

I just checked it. But unfortunately I was not able to automatically decrypt my files. I have to pair first. I tried on some pdf files and glady it works!! 

But the my problem right now is that. I have to make all my files be processed. And some of my files are really big. So I will have a hard time uploading it. 

My question will does all of my files needs to be learnt?  And what if I have bigger files? I've read that you guys can help if the files are so big.

 

Thank you for the big help!

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

You need to upload files of different formats to the new decryption service, but you need to do this separately for each file type (PNG, JPG, DOC, PDF, RTF, TXT... )
If you found the largest original PDF,  then need find its encrypted version.
This must be uploaded to the service so that the decryptor finds a way to decrypt this file. After that, you should try to decrypt all other PDF files.
Similarly, you need to do with other types of files.
This way you can decrypt almost all files, but it will take a lot of time for all operations.

Link to post
Share on other sites
bryanclemente

bryanclemente 0

Posted
  • Author
Posted
1 hour ago, Amigo-A said:

You need to upload files of different formats to the new decryption service, but you need to do this separately for each file type (PNG, JPG, DOC, PDF, RTF, TXT... )
If you found the largest original PDF,  then need find its encrypted version.
This must be uploaded to the service so that the decryptor finds a way to decrypt this file. After that, you should try to decrypt all other PDF files.
Similarly, you need to do with other types of files.
This way you can decrypt almost all files, but it will take a lot of time for all operations.

I did try it! And it is working! Thank you very for that. However, I tried putting and MP4 file which is just 85mb and it is not giving me a result. And I thought that maybe because it is a big file. And I read that for bigger files I should ask for support. Is this something that you can work on? :)

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
On 10/20/2019 at 10:52 AM, bryanclemente said:

However, I tried putting and MP4 file which is just 85mb and it is not giving me a result. And I thought that maybe because it is a big file. And I read that for bigger files I should ask for support. Is this something that you can work on?

If you have a file pair that's too big, you can ZIP the files and share them with us via a file sharing service (MegaMediaFireZippyshare, etc). Send the download link in a private message, and feel free to use a password when zipping the files, or if the file sharing service allows it then when uploading the file (Mega should allow encrypting files with a password, however I'm not certain if that feature is available for free).

If you don't already have an archive manager, then you can use 7-Zip or WinRAR. Once installed, you can right-click on a file and there will be options to compress files with them. We can open any archive format that these tools can create (ZIP, 7z, RAR, etc).

Link to post
Share on other sites
bryanclemente

bryanclemente 0

Posted
  • Author
Posted
10 hours ago, GT500 said:

If you have a file pair that's too big, you can ZIP the files and share them with us via a file sharing service (MegaMediaFireZippyshare, etc). Send the download link in a private message, and feel free to use a password when zipping the files, or if the file sharing service allows it then when uploading the file (Mega should allow encrypting files with a password, however I'm not certain if that feature is available for free).

If you don't already have an archive manager, then you can use 7-Zip or WinRAR. Once installed, you can right-click on a file and there will be options to compress files with them. We can open any archive format that these tools can create (ZIP, 7z, RAR, etc).

Hi GT500,

Sent the link on your private message. Thank you!

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
14 hours ago, bryanclemente said:

Hi GT500,

Sent the link on your private message. Thank you!

I've forwarded your download link to the analyst who made the decrypter, and I'll let you know once he's had a chance to take a look at them.

Link to post
Share on other sites
bryanclemente

bryanclemente 0

Posted
  • Author
Posted
5 hours ago, GT500 said:

@bryanclemente I was told that you'd already submitted a file pair that should allow the decrypter to decrypt your MP4 files (or at least any that start with the same 5 bytes). Are you having trouble with MP4 decryption?

Yes, my only problem is the MP4 files. It's not giving me a result. I will press submit and then it will load but then go back again to submit button without giving me any result. And I thought maybe because it is a big file. But it's only 85 mb. 

Capture.JPG

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
19 hours ago, bryanclemente said:

Yes, my only problem is the MP4 files. It's not giving me a result. I will press submit and then it will load but then go back again to submit button without giving me any result. And I thought maybe because it is a big file. But it's only 85 mb.

They were already submitted once, so that could be the problem.

What happens when you try to run the decrypter to decrypt your MP4 files? Does it give you an error?

Link to post
Share on other sites
bryanclemente

bryanclemente 0

Posted
  • Author
Posted
On 10/25/2019 at 10:14 AM, GT500 said:

They were already submitted once, so that could be the problem.

What happens when you try to run the decrypter to decrypt your MP4 files? Does it give you an error?

Upon checking it now, I think it is now able to decrypt my .MP4 files. Will update you guys If I have any trouble.

Thank you!

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
On 10/28/2019 at 3:04 AM, bryanclemente said:

Just wondering if there's any solution to files lower the 150 KB? Cause I have Premiere and After Effects files that has encryted and original.

But the problem is it is less than 150 KB...

The file used for the file pair can't be under 150 KB, however I'll have to ask if the decrypter could handle files that small. There are some oddities to how STOP/Djvu encrypts files, which may complicate things.

Link to post
Share on other sites
bryanclemente

bryanclemente 0

Posted
  • Author
Posted
33 minutes ago, GT500 said:

The file used for the file pair can't be under 150 KB, however I'll have to ask if the decrypter could handle files that small. There are some oddities to how STOP/Djvu encrypts files, which may complicate things.

Got it! I understand. Just let me know if there's any answer to that. Will patiently wait. Thank you so much!

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
3 hours ago, bryanclemente said:

Got it! I understand. Just let me know if there's any answer to that. Will patiently wait. Thank you so much!

I've been told that file size doesn't matter for decryption. It only matters when submitting file pairs (if the files are too small, then the decrypter won't be able to decrypt files that are larger).

Link to post
Share on other sites
bryanclemente

bryanclemente 0

Posted
  • Author
Posted
1 minute ago, GT500 said:

I've been told that file size doesn't matter for decryption. It only matters when submitting file pairs (if the files are too small, then the decrypter won't be able to decrypt files that are larger).

Yup! That's exactly my problem, when submitting the file pairs. Hmmn.. Okay, so I guess I really find files that are at least 150kb in size.

If there's any solution to it. Just let me know.

Thanks GT500! 

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
18 hours ago, bryanclemente said:

If there's any solution to it. Just let me know.

There's a theoretical solution. If you can ZIP the largest file pair you have and attach it to a reply, we can attempt to add support for it to the decrypter. It may not work, or at least it may leave the decrypted files partially corrupted, however we can give it a try if you want to.

Link to post
Share on other sites
  • 1 month later...
Yuselita

Yuselita 0

Posted
Posted

Hi!

I also have the same problem. I was infected by Ransomware this morning. And I thought my local hard drive is the only one infected. But unfortunately, my external hard drives that are connected are also infected.

Please help,  The name of the ransomware is .gesd

The contact that attached to my invected harddisk external is like this:

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-063L4ferhE
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
0191gtd374y5iuhld6gK7ygUzrA2fGU2JpeDCMPTnBANV3N32v2Ib2ZKn

"

Thank you for the big help!

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
On 12/8/2019 at 9:43 AM, Yuselita said:

Your personal ID:
0191gtd374y5iuhld6gK7ygUzrA2fGU2JpeDCMPTnBANV3N32v2Ib2ZKn

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

 

On 12/8/2019 at 2:17 PM, Samarth Bhardwaj said:

Hello today on 03:28 PM IST my PC was attacked with ransomware which is in .gesd file extension, pls help

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you will be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to post
Share on other sites
Yuselita

Yuselita 0

Posted
Posted
4 hours ago, GT500 said:

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

 

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you will be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

I hope there's an update decryption tool for this new type of ransomware with online key. Please inform me and thank you GT500

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
18 hours ago, Yuselita said:

I hope there's an update decryption tool for this new type of ransomware with online key.

That would only be possible if someone were to release the private keys for us to add to our database for our current decrypter.

 

16 hours ago, Hafid said:

anyone can help me with this ransom virus?

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to post
Share on other sites
Rohith

Rohith 0

Posted
Posted

Hi can anyone help me to decrypt my files stored in external hard disk drive.. my drive has been infected by ransomware and all the files have been saved with extension .NBES

Kindly help... I would like to have more info on this. Is there any tool for solving this issue ?

 

 

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-Be28TGxMAy
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
0194Asd374y5iuhldT2rTkvqPawuxU1ZHaaduwWpHn6I22SeYX39M9Zt1

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

The signs "t1" ID at the end of your ID can indicate that in the future the files can be decrypted if the developers receive a decryption key. Today, this is the newest variant, and no one has yet announced that they bought the key from extortionists to pass it to the developers, so that they complement its in decryptor.

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
2 hours ago, Rohith said:

will there be any future update for the decryption tool for decrypting ".nebs" extension files ?

No. Updates to the decrypter are not necessary. If we are able to find the private key for offline ID's for this variant of STOP/Djvu, then we can simply add it to our database, and the decrypter will have access to it without needing an update.

My recommendation is to run the decrypter once every week or two, and once we've been able to find and add the private key it should start decrypting your files.

Link to post
Share on other sites
Rohith

Rohith 0

Posted
Posted
33 minutes ago, GT500 said:

No. Updates to the decrypter are not necessary. If we are able to find the private key for offline ID's for this variant of STOP/Djvu, then we can simply add it to our database, and the decrypter will have access to it without needing an update.

My recommendation is to run the decrypter once every week or two, and once we've been able to find and add the private key it should start decrypting your files.

So which one should i run weekly ? The tool that i downloaded in my machine or the one which is already available in emsisoft site (https://www.emsisoft.com/ransomware-decryption-tools/) which requires original and encrypted copy ? Can you please clarify.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Followers 2
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 01/17/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...