bryanclemente

External Hard Drives Are Infected By Ransomware!


Hi!

I was infected by Ransomware last month. And I thought my local hard drive was the only one infected. But unfortunately, my external hard drives that are connected are also infected.

Please help... I'm willing to spend time and follow instructions this time. The name of the ransomware is .promoz.

Thank you for the big help!

FRST.txt Addition.txt FRAME 2.jpg.promoz _readme.txt


I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like one of our experts to review them.


That's a variant of the STOP ransomware:
https://id-ransomware.malwarehunterteam.com/identify.php?case=1f114e09723aff0219904a02fac3b34e2fd10da6

Your ID doesn't appear to be an offline ID, so the chances of being able to decrypt your files are slim. That being said, if you download STOPDecrypter from the following link, run it, and copy and paste the ID and MAC it gives you into a reply then I can forward them to the creator of STOPDecrypter in case he is able to figure out your decryption key at some point in the future:
https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip


Hi @stapp, here's the result. 

1 Result

STOP (Djvu)

 This ransomware may be decryptable under certain circumstances.

Please refer to the appropriate guide for more information.

Identified by

  • ransomnote_email: [email protected]
  • sample_extension: .promoz
  • sample_bytes: [0x35061 - 0x3507B] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D

 

Click here for more information about STOP (Djvu)


Hi @GT500,

I want to try this but is it safe to do it on my working pc? Cause, I read that it's pretty dangerous to try this as if it fails it might damage my files.

Should I do it on a usb and a different pc that won't affect any files? I want to try doing this on my Mac since I just reformatted it but I don't think there's a Mac version for this. Right?

I just want to know the safety measures in trying this. Thank you @GT500!

9 hours ago, bryanclemente said:

I want to try this but is it safe to do it on my working pc? Cause, I read that it's pretty dangerous to try this as if it fails it might damage my files.

It won't try to decrypt your files if it can't find a key for your ID, and I'm about 90% certain it won't have a key for your ID, so as long as you don't try to manually enter a key then your files shouldn't remain unaffected.

 

9 hours ago, bryanclemente said:

Should I do it on a usb and a different pc that won't affect any files?

You should be able to do that if you want to. I think all you need is a copy of an encrypted file and the ransom note for the decrypter to get the ID from.

 

9 hours ago, bryanclemente said:

I want to try doing this on my Mac since I just reformatted it but I don't think there's a Mac version for this. Right?

You are correct that there is no Mac version. If you want to do it on your Mac, then you'd have to use a Virtual Machine to run Windows on the Mac.


@GT500

Okay, I'll try to do this. Hopefully, it'll work.

So my best chances of decrypting this is by trying this and waiting for the future decrypting tool.

If ever where can I follow up the future decrypting tool?

12 hours ago, bryanclemente said:

So my best chances of decrypting this is by trying this and waiting for the future decrypting tool.

You won't need a new decryption tool, you'll just need a decryption key to enter into STOPDecrypter so that it can decrypt your files.

 

12 hours ago, bryanclemente said:

If ever where can I follow up the future decrypting tool?

If the creator of STOPDecrypter is ever able to figure out your decryption key, then either he will contact you directly, or he'll let me know and I'll contact you.

On 4/11/2019 at 1:39 AM, GT500 said:

If the creator of STOPDecrypter is ever able to figure out your decryption key, then either he will contact you directly, or he'll let me know and I'll contact you.

Does he know about our conversation? Or can I contact him?

On 4/13/2019 at 1:28 PM, bryanclemente said:

Does he know about our conversation? Or can I contact him?

He'll know about our conversation when I send him your ID and MAC. Once he has that information, he'll be able to contact you if he figures out your decryption key.

On 4/16/2019 at 2:06 AM, GT500 said:

He'll know about our conversation when I send him your ID and MAC. Once he has that information, he'll be able to contact you if he figures out your decryption key.

Alright!! Thank you so much Sir!


You're welcome.

If you need any help with the instructions, then let me know. If you'd prefer to post your ID and MAC address on BleepingComputer as mentioned in the instructions, then feel free to do so.


We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

On 10/19/2019 at 9:06 AM, GT500 said:

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Thank you so much!

I just checked it. But unfortunately I was not able to automatically decrypt my files. I have to pair first. I tried on some pdf files and gladly it works!!

But my problem right now is that I have to make all my files be processed. And some of my files are really big. So I will have a hard time uploading it.

My question is, do all of my files need to be learnt? And what if I have bigger files? I've read that you guys can help if the files are so big.

 

Thank you for the big help!


You need to upload files of different formats to the new decryption service, but you need to do this separately for each file type (PNG, JPG, DOC, PDF, RTF, TXT... )
If you found the largest original PDF, then you need to find its encrypted version.
This must be uploaded to the service so that the decryptor finds a way to decrypt this file. After that, you should try to decrypt all other PDF files.
You need to do the same with other types of files.
This way you can decrypt almost all files, but it will take a lot of time for all operations.

1 hour ago, Amigo-A said:

You need to upload files of different formats to the new decryption service, but you need to do this separately for each file type (PNG, JPG, DOC, PDF, RTF, TXT... )
If you found the largest original PDF, then you need to find its encrypted version.
This must be uploaded to the service so that the decryptor finds a way to decrypt this file. After that, you should try to decrypt all other PDF files.
You need to do the same with other types of files.
This way you can decrypt almost all files, but it will take a lot of time for all operations.

I did try it! And it is working! Thank you very much for that. However, I tried putting an MP4 file which is just 85mb and it is not giving me a result. And I thought that maybe because it is a big file. And I read that for bigger files I should ask for support. Is this something that you can work on? :)

5 hours ago, bryanclemente said:

Is this something that you can work on?

Perhaps tomorrow you will be answered by the employees of Emsisoft or Demonslay335. 

On 10/20/2019 at 10:52 AM, bryanclemente said:

However, I tried putting an MP4 file which is just 85mb and it is not giving me a result. And I thought that maybe because it is a big file. And I read that for bigger files I should ask for support. Is this something that you can work on?

If you have a file pair that's too big, you can ZIP the files and share them with us via a file sharing service (Mega, MediaFire, Zippyshare, etc). Send the download link in a private message, and feel free to use a password when zipping the files, or if the file sharing service allows it then when uploading the file (Mega should allow encrypting files with a password, however I'm not certain if that feature is available for free).

If you don't already have an archive manager, then you can use 7-Zip or WinRAR. Once installed, you can right-click on a file and there will be options to compress files with them. We can open any archive format that these tools can create (ZIP, 7z, RAR, etc).

10 hours ago, GT500 said:

If you have a file pair that's too big, you can ZIP the files and share them with us via a file sharing service (Mega, MediaFire, Zippyshare, etc). Send the download link in a private message, and feel free to use a password when zipping the files, or if the file sharing service allows it then when uploading the file (Mega should allow encrypting files with a password, however I'm not certain if that feature is available for free).

If you don't already have an archive manager, then you can use 7-Zip or WinRAR. Once installed, you can right-click on a file and there will be options to compress files with them. We can open any archive format that these tools can create (ZIP, 7z, RAR, etc).

Hi GT500,

Sent the link on your private message. Thank you!

14 hours ago, bryanclemente said:

Hi GT500,

Sent the link on your private message. Thank you!

I've forwarded your download link to the analyst who made the decrypter, and I'll let you know once he's had a chance to take a look at them.

6 hours ago, GT500 said:

I've forwarded your download link to the analyst who made the decrypter, and I'll let you know once he's had a chance to take a look at them.

Thank you very much Sir!


@bryanclemente I was told that you'd already submitted a file pair that should allow the decrypter to decrypt your MP4 files (or at least any that start with the same 5 bytes). Are you having trouble with MP4 decryption?

5 hours ago, GT500 said:

@bryanclemente I was told that you'd already submitted a file pair that should allow the decrypter to decrypt your MP4 files (or at least any that start with the same 5 bytes). Are you having trouble with MP4 decryption?

Yes, my only problem is the MP4 files. It's not giving me a result. I will press submit and then it will load but then go back again to submit button without giving me any result. And I thought maybe because it is a big file. But it's only 85 mb. 

Capture.JPG


Hello @bryanclemente

Upload these files to the exchange service, give a download link and specialists will try to find the reason, if they do not already know.

19 hours ago, bryanclemente said:

Yes, my only problem is the MP4 files. It's not giving me a result. I will press submit and then it will load but then go back again to submit button without giving me any result. And I thought maybe because it is a big file. But it's only 85 mb.

They were already submitted once, so that could be the problem.

What happens when you try to run the decrypter to decrypt your MP4 files? Does it give you an error?

On 10/25/2019 at 10:14 AM, GT500 said:

They were already submitted once, so that could be the problem.

What happens when you try to run the decrypter to decrypt your MP4 files? Does it give you an error?

Upon checking it now, I think it is now able to decrypt my .MP4 files. Will update you guys if I have any trouble.

Thank you!

On 10/28/2019 at 3:04 AM, bryanclemente said:

Just wondering if there's any solution to files lower than 150 KB? Cause I have Premiere and After Effects files that have encrypted and original.

But the problem is it is less than 150 KB...

The file used for the file pair can't be under 150 KB, however I'll have to ask if the decrypter could handle files that small. There are some oddities to how STOP/Djvu encrypts files, which may complicate things.

33 minutes ago, GT500 said:

The file used for the file pair can't be under 150 KB, however I'll have to ask if the decrypter could handle files that small. There are some oddities to how STOP/Djvu encrypts files, which may complicate things.

Got it! I understand. Just let me know if there's any answer to that. Will patiently wait. Thank you so much!

3 hours ago, bryanclemente said:

Got it! I understand. Just let me know if there's any answer to that. Will patiently wait. Thank you so much!

I've been told that file size doesn't matter for decryption. It only matters when submitting file pairs (if the files are too small, then the decrypter won't be able to decrypt files that are larger).
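
The posts above say that file pairs are submitted per file type, that the largest pair is the useful one, and that a pair under 150 KB cannot be used. The following is an added example, not part of the original thread and not Emsisoft's tooling, that lists the largest usable original/encrypted pair for each file type and the types that have none. It assumes clean originals sit in a separate folder under the same relative names, and it reads "150 KB" as 150 * 1024 bytes; `find_file_pairs` and the folder names are hypothetical.

```python
import os
import tempfile

ENCRYPTED_EXT = ".promoz"    # extension seen in this thread
MIN_PAIR_BYTES = 150 * 1024  # assumption: the thread's "150 KB" read as 150 * 1024 bytes


def find_file_pairs(originals_dir, encrypted_dir):
    """Return (best, uncovered).

    best: {file type: (original path, encrypted path, original size)}, the
          largest usable pair found for each type.
    uncovered: sorted file types that have encrypted files but no pair whose
          original is at least MIN_PAIR_BYTES.
    """
    best, seen_types = {}, set()
    for folder, _dirs, names in os.walk(encrypted_dir):
        for name in names:
            if not name.lower().endswith(ENCRYPTED_EXT):
                continue  # ransom note or untouched file
            enc_path = os.path.join(folder, name)
            # "FRAME 2.jpg.promoz" -> "FRAME 2.jpg", same relative location
            rel = os.path.relpath(enc_path, encrypted_dir)[: -len(ENCRYPTED_EXT)]
            ftype = os.path.splitext(rel)[1].lower() or "(none)"
            seen_types.add(ftype)
            orig_path = os.path.join(originals_dir, rel)
            if not os.path.isfile(orig_path):
                continue  # no clean copy available for this file
            size = os.path.getsize(orig_path)
            if size < MIN_PAIR_BYTES:
                continue  # too small to submit as a pair
            if ftype not in best or size > best[ftype][2]:
                best[ftype] = (orig_path, enc_path, size)
    return best, sorted(seen_types - set(best))


if __name__ == "__main__":
    # Constructed demo tree: a 200 KB PDF pair and a 10 KB project-file pair.
    with tempfile.TemporaryDirectory() as root:
        clean, locked = os.path.join(root, "clean"), os.path.join(root, "locked")
        for name, size in (("report.pdf", 200 * 1024), ("edit.aep", 10 * 1024)):
            for base, suffix in ((clean, ""), (locked, ENCRYPTED_EXT)):
                os.makedirs(base, exist_ok=True)
                with open(os.path.join(base, name + suffix), "wb") as fh:
                    fh.write(b"\0" * size)
        print(find_file_pairs(clean, locked))
```

The script only reads file names and sizes, so it can be pointed at copies of the affected folders without modifying anything.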

1 minute ago, GT500 said:

I've been told that file size doesn't matter for decryption. It only matters when submitting file pairs (if the files are too small, then the decrypter won't be able to decrypt files that are larger).

Yup! That's exactly my problem, when submitting the file pairs. Hmmn.. Okay, so I guess I really find files that are at least 150kb in size.

If there's any solution to it. Just let me know.

Thanks GT500! 

18 hours ago, bryanclemente said:

If there's any solution to it. Just let me know.

There's a theoretical solution. If you can ZIP the largest file pair you have and attach it to a reply, we can attempt to add support for it to the decrypter. It may not work, or at least it may leave the decrypted files partially corrupted, however we can give it a try if you want to.
