
Hello,

This .kiratos virus just messed up my PC because I clicked an adware and hit "run" instead of "cancel".
All my files, including all my AutoCAD drawings and projects, are encrypted, and I have to hand them in in 2 days' time!

Can someone help me with this? Should I just pay the ransom?

7 minutes ago, Demonslay335 said:

Follow the instructions in the first post of this support topic and FAQ and provide the personal ID and MAC addresses of the infected machine ASAP.

https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-tro-djvu-rumba-openmetxt-support-topic/

Hello,

I think there was a page where I had to upload the ransom note, an encrypted file and the emails they sent me for ransom? I did that; other than that, I have no idea what I have to do, I was never infected with a virus before.

I read the first post and tried to download the program, but I can't seem to be able to do it, I can't click on the download button.

_readme.txt

19 minutes ago, Demonslay335 said:

@q8asami

Do as the instructions in the link I just posted say... quickly.

If you mean to download STOPDecrypter and run it, I already did so, but it says that they didn't find any key.

I ran an antivirus program previously and it deleted a lot of files that were downloaded by the virus, but the encryption remains.


Decrypted 0 files!
Skipped 31 files.

[!] No keys were found for the following IDs:
[*] ID: 4yfBziuz4XrFMwl8DINdJq7Iiwqb37ulWuAYfInB (.kiratos )
[*] ID: 4yfBziuz4XrFMwl8DINdJq7Iiwqb37ulWuAYfInB (.pdf )
[*] ID: 4yfBziuz4XrFMwl8DINdJq7Iiwqb37ulWuAYfInB (.ai )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MAC: 00:FF:3F:B9:20:45
[*] MAC: 30:5A:3A:00:8E:B7
This info has also been logged to STOPDecrypter-log.txt
5 hours ago, q8asami said:

Would you be kind enough to tell me how I can get the malware for you?

What Anti-Virus were you using?

Usually you'd need to restore the files from the quarantine, ZIP them, and then attach them to a reply. We can provide more detailed instructions if we knew which Anti-Virus software detected them.


Malwarebytes has a video "how to" that shows you how to restore items from the quarantine at the following link:
https://support.malwarebytes.com/videos/1049

Note that the quarantine will list the full path (which appears to be called "Location") to where the file was originally located. You'll want to look for the files you restore in that location.

The only other information that Malwarebytes seems to have on the quarantine feature is in their user guide at the following link:
https://support.malwarebytes.com/docs/DOC-1709


I did go to the quarantine tab and it's empty; I checked the Malwarebytes folder and there is no file with the current date.

The only files with the current date are:

Actions.dll

BrowserSDKDLL.dll

MBAMCore.dll

Nothing in the Recycle Bin either.


Please help. I need decryption.

Ethernet        Intel(R) 82579L 5C-26-0A-6E-B3-7A
Wi-Fi           Intel(R) A0-88-B4-78-F5-70

ID: 072Asdju732sdfAdh21X4jpQyVJYRAveC7VEqeBYgozJa69HWyLrnyBDg

On 4/28/2019 at 6:02 PM, q8asami said:

i did go to the quarantine tab and it's empty, checked the malwarebytes folder and there is no file of the current date

It's more than likely that the ransomware deleted itself before you ran the scan, or that Malwarebytes just never detected it. It's fairly normal for ransomware to delete itself once it is done encrypting files, as this leaves less information for malware analysts.

14 hours ago, amr said:

Please help. I need decryption.

Ethernet        Intel(R) 82579L 5C-26-0A-6E-B3-7A
Wi-Fi           Intel(R) A0-88-B4-78-F5-70

ID: 072Asdju732sdfAdh21X4jpQyVJYRAveC7VEqeBYgozJa69HWyLrnyBDg

I've been told that the time window for being able to figure out keys for .kiratos has ended, however I will go ahead and pass this on to the developer of STOPDecrypter so that he can archive it just in case he's able to figure out the decryption key at some point in the future.


Dear Sir

I hope you can help me to decrypt my files. I need .kiratos decryption.


[!] No keys were found for the following IDs:
[*] ID: e4Z7Ued2uSyQfbA7vS8VKtF2dGKGH8qEQ4E1Uht1 (.kiratos )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MAC: C8:5B:76:05:6D:6A
[*] MAC: AA:A7:95:B8:10:D9
[*] MAC: A8:A7:95:B8:10:D9
[*] MAC: 00:FF:05:D2:8D:6D
[*] MAC: A8:A7:95:B8:10:D9

------------------------------------
My personal ID: 072Asdju732sdfAdhmmu6gybVaTsZaDZAVuj9ELraajhjh3Kcnyc1RKII

12 hours ago, WFawaz said:

[*] ID: e4Z7Ued2uSyQfbA7vS8VKtF2dGKGH8qEQ4E1Uht1 (.kiratos )

That's an offline ID, however support for .kiratos has (as far as I am aware) not yet been added to STOPDecrypter. I'll send you a private message with more information.
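Since several posts above paste STOPDecrypter's "No keys were found" output and are asked to archive the IDs and MAC addresses, here is an added helper (written for this thread, not code from the Emsisoft forum or from STOPDecrypter's author) that parses that output format, deduplicates the MAC list, and flags IDs ending in "t1", which is the suffix STOP/Djvu uses for offline IDs (a known property of the family, not something stated in this thread). The sample log is constructed from values quoted in the posts above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the STOPDecrypter output quoted in this thread;
# the ID and MAC values are copied from posts above (one MAC deliberately repeated).
SAMPLE_LOG = """Decrypted 0 files!
Skipped 5 files.

[!] No keys were found for the following IDs:
[*] ID: e4Z7Ued2uSyQfbA7vS8VKtF2dGKGH8qEQ4E1Uht1 (.kiratos )
[*] ID: 4yfBziuz4XrFMwl8DINdJq7Iiwqb37ulWuAYfInB (.kiratos )
[*] ID: 4yfBziuz4XrFMwl8DINdJq7Iiwqb37ulWuAYfInB (.pdf )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MAC: C8:5B:76:05:6D:6A
[*] MAC: A8:A7:95:B8:10:D9
[*] MAC: a8:a7:95:b8:10:d9
This info has also been logged to STOPDecrypter-log.txt
"""

# "[*] ID: <id> (.ext )" -- the tool prints a space before the closing parenthesis.
ID_RE = re.compile(r"^\[\*\] ID: (\S+) \((\.\w+) ?\)")
# "[*] MAC: XX:XX:XX:XX:XX:XX"
MAC_RE = re.compile(r"^\[\*\] MAC: ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s*$")


@dataclass
class ArchiveRecord:
    ids: dict = field(default_factory=dict)   # key ID -> sorted list of extensions
    macs: list = field(default_factory=list)  # unique MACs, upper-cased, in order seen


def is_offline_id(key_id: str) -> bool:
    # STOP/Djvu offline IDs end with "t1" (family convention, not from this thread).
    return key_id.endswith("t1")


def parse_stopdecrypter_log(text: str) -> ArchiveRecord:
    """Collect the IDs and MACs that STOPDecrypter asks the victim to archive."""
    rec = ArchiveRecord()
    exts_by_id: dict = {}
    for line in text.splitlines():
        m = ID_RE.match(line)
        if m:
            exts_by_id.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = MAC_RE.match(line)
        if m:
            mac = m.group(1).upper()
            if mac not in rec.macs:        # drop the duplicates the tool prints
                rec.macs.append(mac)
    rec.ids = {k: sorted(v) for k, v in exts_by_id.items()}
    return rec
```

`[k for k in parse_stopdecrypter_log(SAMPLE_LOG).ids if is_offline_id(k)]` yields only the e4Z7… ID, matching the reply above that calls it an offline ID.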

22 hours ago, atom82 said:

We'll need to know your ID as well. You can find it in the ransom notes that the ransomware left behind. They'll have a name like _readme and will appear before most other files when things are sorted alphabetically.


We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/
