Gurit Hamboro Posted April 28, 2019
Hi guys, using your latest STOPRansomware, need help with these:
Unidentified ID: hSGZAhPjkQfF7stvJC3swWpUKWH7UtDnqpZp94ko (.jpg )
Unidentified ID: hSGZAhPjkQfF7stvJC3swWpUKWH7UtDnqpZp94ko (.kiratos )
MAC: FA:28:19:EF:5D:89
Any help will be highly appreciated. Thanks.. PS: sorry for my bad English.
Demonslay335 Posted April 28, 2019
Please follow the instructions in the BleepingComputer support topic to give me all of the MAC addresses of the infected PC.
GT500 Posted April 28, 2019
There's a batch file that you can use to get the MAC addresses quickly. If you'd like to try it, you can download the ZIP archive from the following link: https://www.gt500.org/emsisoft/MAC_Address_Batch_File.zip
Simply download it, open it, and double-click the Get_MAC_Addresses file in the folder that appears. A black window will open and then close, and once that happens the batch file is done. You'll find a new file on your Desktop named MAC_Addresses which you can send to Demonslay335 so that he can try to figure out your decryption key. Note that the quicker you can get him this information, the better your chances of being able to recover your files.
Gurit Hamboro (Author) Posted April 28, 2019
Thanks for your reply, here they are. Included the STOPDecrypter log files.
[attachments: STOPDecrypter-log.txt, MAC_Addresses.txt, 573_MAJU.pdf.kiratos, _readme.txt]
bledex Posted April 29, 2019
Need help for kiratos too.. Here are my MAC and personal ID:
MAC: D0:50:99:86:A6:4B
Personal ID: 072Asdju732sdfAdhNmICd235UhnVWtKObZj9euyn8BtbejvDsafO34bq
Thanks
Loydsd Posted April 29, 2019
@Demonslay335! Just infected with the .kiratos ransomware encryption virus.
Personal ID: 072Asdju732sdfAdhFGNZkCQSiUYfQgC8zNc4XAf
MAC: 50-E5-49-8F-F4-C1
Sai Posted April 29, 2019
8 hours ago, GT500 said: There's a batch file that you can use to get the MAC addresses quickly. If you'd like to try it, you can download the ZIP archive from the following link: https://www.gt500.org/emsisoft/MAC_Address_Batch_File.zip Simply download it, open it, and double-click the Get_MAC_Addresses file in the folder that appears. A black window will open and then close, and once that happens the batch file is done. You'll find a new file on your Desktop named MAC_Addresses which you can send to Demonslay335 so that he can try to figure out your decryption key. Note that the quicker you can get him this information, the better your chances of being able to recover your files.
Help me please! Need help for kiratos too.. Here are my MAC and personal ID:
MAC: 28:F1:0E:4B:9A:3C
Personal ID: 072Asdju732sdfAdhZjqPRPyO34YFCjA18Kj9IsdseMEnOJrWNhuoEez4
Ali364 Posted April 29, 2019
On 4/28/2019 at 10:31 AM, Demonslay335 said: Please follow the instructions in the BleepingComputer support topic to give me all of the MAC addresses of the infected PC.
Connection Name   Network Adapter   Physical Address     Transport Name
===============   ===============   ===================  ==========================================================
Ethernet          Realtek PCIe FE   74-E6-E2-30-D1-B7    Media disconnected
Wi-Fi             Broadcom 802.11   10-08-B1-CC-67-5D    \Device\Tcpip_{6D930E6D-D860-403B-8393-6A40BA134970}
Bluetooth Netwo   Bluetooth Devic   10-08-B1-CC-67-5E    Media disconnected
Ali364 Posted April 29, 2019
Your personal ID: 072Asdju732sdfAdhUyCBgR2bSAFgQT7cjOsFvUZDYWMq9FtfG3RNrV8x
[attachment: MAC_Addresses.txt]
Sai Posted April 29, 2019
Your personal ID: 072Asdju732sdfAdhZjqPRPyO34YFCjA18Kj9IsdseMEnOJrWNhuoEez4
[attachment: MAC_Addresses.txt]
curmot Posted April 29, 2019
21 hours ago, Demonslay335 said: Please follow the instructions in the BleepingComputer support topic to give me all of the MAC addresses of the infected PC.
Hi @Demonslay335, plz help me for .kiratos
[attachments: _readme.txt, MAC_Addresses.txt, STEMPEL LUNAS.png.kiratos, STOPDecrypter-log.txt]
Gurit Hamboro (Author) Posted April 29, 2019
22 hours ago, Demonslay335 said: Please follow the instructions in the BleepingComputer support topic to give me all of the MAC addresses of the infected PC.
Really need your help, here are my MAC addresses.. Thanks a lot
[attachments: STOPDecrypter-log.txt, MAC_Addresses.txt]
GT500 Posted April 30, 2019
I've been told that the time window for being able to figure out keys for .kiratos has ended, however I will go ahead and pass this on to the developer of STOPDecrypter so that he can archive it just in case he's able to figure out the decryption key at some point in the future.
Gurit Hamboro (Author) Posted April 30, 2019
1 hour ago, GT500 said: I've been told that the time window for being able to figure out keys for .kiratos has ended, however I will go ahead and pass this on to the developer of STOPDecrypter so that he can archive it just in case he's able to figure out the decryption key at some point in the future.
Yes Sir, thanks for your kindness.. Hopefully I find a way out from this problem soon.
Best regards, Gurit Hamboro
GT500 Posted April 30, 2019
You're welcome.
SAIWU Posted May 1, 2019
Please help me Sir Demonslay335, ☹️
Here's my MAC ADD: A4:1F:72:52:08:44
ID number: 072Asdju732sdfAdhNfAjLViU2VDDBxEgZOOROjyvmprZ4ovJ6MrBfjDR
Thank you in advance Sir,
[attachment: _readme.txt]
GT500 Posted May 2, 2019
19 hours ago, SAIWU said: Please help me Sir Demonslay335, ☹️ Here's my MAC ADD: A4:1F:72:52:08:44 ID number: 072Asdju732sdfAdhNfAjLViU2VDDBxEgZOOROjyvmprZ4ovJ6MrBfjDR Thank you in advance Sir, [attachment: _readme.txt]
.kiratos? Or another variant of STOP/Djvu?
SAIWU Posted May 3, 2019
On 5/2/2019 at 8:15 AM, GT500 said: .kiratos? Or another variant of STOP/Djvu?
Kiratos Sir,
SAIWU Posted May 3, 2019
All my files were encrypted by kiratos.
GT500 Posted May 3, 2019
20 hours ago, SAIWU said: Kiratos Sir,
OK. I've already sent your information to the creator of STOPDecrypter, and he'll archive it in case he is able to figure out your decryption key at some point in the future.
ArifMaz Posted May 5, 2019
Hey, I need help with decrypting my files .kiratos that were infected
Personal ID: 072Asdju732sdfAdhta0hOtzBPDV6XnIJ4P1ua40YEaqy9t5kQWJZdp7x
MAC addresses:
Intel(R) Centri   24-77-03-73-E0-48   \Device\Tcpip_{C3B7C206-55A8-49B3-AB26-E5638A95C004}
GT500 Posted May 6, 2019
On 5/5/2019 at 7:53 AM, ArifMaz said: Hey, I need help with decrypting my files .kiratos that were infected Personal ID: 072Asdju732sdfAdhta0hOtzBPDV6XnIJ4P1ua40YEaqy9t5kQWJZdp7x MAC addresses: Intel(R) Centri 24-77-03-73-E0-48 \Device\Tcpip_{C3B7C206-55A8-49B3-AB26-E5638A95C004}
I've forwarded your information to the creator of STOPDecrypter so that he can archive it in case he is able to figure out your decryption key at some point in the future.
Parthshah19 Posted May 21, 2019
Hello there, my files are encrypted with kiratos!
Connection Name   Network Adapter   Physical Address     Transport Name
===============   ===============   ===================  ==========================================================
Local Area Conn   Qualcomm Athero   08-62-66-4F-FD-08    \Device\Tcpip_{E3E745AA-927B-4A3E-9C2A-99C2650A7272}
Local Area Conn   Kaspersky Secur   00-FF-1F-FD-95-9F    Media disconnected
GT500 Posted May 22, 2019
14 hours ago, Parthshah19 said: Hello there, my files are encrypted with kiratos!
We'll need the ID from one of the ransom notes as well. They should have a name like _readme (or something similar to this).
sait Posted May 24, 2019
Hello, my other PC is already infected by the kiratos ransomware, here are the details:
----------------------------------------
STOPDecrypter v2.1.0.2
OS Microsoft Windows NT 6.2.9200.0, .NET Framework Version 4.0.30319.42000
----------------------------------------
No key for ID:tIedRopeskclmUIXU93bMjDlLFYBHv14rLhk0Ul1 (.kiratos )
Unidentified ID: tIedRopeskclmUIXU93bMjDlLFYBHv14rLhk0Ul1 (.kiratos )
MACs: 18:31:BF:6B:D4:B5
Decrypted 1 files, skipped 9
Your personal ID: 072Asdju732sdfAdhtIedRopeskclmUIXU93bMjDlLFYBHv14rLhk0Ul1
Thank you boss..
GT500 Posted May 24, 2019
14 hours ago, sait said:
No key for ID:tIedRopeskclmUIXU93bMjDlLFYBHv14rLhk0Ul1 (.kiratos )
Unidentified ID: tIedRopeskclmUIXU93bMjDlLFYBHv14rLhk0Ul1 (.kiratos )
MACs: 18:31:BF:6B:D4:B5
Decrypted 1 files, skipped 9
I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.
sait Posted May 27, 2019
On 5/25/2019 at 7:59 AM, GT500 said: I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.
OK. Don't forget to tell me later
GT500 Posted May 27, 2019
19 minutes ago, sait said: OK. Don't forget to tell me later
If the creator of STOPDecrypter is able to figure out a decryption key for you, then he should contact you privately to let you know.
sait Posted May 27, 2019
38 minutes ago, GT500 said: If the creator of STOPDecrypter is able to figure out a decryption key for you, then he should contact you privately to let you know.
Okay.. thanks boss
SAIWU Posted June 2, 2019
On 5/4/2019 at 7:06 AM, GT500 said: OK. I've already sent your information to the creator of STOPDecrypter, and he'll archive it in case he is able to figure out your decryption key at some point in the future.
What should I do next, Sir? It's almost a month but no reply yet. TIA
GT500 Posted June 3, 2019
On 6/2/2019 at 12:41 PM, SAIWU said: What should I do next, Sir? It's almost a month but no reply yet. TIA
Just give us a little more time.
khan Posted June 8, 2019
Please help me with the kiratos ransomware
[!] No keys were found for the following IDs:
[*] ID: DUAzgfiz8Ug4k3X4t6MN8G37npjIONdl9bHd172u (.kiratos )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:1E:A6:76:DC:06, 00:1E:A6:76:DC:07, 00:25:22:35:C3:CE
This info has also been logged to STOPDecrypter-log.txt
GT500 Posted June 10, 2019
On 6/8/2019 at 12:22 PM, khan said:
Please help me with the kiratos ransomware
[!] No keys were found for the following IDs:
[*] ID: DUAzgfiz8Ug4k3X4t6MN8G37npjIONdl9bHd172u (.kiratos )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:1E:A6:76:DC:06, 00:1E:A6:76:DC:07, 00:25:22:35:C3:CE
This info has also been logged to STOPDecrypter-log.txt
I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.
yousef_elmalk Posted June 16, 2019
On 4/28/2019 at 7:31 PM, Demonslay335 said: Please follow the instructions in the BleepingComputer support topic to give me all of the MAC addresses of the infected PC.
Dear Sir GT500, my files were infected with the .kiratos EXT, and below is my MAC address. Is there any help? And there is a sample file. Thanks in advance
[attachments: MAC_Addresses.txt, 00f43dedbe88a8b4b433cdf289cc1ee1.aac.kiratos.zyaspgnf.kiratos]
GT500 Posted June 17, 2019
On 6/16/2019 at 2:28 PM, yousef_elmalk said: my files were infected with the .kiratos EXT, and below is my MAC address. Is there any help?
While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
yousef_elmalk Posted June 18, 2019
Thanks dear GT500 for your effort, below is the information that you advised me to copy:
[+] Loaded 44 offline keys
Please archive the following info in case of future decryption:
[*] ID: gLS3y0S8B1sLghmJRotI5oE48HO2VRo1i8N8qGoT
[*] MACs: 28:D2:44:4A:78:F0, FC:F8:AE:4D:14:63, FE:F8:AE:4D:14:62, FC:F8:AE:4D:14:62, FC:F8:AE:4D:14:66
This info has also been logged to STOPDecrypter-log.txt
yousef_elmalk Posted June 18, 2019
Thanks dear GT500 for your effort, below is the information that you advised me to copy:
[+] Loaded 44 offline keys
Please archive the following info in case of future decryption:
[*] ID: gLS3y0S8B1sLghmJRotI5oE48HO2VRo1i8N8qGoT
[*] MACs: 28:D2:44:4A:78:F0, FC:F8:AE:4D:14:63, FE:F8:AE:4D:14:62, FC:F8:AE:4D:14:62, FC:F8:AE:4D:14:66
This info has also been logged to STOPDecrypter-log.txt
[attachment: FRST.txt]
yousef_elmalk Posted June 18, 2019
[attachment: FRST.txt]
Amigo-A Posted June 18, 2019
@yousef_elmalk, from your logs:
Quote: Reimage Protector
Uninstall Reimage Protector. It will not protect your PC.
Quote: GridinSoft Anti-Ransomware; Spybot - Search & Destroy 2; Acronis Ransomware Protection
If all this was on your PC before the STOP Ransomware attack with the .kiratos extension, then it should be clear that this will not protect your PC and it will be attacked again.
GT500 Posted June 18, 2019
7 hours ago, yousef_elmalk said:
[+] Loaded 44 offline keys
Please archive the following info in case of future decryption:
[*] ID: gLS3y0S8B1sLghmJRotI5oE48HO2VRo1i8N8qGoT
[*] MACs: 28:D2:44:4A:78:F0, FC:F8:AE:4D:14:63, FE:F8:AE:4D:14:62, FC:F8:AE:4D:14:62, FC:F8:AE:4D:14:66
This info has also been logged to STOPDecrypter-log.txt
I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.
GT500 Posted June 18, 2019
4 hours ago, yousef_elmalk said: [attachment: FRST.txt]
Please download the following fixlist.txt file and save it to the Desktop: https://www.gt500.org/emsisoft/fixlist/2019-06June-18/yousef_elmalk/fixlist.txt
NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.
Run the FRST download from earlier, and press the Fix button just once and wait. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
yousef_elmalk Posted June 19, 2019
Thanks again Mr. GT500
[attachment: Fixlog.txt]
GT500 Posted June 19, 2019
The log shows that everything was deleted OK. Would it be possible to run another scan with FRST and attach the new logs to a reply so that I can make sure the computer appears to be clean now?
yousef_elmalk Posted June 20, 2019
This is the new log, Mr. GT500
[attachment: FRST.txt]
GT500 Posted June 20, 2019
OK, it looks like everything was removed successfully.
Amigo-A Posted June 21, 2019
Quote:
==================== Files in the root of some directories ================
2019-04-26 23:38 - 2019-04-26 23:38 - 000025954 _____ () C:\ProgramData\SMRResults521.dat
2019-04-26 02:24 - 2019-04-26 15:05 - 000000797 _____ () C:\Users\Z\AppData\Roaming\84I5806DL2N.txt.zyaspgnf
2019-04-26 18:07 - 2019-04-26 18:07 - 000000257 _____ () C:\Users\Z\AppData\Roaming\XGB3GJEL1GF.txt
2019-04-26 15:05 - 2019-04-26 15:05 - 000008946 _____ () C:\Users\Z\AppData\Roaming\ZYASPGNF-MANUAL.txt
2019-04-26 15:06 - 2019-04-26 15:06 - 000008946 _____ () C:\Users\Z\AppData\Roaming\Microsoft\ZYASPGNF-MANUAL.txt
2019-04-25 22:44 - 2019-04-25 22:44 - 000016320 _____ () C:\Users\Z\AppData\Local\InstallationConfiguration.xml
2019-04-25 22:44 - 2019-04-25 22:44 - 000140800 _____ () C:\Users\Z\AppData\Local\installer.dat
2019-04-26 02:25 - 2019-04-26 02:25 - 000000049 _____ () C:\Users\Z\AppData\Local\script.ps1
2019-04-25 22:44 - 2019-04-25 22:44 - 000722944 _____ () C:\Users\Z\AppData\Local\sha.db
ZYASPGNF-MANUAL.txt - this file is a ransom note from GandCrab 5.2
84I5806DL2N.txt.zyaspgnf - this file has been encrypted by GandCrab 5.2
script.ps1 - file from other ransomware
GT500 Posted June 21, 2019
1 hour ago, Amigo-A said: script.ps1 - file from other ransomware
That's from STOP/Djvu. Newer variants run a PowerShell script by that name, and download and execute Azorult.
https://www.virustotal.com/gui/file/3ee2282c3a5455cb207f83bd115cddee414708c9c00474aa25b55b81867dbec5/detection (first submission June 17th, 2019)
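As an added example (not code from this thread, from FRST or from STOPDecrypter), a small Python triage pass over the "Files in the root of some directories" lines Amigo-A quoted: it parses the FRST line format, flags the leftover script.ps1 dropper GT500 identifies, ransom notes and encrypted files, and counts how many ransomware extensions a name carries, since the sample file attached earlier in the thread shows two families stacked. The indicator lists, the helper names and the extra sample line are assumptions and constructed data.

```python
import re
from typing import List, Optional, Tuple

# Indicators drawn from this thread (assumption: illustrative, not exhaustive):
# the two encrypting extensions in the FRST excerpt, the STOP/Djvu (_readme.txt)
# and GandCrab (<EXT>-MANUAL.txt) ransom-note names, and the AppData\Local\
# script.ps1 that GT500 attributes to newer STOP/Djvu variants.
ENCRYPTED_EXTS = (".kiratos", ".zyaspgnf")
RANSOM_NOTE_SUFFIXES = ("_readme.txt", "-manual.txt")
DROPPER_RE = re.compile(r"\\appdata\\local\\script\.ps1$", re.IGNORECASE)

# One FRST file line: "created - modified - size flags (company) path".
FRST_LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ \S{5} \([^)]*\) (?P<path>.+)$"
)

# Constructed sample: lines Amigo-A quoted above, plus one made-up line carrying
# the doubly encrypted file name yousef_elmalk attached earlier in the thread.
SAMPLE_LOG = r"""
==================== Files in the root of some directories ================
2019-04-26 23:38 - 2019-04-26 23:38 - 000025954 _____ () C:\ProgramData\SMRResults521.dat
2019-04-26 02:24 - 2019-04-26 15:05 - 000000797 _____ () C:\Users\Z\AppData\Roaming\84I5806DL2N.txt.zyaspgnf
2019-04-26 18:07 - 2019-04-26 18:07 - 000000257 _____ () C:\Users\Z\AppData\Roaming\XGB3GJEL1GF.txt
2019-04-26 15:05 - 2019-04-26 15:05 - 000008946 _____ () C:\Users\Z\AppData\Roaming\ZYASPGNF-MANUAL.txt
2019-04-26 02:25 - 2019-04-26 02:25 - 000000049 _____ () C:\Users\Z\AppData\Local\script.ps1
2019-04-25 22:44 - 2019-04-25 22:44 - 000722944 _____ () C:\Users\Z\AppData\Local\sha.db
2019-04-26 02:30 - 2019-04-26 15:05 - 000001024 _____ () C:\Users\Z\Music\00f43dedbe88a8b4b433cdf289cc1ee1.aac.kiratos.zyaspgnf.kiratos
"""

Finding = Tuple[str, str, str]  # (created, path, reason)


def encryption_layers(name: str) -> List[str]:
    """Peel known ransomware extensions off a file name, outermost first;
    a file hit by two families (as in the thread) shows several layers."""
    layers, low = [], name.lower()
    while low.endswith(ENCRYPTED_EXTS):
        ext = low[low.rfind("."):]
        layers.append(ext)
        low = low[: -len(ext)]
    return layers


def classify(path: str) -> Optional[str]:
    """Return a reason string if the path matches one of the indicators."""
    name = path.rsplit("\\", 1)[-1].lower()
    if DROPPER_RE.search(path):
        return "STOP/Djvu PowerShell dropper (script.ps1) left in AppData\\Local"
    layers = encryption_layers(name)
    if layers:
        return "encrypted file, %d layer(s): %s" % (len(layers), " -> ".join(layers))
    if name.endswith(RANSOM_NOTE_SUFFIXES):
        return "ransom note"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse FRST file lines and keep those matching an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = FRST_LINE_RE.match(line.strip())
        if m is None:
            continue  # section headers and non-file lines
        reason = classify(m["path"])
        if reason:
            findings.append((m["created"], m["path"], reason))
    return findings
```

Running `triage(SAMPLE_LOG)` keeps four of the seven file lines; the benign SMRResults521.dat, XGB3GJEL1GF.txt and sha.db entries are not flagged because this pass only knows the indicators named in the thread.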
yousef_elmalk Posted June 22, 2019
Is there anything needed from my side, Mr. GT500?
GT500 Posted June 22, 2019
5 hours ago, yousef_elmalk said: Is there anything needed from my side, Mr. GT500?
You can run a scan with Emsisoft Emergency Kit if you'd like to ensure that your computer is clean, and you'll want to change any passwords as well, however beyond that all you have left to do is wait until we're able to give you a solution to decrypt your files.
Xcf Posted July 7, 2019
.kiratos virus extension
Personal ID: 072Asdju732sdfAdh1dAZcn629IyyOMmOEYoGDOmaxsTwvupU2MFl0WZV
[attachments: MAC_Addresses.txt, _readme.txt, STOPDecrypter-log.txt, MPC-HC x64.lnk.kiratos]