.Bufas ramsonware

[Renzo 0]

Hi, please i need help, my computer is infected with the .bufas ramsonware, i just clean but i need a decryption tool for .bufas

Thanks a lot

 

 

[stapp 130]

It is recommended to upload a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with to this site here:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply so that one of our experts can review them.

[Amigo-A 44]

Extension .bufas - this is the result of the attack of new variant Stop Ransomware

This was confirmed yesterday.

[GT500 593]

Note that while STOPDecrypter more than likely won't be able to decrypt your files, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

[nhamed 0]

My files are decrypted by this bufas, too. I tried STOPDecrypter but did't worked.

 

 

 

[GT500 593]

11 hours ago, nhamed said:

I tried STOPDecrypter but did't worked.

That's expected.

Did STOPDecrypter give you the information described at the following link?
https://kb.gt500.org/stopdecrypter

If so, please copy and paste it into a reply, and I'll forward it to the creator of STOPDecrypter so that he archive it in case he is able to figure out your decryption key at some point in the future.

[Surya dinata 1]

My files are decrypted by this bufas, too..

pleasee.. help me, i try STOPDecrypter v2.1.0.4

 

[!] No keys were found for the following IDs:
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.rar )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.exe )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.xlsx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.docx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.jpg )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: D0:50:99:4B:9B:84

[Amigo-A 44]

Renzo

Surya dinata

Before you decrypt the files, you need to make sure that there is neither this infection nor any other infection on the PC. We have seen cases when those who suffered from previous versions successfully decrypted files, but then they were attacked by the same encryptor, which encrypted files with a different extension, and used an encryption key that cannot be calculated. In punishment for haste and complacency, the user lost his files a second time and, possibly, forever.

As experience shows, very often after encryption on a PC, this or another infection remains, which you could get together with the encryptor.
Malicious programs often work in groups: trojans of a different type, password hijackers, backdoors, dormant malware, dangerous browser plugins.
Therefore, I advise you to check your PC for active and dormant malware. This can be done here in the forum in the next section.

[Surya dinata 1]

I have done a scaning process with several antiviruses and I am sure it is free of malware.
I have also run stopdecripter v2.1.0.5, but the results remain the same.

[!] No keys were found for the following IDs:
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.rar )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.exe )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.xlsx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.docx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.jpg )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: D0:50:99:4B:9B:84

 

please help me...

[Amigo-A 44]

Surya dinata

Your data will be recorded. Today is the weekend.

Smart heads must sometimes rest in order to work well afterwards. 😊

[Surya dinata 1]

okay, thank you for the response.
I'm waiting for the solution.

 

[GT500 593]

On 5/18/2019 at 5:23 AM, Surya dinata said:

[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )

At first glance, that looks like an offline ID. It's possible that support for it hasn't been added to STOPDecrypter yet. I'll ask the creator of STOPDecrypter about it.

[GT500 593]

2 minutes ago, GT500 said:

I'll ask the creator of STOPDecrypter about it.

He told me he hasn't been able to get his hands on a copy of this variant of STOP/Djvu yet, but as soon as he does he'll be able to pull the offline ID and key from it and add them to STOPDecrypter.

[Surya dinata 1]

8 hours ago, GT500 said:

He told me he hasn't been able to get his hands on a copy of this variant of STOP/Djvu yet, but as soon as he does he'll be able to pull the offline ID and key from it and add them to STOPDecrypter.

Thank you very much for the response.

I will still be waiting for the new version them STOPDescrypter.

[Amigo-A 44]

Many victims managed to find and download malicious files for Demonslay335. This is possible even in spite of the fact that the STOP Ransomware does a wipe of its files. You can carefully and safely collect malware files from temporary directories and (only do not run anything!) and put into a common archive with a password.

Probably, experts Emsisoft could make instructions for manual collection or expand the functionality of the Emsisoft Emergency Kit program for collecting such files in hot pursuit from temporary directories, to put them in a special archive, and not in Quarantine. Something like Temp Files Collector..

[Surya dinata 1]

I have use Emsisoft Emergency Kit program, and has removed detected malware. Now I want to restore my files are decrypted by this bufas.

Please.... help me Mr...

[Amigo-A 44]

Surya dinata

When using the tool Emsisoft Emergency Kit, detected threats can be quarantined or deleted.
Emsisoft recommends quarantining threats. In this case, the threat will not be active and will not cause harm, but will be useful for recovery, if it is a false detection, or for research, as in your case.

But if you chose to delete, the files were safely deleted without the possibility of recovery.

[Surya dinata 1]

detected threats, i'mquarantined

[GT500 593]

9 hours ago, Surya dinata said:

Now I want to restore my files are decrypted by this bufas.

Would you happen to know where the infection came from? If you can send us a copy of the source for the infection, we can take a look at it. If we can get our hands on this variant of the ransomware and forward it to the guy who makes STOPDecrypter, then he'd be able to take a look at it as well. If I'm right about your ID being an offline ID, then your files would be decryptable.

[Surya dinata 1]

1 hour ago, GT500 said:

Would you happen to know where the infection came from? If you can send us a copy of the source for the infection, we can take a look at it. If we can get our hands on this variant of the ransomware and forward it to the guy who makes STOPDecrypter, then he'd be able to take a look at it as well. If I'm right about your ID being an offline ID, then your files would be decryptable.

I don't know the source of the infection MR, By the why the contents quarantina has ben delete by the avast boots scan. Here I'm attach the log from EEK, i don't know  whether this can help.

sory my bad english... 

Download Image

[Amigo-A 44]

Only candidate in this list - TrojanGenericKD.31967470 in CupVAUuPRKt.dll

In my list him is not. But my list is also not complete, it is only what I was able to collect. 

Quote

BitDefender -> Gen:Heur.Ransom.RTH.1, Trojan.Ransom.Stop.A, DeepScan:Generic.Ransom.Stop.*,

Trojan.GenericKD.31342714, *.31369885, *.31500621, *.31514824, *.31517950, *.31534187, *.31534080, *.31575808, .31691360, *.31787961, *.31789478, *.31806757, *.31809991, *.31822410, *.31823954, *.31838431, *.40765609, *.40841043, *.40878732, *.40887380, *.41139976, *.41149918, *.41197210, *.41257217, *.41271436 

Download Image

[Amigo-A 44]

Surya dinata

You have shown the "Logs" tab. Are there objects in the "Quarantine" tab?

In this case, your need export the TrojanGenericKD.31967470 file for expert analysis.

 

 

[Surya dinata 1]

no object in quarantine (quarantine tap is empty)

[GT500 593]

@Surya dinata when you look at your logs in EEK, there's an Export button in the lower-left that will allow you to save a copy of the log. Could you please save it somewhere easy to find, and then attach it to a reply for me?

[GT500 593]

FYI: While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

[Surya dinata 1]

5 hours ago, GT500 said:

@Surya dinata when you look at your logs in EEK, there's an Export button in the lower-left that will allow you to save a copy of the log. Could you please save it somewhere easy to find, and then attach it to a reply for me?

dear @GT500 

Here I attach the results of export logs in EEK, thank you..

Forensics_190523-115240.txt logs.db3

[Surya dinata 1]

I also attach the following download link for example files that are encrypted by malware, key ID and mac address

https://t.co/71cKY58CTA

[Surya dinata 1]

Here I attach the results of export logs in FRST, thank you..

 

Addition_23-05-2019 13.24.30.txt FRST_23-05-2019 13.24.30.txt

[GT500 593]

18 hours ago, Surya dinata said:

I also attach the following download link for example files that are encrypted by malware, key ID and mac address

https://t.co/71cKY58CTA

It looks like you had already posted the ID's and MAC addresses. Is this from another computer, or the same one?

[GT500 593]

17 hours ago, Surya dinata said:

Here I attach the results of export logs in FRST, thank you..

Addition_23-05-2019 13.24.30.txt 18.56 kB · 1 download FRST_23-05-2019 13.24.30.txt 67.11 kB · 1 download

It looks like there's no active infection. I've forwarded what I can think might be helpful from your logs to the creator of STOPDecrypter so that he can try to figure out where the ransomware came from and hopefully get the offline ID and key from it.

[Surya dinata 1]

10 hours ago, GT500 said:

It looks like you had already posted the ID's and MAC addresses. Is this from another computer, or the same one?

it is the same computer ID and MAC address

[Surya dinata 1]

9 hours ago, GT500 said:

It looks like there's no active infection. I've forwarded what I can think might be helpful from your logs to the creator of STOPDecrypter so that he can try to figure out where the ransomware came from and hopefully get the offline ID and key from it.

thank you mr
I'm waiting for the results,
I really hope for help from the masters here, hopefully the offline ID and quick key are found

[GT500 593]

Hopefully it won't be much longer before he's able to find the offline ID and key for this variant of STOP/Djvu.

[Surya dinata 1]

Thank you mr.. Hope It's not long..

[Surya dinata 1]

Hello Mr. @GT500

I want to ask, have you found a solution about ransomware that infects my computer?

thanks before

[GT500 593]

15 hours ago, Surya dinata said:

I want to ask, have you found a solution about ransomware that infects my computer?

We're still working on it. It's going to take a bit more time.

[Surya dinata 1]

ok thank you, i will still waiting,

ooh Mr @GT500, I want to ask again, while waiting, can I reinstall the mycomputer??

 

[Amigo-A 44]

Surya dinata

We wait and hope together with you.

[Surya dinata 1]

@Amigo-A while waiting, can I reinstall the mycomputer?

[Amigo-A 44]

Of course.

Leave all ransom notes in folders with files.

Send to free disk space or external drive and reinstall Windows.

[GT500 593]

19 hours ago, Surya dinata said:

ooh Mr @GT500, I want to ask again, while waiting, can I reinstall the mycomputer??

In addition to making backups of all encrypted files and the ransom notes, I recommend making a backup copy of the following folder before reinstalling Windows:

C:\SystemID

The information contained in this folder is technically redundant (it's in all of the ransom notes as well), however it makes it faster for the decrypter to find your ID.

Once you made backup copies of everything you need to keep, then feel free to reinstall Windows.

[GT500 593]

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

[Surya dinata 1]

 dear @GT500

the results still can't be encripted

Download Image

[GT500 593]

We may not have the offline key for the .bufas variant. In that case, you'll need to follow the instructions in the BleepingComputer article for submitting proper file pairs so that the decryption service can figure out how to decrypt your files.
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/

[GT500 593]

I've confirmed that we don't have the offline key for the .bufas variant. If you can supply file pairs, then you should still be able to decrypt most of your files.

[Amigo-A 44]

9 hours ago, GT500 said:

If you can supply file pairs, then you should still be able to decrypt most of your files.

@Surya dinata

With the new decryption service, you need to find the largest encrypted files of different formats (PNG, JPG, JPEG, PDF, DOC, DOCX, MP3, MP4 ...) and the original unencrypted file for each type. Then upload it to the service. If the decryption service will found the decryption key, then all files of this type can be decrypted.
Also you need to do with each file type (PNG, JPG, JPEG, PDF, DOC, DOCX, MP3, MP4 ...) that you need to decrypt.

At first glance it seems that it is impossible to find a pair of encrypted + original files, but this is not so.

Here is a sample list where you can find the originals of the encrypted files :

1) on flash drives, external drives, CD / DVD, memory cards of the camera, phone;
2) in attachments of emails sent or received by you;
3) among the copies of shared photos of friends, relatives (in their PC) that you gave;
4) among the uploaded photos in the social. networks, including via smartphone and tablet;
5) among the uploaded photos to cloud services (Google Disk,  OneDrive, Yandex Disk etc.);
6) on the sites of ads, forums, where you could previously send photos or images;
7) among unencrypted files, copies, renamed files on your PC;
8 ) on an old PC or disk, from where you transferred photos and documents to a new PC;
9) you can re-upload from the Internet previously downloaded photos, pictures, etc .;
10) you can use sample images supplied with Windows;
11) take photos or pictures that you previously posted on the avatar on the forums.
12) extract previously deleted files from the Recycle Bin or restore it with a special program.
 
If decryption failed ...
 
It is possible that the original file was an inaccurate copy of the encrypted. This could be due to the fact that earlier you yourself reduced or corrected it in the editor, or uploaded to social networks, cloud services, and there the file was somehow automatically changed.
Look for more files and try different pairs of encrypted and original files with the same name. Very often files can have the same name, but are not a copy of each other. Vocabulary used in any language is limited. The possibilities of PCs, cameras and other devices for taking photos are also limited. In cameras and mobile devices, names for photos are given automatically according to a specific format, so photos with the name from IMG_0001.JPG to IMG_9999.JPG can be quite a lot in different years. Smartphones can give photos more original names, such as IMG_20171012_170451.jpg - here and the date of shooting, and the sequence number, thus the repetition of the name is unlikely.