Renzo

.Bufas ramsonware

By Renzo, in Help, my files are encrypted!

Recommended Posts

Renzo    0

Renzo
Posted

Hi, please i need help, my computer is infected with the .bufas ramsonware, i just clean but i need a decryption tool for .bufas

Thanks a lot

 

 

Share this post

Link to post
Share on other sites

stapp    135

stapp
Posted

It is recommended to upload a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with to this site here:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply so that one of our experts can review them.

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted

Note that while STOPDecrypter more than likely won't be able to decrypt your files, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted
11 hours ago, nhamed said:

I tried STOPDecrypter but did't worked.

That's expected.

Did STOPDecrypter give you the information described at the following link?
https://kb.gt500.org/stopdecrypter

If so, please copy and paste it into a reply, and I'll forward it to the creator of STOPDecrypter so that he archive it in case he is able to figure out your decryption key at some point in the future.

Share this post

Link to post
Share on other sites

Surya dinata    1

Surya dinata
Posted

My files are decrypted by this bufas, too..

pleasee.. help me, i try STOPDecrypter v2.1.0.4

 

[!] No keys were found for the following IDs:
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.rar )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.exe )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.xlsx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.docx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.jpg )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: D0:50:99:4B:9B:84

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Renzo

Surya dinata

Before you decrypt the files, you need to make sure that there is neither this infection nor any other infection on the PC. We have seen cases when those who suffered from previous versions successfully decrypted files, but then they were attacked by the same encryptor, which encrypted files with a different extension, and used an encryption key that cannot be calculated. In punishment for haste and complacency, the user lost his files a second time and, possibly, forever.

As experience shows, very often after encryption on a PC, this or another infection remains, which you could get together with the encryptor.
Malicious programs often work in groups: trojans of a different type, password hijackers, backdoors, dormant malware, dangerous browser plugins.
Therefore, I advise you to check your PC for active and dormant malware. This can be done here in the forum in the next section.

Share this post

Link to post
Share on other sites

Surya dinata    1

Surya dinata
Posted

I have done a scaning process with several antiviruses and I am sure it is free of malware.
I have also run stopdecripter v2.1.0.5, but the results remain the same.

[!] No keys were found for the following IDs:
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.rar )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.exe )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.xlsx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.docx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.jpg )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: D0:50:99:4B:9B:84

 

please help me...

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Surya dinata

Your data will be recorded. Today is the weekend.

Smart heads must sometimes rest in order to work well afterwards. 😊

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted
On 5/18/2019 at 5:23 AM, Surya dinata said:

[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )

At first glance, that looks like an offline ID. It's possible that support for it hasn't been added to STOPDecrypter yet. I'll ask the creator of STOPDecrypter about it.

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted
2 minutes ago, GT500 said:

I'll ask the creator of STOPDecrypter about it.

He told me he hasn't been able to get his hands on a copy of this variant of STOP/Djvu yet, but as soon as he does he'll be able to pull the offline ID and key from it and add them to STOPDecrypter.

Share this post

Link to post
Share on other sites

Surya dinata    1

Surya dinata
Posted
8 hours ago, GT500 said:

He told me he hasn't been able to get his hands on a copy of this variant of STOP/Djvu yet, but as soon as he does he'll be able to pull the offline ID and key from it and add them to STOPDecrypter.

Thank you very much for the response.

I will still be waiting for the new version them STOPDescrypter.

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Many victims managed to find and download malicious files for Demonslay335. This is possible even in spite of the fact that the STOP Ransomware does a wipe of its files. You can carefully and safely collect malware files from temporary directories and (only do not run anything!) and put into a common archive with a password.

Probably, experts Emsisoft could make instructions for manual collection or expand the functionality of the Emsisoft Emergency Kit program for collecting such files in hot pursuit from temporary directories, to put them in a special archive, and not in Quarantine. Something like Temp Files Collector..

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Surya dinata

When using the tool Emsisoft Emergency Kit, detected threats can be quarantined or deleted.
Emsisoft recommends quarantining threats. In this case, the threat will not be active and will not cause harm, but will be useful for recovery, if it is a false detection, or for research, as in your case.

But if you chose to delete, the files were safely deleted without the possibility of recovery.

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted
9 hours ago, Surya dinata said:

Now I want to restore my files are decrypted by this bufas.

Would you happen to know where the infection came from? If you can send us a copy of the source for the infection, we can take a look at it. If we can get our hands on this variant of the ransomware and forward it to the guy who makes STOPDecrypter, then he'd be able to take a look at it as well. If I'm right about your ID being an offline ID, then your files would be decryptable.

Share this post

Link to post
Share on other sites

Surya dinata    1

Surya dinata
Posted
1 hour ago, GT500 said:

Would you happen to know where the infection came from? If you can send us a copy of the source for the infection, we can take a look at it. If we can get our hands on this variant of the ransomware and forward it to the guy who makes STOPDecrypter, then he'd be able to take a look at it as well. If I'm right about your ID being an offline ID, then your files would be decryptable.

I don't know the source of the infection MR, By the why the contents quarantina has ben delete by the avast boots scan. Here I'm attach the log from EEK, i don't know  whether this can help.

sory my bad english... 

1.jpg
Download Image

  • Upvote 1

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Only candidate in this list - TrojanGenericKD.31967470 in CupVAUuPRKt.dll

In my list him is not. But my list is also not complete, it is only what I was able to collect

Quote

BitDefender -> Gen:Heur.Ransom.RTH.1, Trojan.Ransom.Stop.A, DeepScan:Generic.Ransom.Stop.*,

Trojan.GenericKD.31342714, *.31369885, *.31500621, *.31514824, *.31517950, *.31534187, *.31534080, *.31575808, .31691360, *.31787961, *.31789478, *.31806757, *.31809991, *.31822410, *.31823954, *.31838431, *.40765609, *.40841043, *.40878732, *.40887380, *.41139976, *.41149918, *.41197210, *.41257217, *.41271436 

list7.png.c7f36fa2c8a4a12abfa36336ffc56a4f.png
Download Image

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Surya dinata

You have shown the "Logs" tab. Are there objects in the "Quarantine" tab?

In this case, your need export the TrojanGenericKD.31967470 file for expert analysis.

 

 

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted

@Surya dinata when you look at your logs in EEK, there's an Export button in the lower-left that will allow you to save a copy of the log. Could you please save it somewhere easy to find, and then attach it to a reply for me?

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted

FYI: While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

Share this post

Link to post
Share on other sites

Surya dinata    1

Surya dinata
Posted
5 hours ago, GT500 said:

@Surya dinata when you look at your logs in EEK, there's an Export button in the lower-left that will allow you to save a copy of the log. Could you please save it somewhere easy to find, and then attach it to a reply for me?

dear @GT500 

Here I attach the results of export logs in EEK, thank you..

Forensics_190523-115240.txt logs.db3

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted
18 hours ago, Surya dinata said:

I also attach the following download link for example files that are encrypted by malware, key ID and mac address

https://t.co/71cKY58CTA

It looks like you had already posted the ID's and MAC addresses. Is this from another computer, or the same one?

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted
17 hours ago, Surya dinata said:

Here I attach the results of export logs in FRST, thank you..

Addition_23-05-2019 13.24.30.txt 18.56 kB · 1 download FRST_23-05-2019 13.24.30.txt 67.11 kB · 1 download

It looks like there's no active infection. I've forwarded what I can think might be helpful from your logs to the creator of STOPDecrypter so that he can try to figure out where the ransomware came from and hopefully get the offline ID and key from it.

Share this post

Link to post
Share on other sites

Surya dinata    1

Surya dinata
Posted
10 hours ago, GT500 said:

It looks like you had already posted the ID's and MAC addresses. Is this from another computer, or the same one? 

it is the same computer ID and MAC address

Share this post

Link to post
Share on other sites

Surya dinata    1

Surya dinata
Posted
9 hours ago, GT500 said:

It looks like there's no active infection. I've forwarded what I can think might be helpful from your logs to the creator of STOPDecrypter so that he can try to figure out where the ransomware came from and hopefully get the offline ID and key from it. 

thank you mr
I'm waiting for the results,
I really hope for help from the masters here, hopefully the offline ID and quick key are found

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted

Hopefully it won't be much longer before he's able to find the offline ID and key for this variant of STOP/Djvu. ;)

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted
15 hours ago, Surya dinata said:

I want to ask, have you found a solution about ransomware that infects my computer?

We're still working on it. It's going to take a bit more time.

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Of course.

Leave all ransom notes in folders with files.

Send to free disk space or external drive and reinstall Windows.

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted
19 hours ago, Surya dinata said:

ooh Mr @GT500, I want to ask again, while waiting, can I reinstall the mycomputer??

In addition to making backups of all encrypted files and the ransom notes, I recommend making a backup copy of the following folder before reinstalling Windows: 

C:\SystemID

The information contained in this folder is technically redundant (it's in all of the ransom notes as well), however it makes it faster for the decrypter to find your ID.

Once you made backup copies of everything you need to keep, then feel free to reinstall Windows.

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted

We may not have the offline key for the .bufas variant. In that case, you'll need to follow the instructions in the BleepingComputer article for submitting proper file pairs so that the decryption service can figure out how to decrypt your files.
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/

Share this post

Link to post
Share on other sites

GT500    657

GT500
Posted

I've confirmed that we don't have the offline key for the .bufas variant. If you can supply file pairs, then you should still be able to decrypt most of your files.

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted
9 hours ago, GT500 said:

If you can supply file pairs, then you should still be able to decrypt most of your files.

@Surya dinata

With the new decryption service, you need to find the largest encrypted files of different formats (PNG, JPG, JPEG, PDF, DOC, DOCX, MP3, MP4 ...) and the original unencrypted file for each type. Then upload it to the service. If the decryption service will found the decryption key, then all files of this type can be decrypted.
Also you need to do with each file type (PNG, JPG, JPEG, PDF, DOC, DOCX, MP3, MP4 ...) that you need to decrypt.

At first glance it seems that it is impossible to find a pair of encrypted + original files, but this is not so.

Here is a sample list where you can find the originals of the encrypted files :

1) on flash drives, external drives, CD / DVD, memory cards of the camera, phone;
2) in attachments of emails sent or received by you;
3) among the copies of shared photos of friends, relatives (in their PC) that you gave;
4) among the uploaded photos in the social. networks, including via smartphone and tablet;
5) among the uploaded photos to cloud services (Google Disk,  OneDrive, Yandex Disk etc.);
6) on the sites of ads, forums, where you could previously send photos or images;
7) among unencrypted files, copies, renamed files on your PC;
8 ) on an old PC or disk, from where you transferred photos and documents to a new PC;
9) you can re-upload from the Internet previously downloaded photos, pictures, etc .;
10) you can use sample images supplied with Windows;
11) take photos or pictures that you previously posted on the avatar on the forums.
12) extract previously deleted files from the Recycle Bin or restore it with a special program.
 
If decryption failed ...
 
It is possible that the original file was an inaccurate copy of the encrypted. This could be due to the fact that earlier you yourself reduced or corrected it in the editor, or uploaded to social networks, cloud services, and there the file was somehow automatically changed.
Look for more files and try different pairs of encrypted and original files with the same name. Very often files can have the same name, but are not a copy of each other. Vocabulary used in any language is limited. The possibilities of PCs, cameras and other devices for taking photos are also limited. In cameras and mobile devices, names for photos are given automatically according to a specific format, so photos with the name from IMG_0001.JPG to IMG_9999.JPG can be quite a lot in different years. Smartphones can give photos more original names, such as IMG_20171012_170451.jpg - here and the date of shooting, and the sequence number, thus the repetition of the name is unlikely.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go To Topic Listing

  • Recently Browsing   0 members

    No registered users viewing this page.