Hi, please, I need help. My computer is infected with the .bufas ransomware. I just cleaned it, but I need a decryption tool for .bufas.

Thanks a lot

It is recommended to upload a copy of the ransom note along with an encrypted file to ID Ransomware, at the site below, so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply so that one of our experts can review them.

Note that while STOPDecrypter more than likely won't be able to decrypt your files, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

11 hours ago, nhamed said:

I tried STOPDecrypter, but it didn't work.

That's expected.

Did STOPDecrypter give you the information described at the following link?
https://kb.gt500.org/stopdecrypter

If so, please copy and paste it into a reply, and I'll forward it to the creator of STOPDecrypter so that he can archive it in case he is able to figure out your decryption key at some point in the future.

My files are decrypted by this bufas, too.

Please help me. I tried STOPDecrypter v2.1.0.4.

[!] No keys were found for the following IDs:
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.rar )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.exe )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.xlsx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.docx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.jpg )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: D0:50:99:4B:9B:84

Renzo

Surya dinata

Before you decrypt the files, you need to make sure that there is neither this infection nor any other infection on the PC. We have seen cases where those who suffered from previous versions successfully decrypted their files but were then attacked by the same encryptor, which encrypted the files with a different extension and used an encryption key that cannot be calculated. As punishment for haste and complacency, the user lost his files a second time and, possibly, forever.

As experience shows, very often some infection remains on the PC after encryption, whether this one or another that arrived together with the encryptor.
Malicious programs often work in groups: trojans of different types, password hijackers, backdoors, dormant malware, dangerous browser plugins.
Therefore, I advise you to check your PC for active and dormant malware. This can be done here in the forum, in the next section.

I have done a scanning process with several antiviruses and I am sure it is free of malware.
I have also run STOPDecrypter v2.1.0.5, but the results remain the same.

[!] No keys were found for the following IDs:
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.rar )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.exe )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.xlsx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.docx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.jpg )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: D0:50:99:4B:9B:84

please help me...

Surya dinata

Your data will be recorded. Today is the weekend.

Smart heads must sometimes rest in order to work well afterwards. 😊

On 5/18/2019 at 5:23 AM, Surya dinata said:

[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )

At first glance, that looks like an offline ID. It's possible that support for it hasn't been added to STOPDecrypter yet. I'll ask the creator of STOPDecrypter about it.
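
The STOPDecrypter output pasted earlier in this thread, together with the offline-ID remark just above, as an added example that is not part of the original posts and is not code from Emsisoft or from STOPDecrypter: a small Python script that parses the tool's "No keys were found" report, groups the IDs by file extension, collects the MAC addresses and flags which IDs look like offline IDs. The offline test used here is the commonly cited rule of thumb that STOP/Djvu offline IDs end in "t1"; treat that as an assumption of the script, not something this thread confirms. The first ID and the MAC in the sample are the ones posted above; the second ID is constructed for the demo.

```python
"""Triage STOPDecrypter's "No keys were found" output.

Added example for this thread; it is not code from the original posts, from
Emsisoft, or from STOPDecrypter. It parses the "[*] ID:" and "[*] MACs:" lines
the tool prints, groups IDs by file extension, de-duplicates MAC addresses and
flags which IDs look like offline IDs. The offline test is the commonly cited
rule of thumb that STOP/Djvu offline IDs end in "t1"; that rule is an
assumption of this script, not something the thread states.
"""
import re
from dataclasses import dataclass, field

ID_LINE = re.compile(r"^\[\*\]\s*ID:\s*(?P<id>\S+)\s*\((?P<ext>\.[^\s)]*)\s*\)")
MAC_LINE = re.compile(r"^\[\*\]\s*MACs?:\s*(?P<macs>.+)$")
MAC = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$")


def looks_offline(victim_id: str) -> bool:
    """Assumed heuristic: STOP/Djvu offline IDs end with the letters 't1'."""
    return victim_id.endswith("t1")


@dataclass
class Report:
    ids: dict = field(default_factory=dict)   # victim ID -> set of extensions
    macs: list = field(default_factory=list)  # unique, upper-cased, in order seen

    def offline_ids(self) -> list:
        return sorted(i for i in self.ids if looks_offline(i))

    def online_ids(self) -> list:
        return sorted(i for i in self.ids if not looks_offline(i))


def parse_report(text: str) -> Report:
    """Extract IDs, their extensions and MAC addresses from STOPDecrypter output."""
    report = Report()
    for raw in text.splitlines():
        line = raw.strip()
        m = ID_LINE.match(line)
        if m:
            report.ids.setdefault(m["id"], set()).add(m["ext"])
            continue
        m = MAC_LINE.match(line)
        if m:
            for mac in re.split(r"[,\s]+", m["macs"]):
                mac = mac.upper()
                if MAC.match(mac) and mac not in report.macs:
                    report.macs.append(mac)
    return report


def summarize(report: Report) -> dict:
    """Plain-data summary suitable for pasting into a reply or archiving."""
    return {
        "ids": {i: sorted(exts) for i, exts in report.ids.items()},
        "offline": report.offline_ids(),
        "online": report.online_ids(),
        "macs": list(report.macs),
    }


# The first ID and the MAC are copied from the output posted in this thread;
# the second ID is constructed for the demo to show a non-offline-looking ID.
SAMPLE_OUTPUT = """\
[!] No keys were found for the following IDs:
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.rar )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.exe )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.xlsx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.docx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.jpg )
[*] ID: c0nstructedOnlineIdForDemoOnly000000abcd (.docx )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: D0:50:99:4B:9B:84
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_report(SAMPLE_OUTPUT)), indent=2))
```

Why the distinction matters for the discussion above: an offline ID corresponds to a key built into that particular build of the ransomware, which is why a copy of the variant lets the decryptor's author extract the ID and key and add them to the tool, as GT500 describes below; an online ID was generated with a per-victim key fetched from the attackers' server, and no sample of the malware will yield it.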

2 minutes ago, GT500 said:

I'll ask the creator of STOPDecrypter about it.

He told me he hasn't been able to get his hands on a copy of this variant of STOP/Djvu yet, but as soon as he does he'll be able to pull the offline ID and key from it and add them to STOPDecrypter.

8 hours ago, GT500 said:

He told me he hasn't been able to get his hands on a copy of this variant of STOP/Djvu yet, but as soon as he does he'll be able to pull the offline ID and key from it and add them to STOPDecrypter.

Thank you very much for the response.

I will still be waiting for the new version of STOPDecrypter.

Many victims managed to find and download malicious files for Demonslay335. This is possible even in spite of the fact that the STOP Ransomware wipes its own files. You can carefully and safely collect malware files from temporary directories (only do not run anything!) and put them into a common archive with a password.

Probably, Emsisoft experts could write instructions for manual collection, or expand the functionality of the Emsisoft Emergency Kit program to collect such files in hot pursuit from temporary directories and put them in a special archive, not in Quarantine. Something like a Temp Files Collector.

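One way to do the collection described in the post above, as an added example that is not code from the original thread, from Emsisoft, or from Emsisoft Emergency Kit: a Python script that walks temp directories, picks recently modified files with executable-type extensions, reads them only to hash them, and stores them in a zip under renamed ".bin" entries with a manifest of path, size, mtime and SHA-256. The default directory list, the extension list and the seven-day window are assumptions chosen for this example. Python's zipfile module cannot write password-protected archives, so the password is applied afterwards with 7-Zip; the `7z a -p... -mhe=on` invocation in the docstring is the usual way to do that and is not something the thread prescribes. The sample tree built by `run_demo()` is constructed data, not real malware.

```python
"""Collect recently written executables from temp directories for analysis.

Added example for this thread; it is not code from the original posts or from
Emsisoft, and it is not how Emsisoft Emergency Kit works. It walks the given
directories (on Windows a reasonable default is %TEMP%, %LOCALAPPDATA%\\Temp
and C:\\Windows\\Temp), picks files with suspect extensions modified within the
last N days, reads them only to hash them, stores each inside a zip under a
renamed ".bin" entry so nothing in the archive is double-clickable, and writes
a manifest.json with the original path, size, mtime and SHA-256. The zipfile
module cannot write password-protected archives, so the password step is done
afterwards with 7-Zip, e.g.:  7z a -pinfected -mhe=on samples.7z samples.zip
"""
import hashlib
import json
import os
import tempfile
import time
import zipfile
from pathlib import Path

# Assumed list of extensions worth collecting; adjust for the case at hand.
SUSPECT_EXTS = {".exe", ".dll", ".tmp", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr"}


def default_temp_dirs() -> list:
    """Typical Windows temp locations; missing ones are skipped by the walker."""
    dirs = [tempfile.gettempdir()]
    for var, sub in (("LOCALAPPDATA", "Temp"), ("SystemRoot", "Temp")):
        base = os.environ.get(var)
        if base:
            dirs.append(os.path.join(base, sub))
    return dirs


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:                  # read only; never execute
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def candidate_files(dirs, max_age_days: float = 7, exts=SUSPECT_EXTS) -> list:
    """Regular files with a suspect extension modified within max_age_days."""
    cutoff = time.time() - max_age_days * 86400
    found = []
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            try:
                if p.is_symlink() or not p.is_file():
                    continue
                st = p.stat()
            except OSError:                      # locked or vanished file
                continue
            if st.st_mtime >= cutoff and p.suffix.lower() in exts:
                found.append((p, st))
    return sorted(found, key=lambda t: str(t[0]))


def collect(dirs, archive_path, max_age_days: float = 7, exts=SUSPECT_EXTS) -> list:
    """Write the candidates into archive_path (a zip) and return the manifest."""
    manifest = []
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for n, (p, st) in enumerate(candidate_files(dirs, max_age_days, exts)):
            arcname = f"{n:04d}_{p.name}.bin"    # defanged name inside the zip
            zf.write(p, arcname)
            manifest.append({
                "archive_name": arcname,
                "original_path": str(p),
                "size": st.st_size,
                "mtime": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(st.st_mtime)),
                "sha256": sha256_of(p),
            })
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return manifest


SAMPLE_BYTES = b"MZ constructed sample, not a real PE"   # constructed demo content


def run_demo() -> dict:
    """Self-contained demo on a constructed temp tree (sample data, not real malware)."""
    base = Path(tempfile.mkdtemp(prefix="collect_demo_"))
    (base / "sub").mkdir()
    (base / "sub" / "dropper.exe").write_bytes(SAMPLE_BYTES)
    (base / "notes.txt").write_text("ignored: not a suspect extension")
    stale = base / "stale.dll"                    # suspect extension, but too old
    stale.write_bytes(b"constructed sample older than the window")
    month_ago = time.time() - 30 * 86400
    os.utime(stale, (month_ago, month_ago))
    archive = base / "samples.zip"
    manifest = collect([base], archive)
    with zipfile.ZipFile(archive) as zf:
        names = sorted(zf.namelist())
    return {"manifest": manifest, "zip_entries": names,
            "expected_sha256": hashlib.sha256(SAMPLE_BYTES).hexdigest()}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

For a real machine call `collect(default_temp_dirs(), "samples.zip")` as soon as possible after the encryption, since the post notes that STOP wipes its own files; the manifest's hashes let an analyst confirm the archive was not altered in transit, and the ".bin" renaming plus the 7-Zip password keep the archive from being executed or flagged on the way. As the later reply in this thread points out, Emsisoft Emergency Kit's Quarantine already preserves detected files; this script is for the case where nothing was quarantined.
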
Surya dinata

When using the tool Emsisoft Emergency Kit, detected threats can be quarantined or deleted.
Emsisoft recommends quarantining threats. In this case, the threat will not be active and will not cause harm, but will be useful for recovery, if it is a false detection, or for research, as in your case.

But if you chose to delete, the files were safely deleted without the possibility of recovery.

9 hours ago, Surya dinata said:

Now I want to restore my files, which are decrypted by this bufas.

Would you happen to know where the infection came from? If you can send us a copy of the source for the infection, we can take a look at it. If we can get our hands on this variant of the ransomware and forward it to the guy who makes STOPDecrypter, then he'd be able to take a look at it as well. If I'm right about your ID being an offline ID, then your files would be decryptable.

1 hour ago, GT500 said:

Would you happen to know where the infection came from? If you can send us a copy of the source for the infection, we can take a look at it. If we can get our hands on this variant of the ransomware and forward it to the guy who makes STOPDecrypter, then he'd be able to take a look at it as well. If I'm right about your ID being an offline ID, then your files would be decryptable.

I don't know the source of the infection, Mr. By the way, the contents of quarantine have been deleted by the Avast boot scan. Here I attach the log from EEK; I don't know whether this can help.

Sorry for my bad English...

1.jpg

The only candidate in this list is TrojanGenericKD.31967470 in CupVAUuPRKt.dll.

It is not in my list. But my list is also not complete; it is only what I was able to collect.

Quote

BitDefender -> Gen:Heur.Ransom.RTH.1, Trojan.Ransom.Stop.A, DeepScan:Generic.Ransom.Stop.*,

Trojan.GenericKD.31342714, *.31369885, *.31500621, *.31514824, *.31517950, *.31534187, *.31534080, *.31575808, *.31691360, *.31787961, *.31789478, *.31806757, *.31809991, *.31822410, *.31823954, *.31838431, *.40765609, *.40841043, *.40878732, *.40887380, *.41139976, *.41149918, *.41197210, *.41257217, *.41271436

list7.png

Surya dinata

You have shown the "Logs" tab. Are there objects in the "Quarantine" tab?

In this case, you need to export the TrojanGenericKD.31967470 file for expert analysis.

@Surya dinata when you look at your logs in EEK, there's an Export button in the lower-left that will allow you to save a copy of the log. Could you please save it somewhere easy to find, and then attach it to a reply for me?

FYI: While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on the computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

5 hours ago, GT500 said:

@Surya dinata when you look at your logs in EEK, there's an Export button in the lower-left that will allow you to save a copy of the log. Could you please save it somewhere easy to find, and then attach it to a reply for me?

Dear @GT500,

Here I attach the exported logs from EEK. Thank you.

Forensics_190523-115240.txt logs.db3

18 hours ago, Surya dinata said:

I also attach the following download link for example files that are encrypted by malware, key ID and mac address

https://t.co/71cKY58CTA

It looks like you had already posted the ID's and MAC addresses. Is this from another computer, or the same one?

17 hours ago, Surya dinata said:

It looks like there's no active infection. I've forwarded what I can think might be helpful from your logs to the creator of STOPDecrypter so that he can try to figure out where the ransomware came from and hopefully get the offline ID and key from it.

9 hours ago, GT500 said:

It looks like there's no active infection. I've forwarded what I can think might be helpful from your logs to the creator of STOPDecrypter so that he can try to figure out where the ransomware came from and hopefully get the offline ID and key from it.

Thank you, Mr.
I'm waiting for the results.
I really hope for help from the masters here; hopefully the offline ID and key are found quickly.
