Renzo (posted May 15, 2019)
Hi, please I need help, my computer is infected with the .bufas ransomware. I just cleaned it but I need a decryption tool for .bufas. Thanks a lot.

stapp (posted May 16, 2019)
It is recommended to upload a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with, at this site here: https://id-ransomware.malwarehunterteam.com/
You can paste a link to the results into a reply so that one of our experts can review them.

Amigo-A (posted May 16, 2019)
The .bufas extension is the result of an attack by a new variant of STOP Ransomware. This was confirmed yesterday.

GT500 (posted May 16, 2019)
Note that while STOPDecrypter more than likely won't be able to decrypt your files, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter

nhamed (posted May 17, 2019)
My files are decrypted by this bufas, too. I tried STOPDecrypter but it didn't work.

GT500 (posted May 17, 2019)
11 hours ago, nhamed said:
> I tried STOPDecrypter but it didn't work.
That's expected. Did STOPDecrypter give you the information described at the following link? https://kb.gt500.org/stopdecrypter
If so, please copy and paste it into a reply, and I'll forward it to the creator of STOPDecrypter so that he can archive it in case he is able to figure out your decryption key at some point in the future.

Surya dinata (posted May 18, 2019)
My files are decrypted by this bufas, too.. Please.. help me. I tried STOPDecrypter v2.1.0.4:
[!] No keys were found for the following IDs:
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.rar )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.exe )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.xlsx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.docx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.jpg )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: D0:50:99:4B:9B:84

Amigo-A (posted May 18, 2019)
Renzo, Surya dinata
Before you decrypt the files, you need to make sure that there is neither this infection nor any other infection on the PC. We have seen cases when those who suffered from previous versions successfully decrypted files, but then they were attacked by the same encryptor, which encrypted files with a different extension and used an encryption key that cannot be calculated. In punishment for haste and complacency, the user lost his files a second time and, possibly, forever.
As experience shows, very often after encryption this or another infection remains on the PC, which you could have received together with the encryptor. Malicious programs often work in groups: trojans of a different type, password hijackers, backdoors, dormant malware, dangerous browser plugins. Therefore, I advise you to check your PC for active and dormant malware. This can be done here in the forum, in the next section.

Surya dinata (posted May 19, 2019)
I have done a scanning process with several antiviruses and I am sure it is free of malware. I have also run STOPDecrypter v2.1.0.5, but the results remain the same.
[!] No keys were found for the following IDs:
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.rar )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.exe )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.xlsx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.docx )
[*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.jpg )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: D0:50:99:4B:9B:84
Please help me...

Amigo-A (posted May 19, 2019)
Surya dinata
Your data will be recorded. Today is the weekend. Smart heads must sometimes rest in order to work well afterwards. 😊

Surya dinata (posted May 20, 2019)
Okay, thank you for the response. I'm waiting for the solution.

GT500 (posted May 20, 2019)
On 5/18/2019 at 5:23 AM, Surya dinata said:
> [*] ID: iE5qxqT7ffEzQqdUb0LtnCPwfn0YDkpVZumwVgt1 (.bufas )
At first glance, that looks like an offline ID. It's possible that support for it hasn't been added to STOPDecrypter yet. I'll ask the creator of STOPDecrypter about it.

GT500 (posted May 20, 2019)
2 minutes ago, GT500 said:
> I'll ask the creator of STOPDecrypter about it.
He told me he hasn't been able to get his hands on a copy of this variant of STOP/Djvu yet, but as soon as he does he'll be able to pull the offline ID and key from it and add them to STOPDecrypter.

Surya dinata (posted May 21, 2019)
8 hours ago, GT500 said:
> He told me he hasn't been able to get his hands on a copy of this variant of STOP/Djvu yet, but as soon as he does he'll be able to pull the offline ID and key from it and add them to STOPDecrypter.
Thank you very much for the response. I will still be waiting for the new version of STOPDecrypter.

Amigo-A (posted May 21, 2019)
Many victims managed to find and download malicious files for Demonslay335. This is possible even in spite of the fact that the STOP Ransomware does a wipe of its files. You can carefully and safely collect malware files from temporary directories (only do not run anything!) and put them into a common archive with a password.
Probably, Emsisoft experts could make instructions for manual collection or expand the functionality of the Emsisoft Emergency Kit program for collecting such files in hot pursuit from temporary directories, to put them in a special archive, and not in Quarantine. Something like Temp Files Collector..

Surya dinata (posted May 21, 2019)
I have used the Emsisoft Emergency Kit program, and it has removed the detected malware. Now I want to restore my files that are decrypted by this bufas. Please.... help me Mr...

Amigo-A (posted May 21, 2019)
Surya dinata
When using the Emsisoft Emergency Kit tool, detected threats can be quarantined or deleted. Emsisoft recommends quarantining threats. In this case, the threat will not be active and will not cause harm, but will be useful for recovery, if it is a false detection, or for research, as in your case. But if you chose to delete, the files were safely deleted without the possibility of recovery.

Surya dinata (posted May 21, 2019)
The detected threats, I quarantined.

GT500 (posted May 22, 2019)
9 hours ago, Surya dinata said:
> Now I want to restore my files that are decrypted by this bufas.
Would you happen to know where the infection came from? If you can send us a copy of the source for the infection, we can take a look at it. If we can get our hands on this variant of the ransomware and forward it to the guy who makes STOPDecrypter, then he'd be able to take a look at it as well. If I'm right about your ID being an offline ID, then your files would be decryptable.

Surya dinata (posted May 22, 2019)
1 hour ago, GT500 said:
> Would you happen to know where the infection came from? If you can send us a copy of the source for the infection, we can take a look at it. If we can get our hands on this variant of the ransomware and forward it to the guy who makes STOPDecrypter, then he'd be able to take a look at it as well. If I'm right about your ID being an offline ID, then your files would be decryptable.
I don't know the source of the infection, Mr. By the way, the contents of quarantine have been deleted by the Avast boot scan. Here I attach the log from EEK, I don't know whether this can help. Sorry for my bad English...

Amigo-A (posted May 22, 2019)
The only candidate in this list is TrojanGenericKD.31967470 in CupVAUuPRKt.dll. It is not in my list. But my list is also not complete; it is only what I was able to collect.
Quote:
> BitDefender -> Gen:Heur.Ransom.RTH.1, Trojan.Ransom.Stop.A, DeepScan:Generic.Ransom.Stop.*, Trojan.GenericKD.31342714, *.31369885, *.31500621, *.31514824, *.31517950, *.31534187, *.31534080, *.31575808, .31691360, *.31787961, *.31789478, *.31806757, *.31809991, *.31822410, *.31823954, *.31838431, *.40765609, *.40841043, *.40878732, *.40887380, *.41139976, *.41149918, *.41197210, *.41257217, *.41271436

Amigo-A (posted May 22, 2019)
Surya dinata
You have shown the "Logs" tab. Are there objects in the "Quarantine" tab? In this case, you need to export the TrojanGenericKD.31967470 file for expert analysis.

Surya dinata (posted May 22, 2019)
No object in quarantine (the Quarantine tab is empty).

GT500 (posted May 22, 2019)
@Surya dinata when you look at your logs in EEK, there's an Export button in the lower-left that will allow you to save a copy of the log. Could you please save it somewhere easy to find, and then attach it to a reply for me?

GT500 (posted May 22, 2019)
FYI: While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

Surya dinata (posted May 23, 2019)
5 hours ago, GT500 said:
> @Surya dinata when you look at your logs in EEK, there's an Export button in the lower-left that will allow you to save a copy of the log. Could you please save it somewhere easy to find, and then attach it to a reply for me?
Dear @GT500, here I attach the results of export logs in EEK, thank you..
Attachments: Forensics_190523-115240.txt, logs.db3

Surya dinata (posted May 23, 2019)
I also attach the following download link for example files that are encrypted by malware, key ID and MAC address: https://t.co/71cKY58CTA

Surya dinata (posted May 23, 2019)
Here I attach the results of export logs in FRST, thank you..
Attachments: Addition_23-05-2019 13.24.30.txt, FRST_23-05-2019 13.24.30.txt

GT500 (posted May 23, 2019)
18 hours ago, Surya dinata said:
> I also attach the following download link for example files that are encrypted by malware, key ID and MAC address: https://t.co/71cKY58CTA
It looks like you had already posted the IDs and MAC addresses. Is this from another computer, or the same one?

GT500 (posted May 23, 2019)
17 hours ago, Surya dinata said:
> Here I attach the results of export logs in FRST, thank you..
> Attachments: Addition_23-05-2019 13.24.30.txt, FRST_23-05-2019 13.24.30.txt
It looks like there's no active infection. I've forwarded what I can think might be helpful from your logs to the creator of STOPDecrypter so that he can try to figure out where the ransomware came from and hopefully get the offline ID and key from it.

Surya dinata (posted May 24, 2019)
10 hours ago, GT500 said:
> It looks like you had already posted the IDs and MAC addresses. Is this from another computer, or the same one?
It is the same computer ID and MAC address.

Surya dinata (posted May 24, 2019)
9 hours ago, GT500 said:
> It looks like there's no active infection. I've forwarded what I can think might be helpful from your logs to the creator of STOPDecrypter so that he can try to figure out where the ransomware came from and hopefully get the offline ID and key from it.
Thank you Mr, I'm waiting for the results. I really hope for help from the masters here; hopefully the offline ID and key are quickly found.

GT500 (posted May 25, 2019)
Hopefully it won't be much longer before he's able to find the offline ID and key for this variant of STOP/Djvu.

Surya dinata (posted May 25, 2019)
Thank you Mr.. Hope it's not long..

Surya dinata (posted June 12, 2019)
Hello Mr. @GT500, I want to ask, have you found a solution for the ransomware that infects my computer? Thanks in advance.

GT500 (posted June 12, 2019)
15 hours ago, Surya dinata said:
> I want to ask, have you found a solution for the ransomware that infects my computer?
We're still working on it. It's going to take a bit more time.

Surya dinata (posted June 13, 2019)
Ok thank you, I will still be waiting. Ooh Mr @GT500, I want to ask again, while waiting, can I reinstall my computer??

Amigo-A (posted June 13, 2019)
Surya dinata
We wait and hope together with you.

Surya dinata (posted June 13, 2019)
@Amigo-A while waiting, can I reinstall my computer?

Amigo-A (posted June 13, 2019)
Of course. Leave all ransom notes in the folders with the files. Move them to free disk space or an external drive and reinstall Windows.

GT500 (posted June 14, 2019)
19 hours ago, Surya dinata said:
> Ooh Mr @GT500, I want to ask again, while waiting, can I reinstall my computer??
In addition to making backups of all encrypted files and the ransom notes, I recommend making a backup copy of the following folder before reinstalling Windows:
C:\SystemID
The information contained in this folder is technically redundant (it's in all of the ransom notes as well), however it makes it faster for the decrypter to find your ID. Once you have made backup copies of everything you need to keep, then feel free to reinstall Windows.

GT500 (posted October 19, 2019)
We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Surya dinata (posted October 22, 2019)
Dear @GT500, the results still can't be encrypted.

GT500 (posted October 22, 2019)
We may not have the offline key for the .bufas variant. In that case, you'll need to follow the instructions in the BleepingComputer article for submitting proper file pairs so that the decryption service can figure out how to decrypt your files. https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/

GT500 (posted October 24, 2019)
I've confirmed that we don't have the offline key for the .bufas variant. If you can supply file pairs, then you should still be able to decrypt most of your files.

Amigo-A (posted October 24, 2019)
9 hours ago, GT500 said:
> If you can supply file pairs, then you should still be able to decrypt most of your files.
@Surya dinata
With the new decryption service, you need to find the largest encrypted files of different formats (PNG, JPG, JPEG, PDF, DOC, DOCX, MP3, MP4 ...) and the original unencrypted file for each type. Then upload them to the service. If the decryption service finds the decryption key, then all files of this type can be decrypted. You also need to do this for each file type (PNG, JPG, JPEG, PDF, DOC, DOCX, MP3, MP4 ...) that you need to decrypt.
At first glance it seems impossible to find a pair of encrypted + original files, but this is not so. Here is a sample list of where you can find the originals of the encrypted files:
1) on flash drives, external drives, CD/DVD, memory cards of the camera, phone;
2) in attachments of emails sent or received by you;
3) among the copies of shared photos of friends, relatives (in their PC) that you gave;
4) among the uploaded photos in social networks, including via smartphone and tablet;
5) among the uploaded photos to cloud services (Google Disk, OneDrive, Yandex Disk etc.);
6) on the sites of ads, forums, where you could previously send photos or images;
7) among unencrypted files, copies, renamed files on your PC;
8) on an old PC or disk, from where you transferred photos and documents to a new PC;
9) you can re-upload from the Internet previously downloaded photos, pictures, etc.;
10) you can use sample images supplied with Windows;
11) take photos or pictures that you previously posted as an avatar on forums;
12) extract previously deleted files from the Recycle Bin or restore them with a special program.
If decryption failed... It is possible that the original file was an inaccurate copy of the encrypted one. This could be due to the fact that earlier you yourself reduced or corrected it in an editor, or uploaded it to social networks or cloud services, and there the file was somehow automatically changed. Look for more files and try different pairs of encrypted and original files with the same name. Very often files can have the same name but are not copies of each other. The vocabulary used in any language is limited. The possibilities of PCs, cameras and other devices for taking photos are also limited. In cameras and mobile devices, names for photos are given automatically according to a specific format, so there can be quite a lot of photos with names from IMG_0001.JPG to IMG_9999.JPG in different years. Smartphones can give photos more original names, such as IMG_20171012_170451.jpg: here is both the date of shooting and the sequence number, thus a repetition of the name is unlikely.
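The pair-hunting procedure described above (the largest encrypted file of each type, plus a same-named unencrypted original from a backup, phone or other copy) as an added Python helper; this is example code written for this thread, not Emsisoft's or the decryption service's own tool. It assumes the variant appends `.bufas` to the original filename, as the thread shows, and builds its own constructed sample tree, so nothing in it is real victim data; it also groups same-named originals by SHA-256, since, as the post notes, files sharing a name are not always copies of each other.

```python
"""Pick one encrypted/original file pair per file type for the STOP/Djvu decryption service."""
from __future__ import annotations
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path
ENC_EXT = ".bufas"  # extension this variant appends (from the thread): photo.jpg -> photo.jpg.bufas

def original_name(encrypted: Path, enc_ext: str = ENC_EXT) -> str | None:
    """'IMG_0001.JPG.bufas' -> 'IMG_0001.JPG'; None if the file does not carry the extension."""
    if encrypted.suffix.lower() != enc_ext:
        return None
    return encrypted.name[: -len(enc_ext)]

def index_originals(roots: list[Path]) -> dict[str, list[Path]]:
    """Map lower-cased filename -> every same-named file under the backup/original roots."""
    found: dict[str, list[Path]] = defaultdict(list)
    for root in roots:
        for p in (q for q in root.rglob("*") if q.is_file()):
            found[p.name.lower()].append(p)
    return found

def distinct_copies(paths: list[Path]) -> dict[str, list[Path]]:
    """Group same-named candidates by SHA-256: the same name does not mean the same content."""
    by_hash: dict[str, list[Path]] = defaultdict(list)
    for p in paths:
        by_hash[hashlib.sha256(p.read_bytes()).hexdigest()].append(p)
    return by_hash

def select_pairs(encrypted_root: Path, original_roots: list[Path], enc_ext: str = ENC_EXT):
    """Per file type: the largest encrypted file with a same-named original, plus its candidates by hash."""
    originals = index_originals(original_roots)
    best: dict[str, tuple[Path, dict[str, list[Path]]]] = {}
    for enc in (p for p in encrypted_root.rglob("*") if p.is_file()):
        name = original_name(enc, enc_ext)
        if name is None or name.lower() not in originals:
            continue  # ransom note or other unencrypted file, or no original available for it
        ftype = Path(name).suffix.lower() or "(none)"
        if ftype not in best or enc.stat().st_size > best[ftype][0].stat().st_size:
            best[ftype] = (enc, distinct_copies(originals[name.lower()]))
    return best

def demo() -> dict[str, tuple[str, int]]:
    """Constructed sample tree (not real victim data) -> {type: (chosen encrypted file, distinct originals)}."""
    root = Path(tempfile.mkdtemp())
    enc, backup, phone = root / "encrypted", root / "backup", root / "phone"
    sample = {
        enc / "Pictures/IMG_0001.JPG.bufas": b"\xff" * 3000,  # largest .jpg; two different originals
        enc / "Pictures/holiday.jpg.bufas": b"\xfe" * 500,
        enc / "Docs/report.docx.bufas": b"\xfd" * 4000,       # no original anywhere -> skipped
        enc / "Docs/notes.docx.bufas": b"\xfc" * 1200,
        enc / "ransom_note.txt": b"constructed note",         # not encrypted, ignored
        backup / "IMG_0001.JPG": b"A" * 2500, phone / "IMG_0001.JPG": b"B" * 2500,
        backup / "holiday.jpg": b"H" * 400, backup / "notes.docx": b"N" * 1000,
        phone / "notes.docx": b"N" * 1000,                     # identical copy of the backup file
    }
    for path, data in sample.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    pairs = select_pairs(enc, [backup, phone])
    return {t: (e.name, len(copies)) for t, (e, copies) in sorted(pairs.items())}

if __name__ == "__main__":
    for ftype, (chosen, n) in demo().items():
        print(f"{ftype}: upload {chosen} with one of {n} distinct same-named original(s)")
```

On the constructed sample it selects IMG_0001.JPG.bufas for .jpg (with two different same-named originals to try in turn) and notes.docx.bufas for .docx, and skips report.docx.bufas because no original exists for it.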