sunny parmar

MY PC INFECTED *.FORDAN RANSOMWARE

By sunny parmar, in Help, my files are encrypted!

Recommended Posts

Amigo-A    124

Amigo-A
Posted

If your files are encrypted and now have an .fordan  extension, then this is the result of an attack from the STOP Ransomware

STOP Ransomware encrypts files of users in many countries due to the fact that they download and run hacked software (MS Windows, MS Office, other repacked or patched programs), from which someone removed the activation, making them free and dangerous at the same time due of this malicious code. 

Before you decrypt the files, you need to make sure that there is neither this infection nor any other infection on the PC. We have seen cases when those who suffered from previous versions STOP Ransomware successfully decrypted files, but then they were attacked by the same encryptor, which encrypted files with a different extension, and used an encryption key that cannot be calculated. In punishment for haste and complacency, the user lost his files a second time and, possibly, forever.

As experience shows, very often after encryption on a PC, this or another infection remains, which you could get together with the encryptor.
Malicious programs often work in groups: trojans of a different type, password hijackers, backdoors, dormant malware, dangerous browser plugins.

 If you need help checking your PC for malware, you can make a request  in the next section.

You can also download the free tool Emsisoft Emergency Kit yourself and check the computer.

Share this post

Link to post
Share on other sites

Amigo-A    124

Amigo-A
Posted

After checking the PC and folders with encrypted files, you can use the free tool to decrypt files - STOPDecrypter (link)

This process should be approached with caution. Read the attached text file.
Due to the nature of encryption, only files that are encrypted with offline keys can be decrypted.
We recommend that you make a test decryption of a small number of encrypted files and make copies of them in advance.

Share this post

Link to post
Share on other sites

GT500    787

GT500
Posted

That is more than likely a variant of the STOP ransomware. ID Ransomware can confirm that, and can let you know if STOPDecrypter can recover your files. Here's a link to ID Ransomware:
https://id-ransomware.malwarehunterteam.com/

If STOPDecrypter can't recover your files, then note that it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

Share this post

Link to post
Share on other sites

Amigo-A    124

Amigo-A
Posted

Dear sunny parmar

The solution is possible, but not immediately. You can view other topics to familiarize yourself with the process.

First, the Ransomware is created, then it is distributed through the sites, then the user downloads something, starts it.., then malware infects the PC and encrypts the files. After that, the user discovers that the files are encrypted. Then he turns for help ...

How to help him if the files are his PC and encryption occur on his side?
Specialists are ready to help, but they need to examine the encrypted files and get the keys for decrypt in order to make decryption possible and more simple. 

This is a more complicated process than to smear an injured finger with antiseptic, iodine and cure it.

Share this post

Link to post
Share on other sites

Amigo-A    124

Amigo-A
Posted

Dear sunny parmar

Above, GT500 wrote you what need to do according to his instructions. This can help to developer of STOPDecrypter, and you, of course.

Quote

If STOPDecrypter can't recover your files, then note that it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

 

Share this post

Link to post
Share on other sites

GT500    787

GT500
Posted
16 hours ago, sunny parmar said:

not solve my problem

Yes, that was expected. First we need your ID and MAC addresses from the infected computer, and they there's a possibility that the creator of STOPDecrypter may be able to figure out your decryption key. Or you could get lucky and have an offline ID, so that when support for the variant of STOP/Djvu that encrypted your files is added to STOPDecrypter it will be able to decrypt them on its own.

 

49 minutes ago, shoaib said:

how can i know is key offline or online?

Attach a copy of the ransom note to a reply and I'll let you know if it looks like an offline ID.

You can also follow the instructions at the link below for getting your ID and MAC addresses with STOPDecrypter, which may help in figuring out your decryption key if you don't have an offline ID:
https://kb.gt500.org/stopdecrypter

Share this post

Link to post
Share on other sites

GT500    787

GT500
Posted

FYI: While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

Share this post

Link to post
Share on other sites

sunny parmar    0

sunny parmar
Posted

sir

I send my files details

Decrypted 0 files!
Skipped 5 files.

[!] No keys were found for the following IDs:
[*] ID: qOYn1VNGsvBEwqldLg6QzqQVTpWLpN9U0xdyJC4n (.teamxpart )
[*] ID: qOYn1VNGsvBEwqldLg6QzqQVTpWLpN9U0xdyJC4n (.fordan )
[*] ID: qOYn1VNGsvBEwqldLg6QzqQVTpWLpN9U0xdyJC4n (.txt )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:11:22:98:76:54, 0C:9D:92:80:F0:3E
This info has also been logged to STOPDecrypter-log.txt

Share this post

Link to post
Share on other sites

GT500    787

GT500
Posted
13 hours ago, sunny parmar said:

I send my files details

OK, I've forwarded your information to the creator of STOPDecrypter, and he will archive it in case he is able to figure out your key at some point in the future.

Share this post

Link to post
Share on other sites

Amigo-A    124

Amigo-A
Posted

sunny parmar


Please, be patient. Support specialists  may not respond during the weekend. This is indicated in the forum rules.
The solution of the problem may come not very quickly.
Do not depart from the topic, it is important for you, wait for the answer of the specialist and the final decision.

Share this post

Link to post
Share on other sites

GT500    787

GT500
Posted
19 hours ago, sunny parmar said:

please solve my problem sir.....

No one has an immediate solution for this. If you can give the analysts a little time, they may be able to come up with a way for you to decrypt your files.

Share this post

Link to post
Share on other sites

sunny parmar    0

sunny parmar
Posted

please help sir

I again send you

[!] No keys were found for the following IDs:
[*] ID: qOYn1VNGsvBEwqldLg6QzqQVTpWLpN9U0xdyJC4n (.teamxpart )
[*] ID: qOYn1VNGsvBEwqldLg6QzqQVTpWLpN9U0xdyJC4n (.fordan )
[*] ID: qOYn1VNGsvBEwqldLg6QzqQVTpWLpN9U0xdyJC4n (.txt )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:11:22:98:76:54, 0C:9D:92:80:F0:3E

1.ai.fordan

Share this post

Link to post
Share on other sites

GT500    787

GT500
Posted
On 6/1/2019 at 12:49 AM, sunny parmar said:

I again send you

There's no need to send the information again. It's already been archived. ;)

Share this post

Link to post
Share on other sites

GT500    787

GT500
Posted
18 hours ago, sunny parmar said:

sir my problem not solve...please help me...

Just give us some time, and we'll come up with a solution for you. ;)

Share this post

Link to post
Share on other sites

GT500    787

GT500
Posted
12 hours ago, sunny parmar said:

sir please solve my problem

It's not possible to speed up the process. Figuring out decryption keys is random, so we just have to wait.

Share this post

Link to post
Share on other sites

GT500    787

GT500
Posted

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go To Topic Listing

  • Recently Browsing   0 members

    No registered users viewing this page.