My files are encrypted with the extension .HEROSET and I can’t seem to find any decryption tool in this site that decrypts such data

This is STOP Djvu Ransomware, and we need a sample of the malware. Can you check Task Scheduler for a suspicious task running very often (like every 5 minutes)? If you find it, please disable it, then go to Properties for it, Actions tab, and select the "Start a program" - click Edit, and note the location of the executable. Find that executable and upload it to VirusTotal, then send me a link to it.

If you need further help with this, I will have a support team member reach out to you for more guided assistance. I do need that malware sample ASAP.

In addition to securing the malware executable, please follow the directions in this article to provide me the Personal ID and MAC addresses of the infected machine.

https://kb.gt500.org/stopdecrypter

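As an added illustration of the Task Scheduler check Demonslay335 describes (this script is not from the post and not Emsisoft's code), the PowerShell below lists every scheduled task whose trigger repeats at a short interval, together with the executable its "Start a program" action launches, so the path can be inspected, the task disabled and the file hashed before it is uploaded to VirusTotal. It assumes Windows 8 / Server 2012 or later (the ScheduledTasks module) and an elevated session; the 15-minute threshold and the user-writable-directory heuristic are choices made for this example.

```powershell
# Added triage script (not from the forum post): list scheduled tasks that repeat
# at short intervals and show which executable each one launches.
# Assumptions: Windows 8 / Server 2012 or newer (ScheduledTasks module), run in an
# elevated PowerShell session so that tasks in every task folder are visible.
param(
    [int]$MaxIntervalMinutes = 15   # flag anything that repeats at least this often
)

function Get-RepetitionMinutes {
    # Task Scheduler stores repetition intervals as ISO 8601 durations, e.g. "PT5M".
    param([string]$Iso8601Interval)
    if ([string]::IsNullOrEmpty($Iso8601Interval)) { return $null }
    try {
        return [System.Xml.XmlConvert]::ToTimeSpan($Iso8601Interval).TotalMinutes
    } catch {
        return $null   # malformed or unsupported interval: treat as "does not repeat"
    }
}

$suspects = foreach ($task in Get-ScheduledTask) {
    foreach ($trigger in $task.Triggers) {
        $minutes = Get-RepetitionMinutes $trigger.Repetition.Interval
        if ($null -eq $minutes -or $minutes -gt $MaxIntervalMinutes) { continue }
        foreach ($action in $task.Actions) {
            # Only "Start a program" actions carry an Execute path
            if (-not $action.Execute) { continue }
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                State     = $task.State
                EveryMin  = $minutes
                Execute   = [Environment]::ExpandEnvironmentVariables($action.Execute)
                Arguments = $action.Arguments
                # Heuristic: a program living under a user-writable directory deserves a closer look
                InUserDir = $action.Execute -match '(?i)\\(AppData|Temp|Users\\Public)\\'
            }
        }
    }
}

# Most frequent repeaters first
$suspects | Sort-Object EveryMin | Format-Table -AutoSize
```

Once the right task is identified, `Disable-ScheduledTask -TaskPath <path> -TaskName <name>` stops it re-running, and `Get-FileHash -Algorithm SHA256 <executable>` gives the hash to look up on VirusTotal before uploading the file itself.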
7 hours ago, Tetto said:

My files are encrypted with the extension .HEROSET and I can’t seem to find any decryption tool in this site that decrypts such data

If you're able to get Demonslay335 the information he needs ASAP, then he should be able to help you get your files decrypted.

10 hours ago, Demonslay335 said:

This is STOP Djvu Ransomware, and we need a sample of the malware. Can you check Task Scheduler for a suspicious task running very often (like every 5 minutes)? If you find it, please disable it, then go to Properties for it, Actions tab, and select the "Start a program" - click Edit, and note the location of the executable. Find that executable and upload it to VirusTotal, then send me a link to it.

If you need further help with this, I will have a support team member reach out to you for more guided assistance. I do need that malware sample ASAP.

In addition to securing the malware executable, please follow the directions in this article to provide me the Personal ID and MAC addresses of the infected machine.

https://kb.gt500.org/stopdecrypter

Good day Sir,

My PC is also infected with this ransomware, turning my files to the extension .HEROSET. I already suppressed the virus, sort of, by applying System Restore to restore my PC settings. It did get rid of the virus that runs in the background, but I can't get my files back since they're encrypted. So far, only my Drive D partition has been infected.

Here are the details from the ransomware text file:

To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Our Telegram account:
@datarestore

Your personal ID:
098bnvvbfgfgORedjrTT2I45yfSBLDRGjn8GbdKsV05gI9iwXz35

Hopefully, this can help also. From StopDecrypter:

Decrypted 11 files!
Skipped 4853 files.

[!] No keys were found for the following IDs:
[*] ID: ORedjrTT2I45yfSBLDRGjn8GbdKsV05gI9iwXz35 (.xlsx )
[*] ID: ORedjrTT2I45yfSBLDRGjn8GbdKsV05gI9iwXz35 (.heroset )
[*] ID: ORedjrTT2I45yfSBLDRGjn8GbdKsV05gI9iwXz35 (.mkv )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 80:1F:02:CC:88:12, 4C:CC:6A:8F:B8:EE
This info has also been logged to STOPDecrypter-log.txt

Appreciate if you can help me.

-Rex

Hello, Vikrant

This is the result of the STOP Ransomware attack. 
There are now a lot of victims on the forum from different variants of this Ransomware. In some cases, the files can be decrypted. This is possible only in cases where the files were encrypted with offline keys and an instance of the malware was detected.

Demonslay335 (the developer of the decoder) collects information from the victims, records the data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files.

To identify this Ransomware and confirm my information, you can use the ID Ransomware service.
It will give you a link to the support topic on the BleepingComputer forum; you need to read the first post of the topic and post the requested information there or here - the MAC address of the network device.

---

If STOPDecrypter can't recover your files, then it can be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

Also, while most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

The support team will review the logs and tell you what to do.

Do not depart from the topic, it is important for you, wait for the answer of the specialist and the final decision.

On 6/7/2019 at 10:29 PM, Fuffee said:

My PC is also infected with this ransomware, turning my files to the extension .HEROSET. I already suppressed the virus, sort of, by applying System Restore to restore my PC settings. It did get rid of the virus that runs in the background, but I can't get my files back since they're encrypted. So far, only my Drive D partition has been infected.

The creator of STOPDecrypter let me know that he was able to get your decryption key for you. If you need anything else, then please let us know.


On 6/9/2019 at 4:36 AM, Vikrant said:

Please suggest any decryptor tool for .heroset ransomware attack

Go ahead and follow Amigo-A's advice. STOPDecrypter will be able to give us information that can be archived in case the creator of STOPDecrypter is able to figure out your decryption key.

Please help sir, all my data is encrypted.

Unidentified ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5
Unidentified ID: xUHIDCdB9IpEd1BBxXWhkitDLMP8oSzQeEYlr0t1
MACs: 04:92:26:11:5D:40, 18:56:80:FD:06:75, 1A:56:80:FD:06:74, 26:E7:D9:E6:67:08, 18:56:80:FD:06:78
----------------------------------------
STOPDecrypter v2.1.0.11
OS Microsoft Windows NT 6.2.9200.0, .NET Framework Version 4.0.30319.42000
----------------------------------------

No key for ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5 (.heroset )
No key for ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5 (.txt )
Unidentified ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5 (.heroset )
Unidentified ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5 (.txt )
MACs: 04:92:26:11:5D:40, 18:56:80:FD:06:75, 1A:56:80:FD:06:74, 26:E7:D9:E6:67:08, 18:56:80:FD:06:78
Decrypted 2 files, skipped 61
Unidentified ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5
Unidentified ID: xUHIDCdB9IpEd1BBxXWhkitDLMP8oSzQeEYlr0t1
MACs: 04:92:26:11:5D:40, 18:56:80:FD:06:75, 1A:56:80:FD:06:74, 26:E7:D9:E6:67:08, 18:56:80:FD:06:78
----------------------------------------
STOPDecrypter v2.1.0.11
OS Microsoft Windows NT 6.2.9200.0, .NET Framework Version 4.0.30319.42000
----------------------------------------

No key for ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5 (.heroset )
Unidentified ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5 (.heroset )
MACs: 04:92:26:11:5D:40, 18:56:80:FD:06:75, 1A:56:80:FD:06:74, 26:E7:D9:E6:67:08, 18:56:80:FD:06:78
Decrypted 2 files, skipped 32
 

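The STOPDecrypter output pasted by Rex and by RKOGENESIS is exactly the information the creator of STOPDecrypter archives. As an added helper (not part of the thread, and not STOPDecrypter's own code), this PowerShell function parses that output into a clean list of personal IDs, the extensions seen with each, and the MAC addresses, and marks which IDs are offline IDs. The offline check relies on the widely documented STOP/Djvu convention that offline IDs end in "t1"; that is an assumption of this example, not something the posts state. The sample text is copied from RKOGENESIS's post above.

```powershell
# Added helper (not from the thread): pull the personal IDs and MAC addresses out of
# STOPDecrypter's on-screen output so they can be archived in one place.
# Assumption: the documented STOP/Djvu convention that offline IDs end in "t1";
# only those can share a key with other victims of the same variant.
function ConvertFrom-StopDecrypterOutput {
    param([string]$Text)

    $ids  = @{}   # id -> set of extensions it was reported with
    $macs = [System.Collections.Generic.HashSet[string]]::new()

    foreach ($line in $Text -split "`r?`n") {
        # Matches "No key for ID: <id> (.ext )", "Unidentified ID: <id> (.ext )" and "[*] ID: <id> (.ext )"
        if ($line -match 'ID:\s*(?<id>[A-Za-z0-9]+)(?:\s*\((?<ext>\.[A-Za-z0-9]+)\s*\))?') {
            $id = $Matches.id
            if (-not $ids.ContainsKey($id)) {
                $ids[$id] = [System.Collections.Generic.HashSet[string]]::new()
            }
            if ($Matches.ext) { [void]$ids[$id].Add($Matches.ext.ToLower()) }
        }
        # Matches "MACs: aa:bb:cc:dd:ee:ff, ..." and keeps only well-formed addresses
        if ($line -match 'MACs:\s*(?<macs>.+)$') {
            foreach ($mac in $Matches.macs -split ',') {
                $m = $mac.Trim().ToUpper()
                if ($m -match '^([0-9A-F]{2}:){5}[0-9A-F]{2}$') { [void]$macs.Add($m) }
            }
        }
    }

    $idList = foreach ($id in $ids.Keys | Sort-Object) {
        [pscustomobject]@{
            Id         = $id
            Offline    = $id.EndsWith('t1')          # assumed "t1" suffix convention
            Extensions = @($ids[$id] | Sort-Object)
        }
    }

    [pscustomobject]@{
        Ids  = @($idList)
        Macs = @($macs | Sort-Object)
    }
}

# Sample input: lines copied from RKOGENESIS's post in this thread
$sample = @'
Unidentified ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5
Unidentified ID: xUHIDCdB9IpEd1BBxXWhkitDLMP8oSzQeEYlr0t1
MACs: 04:92:26:11:5D:40, 18:56:80:FD:06:75, 1A:56:80:FD:06:74, 26:E7:D9:E6:67:08, 18:56:80:FD:06:78
No key for ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5 (.heroset )
No key for ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5 (.txt )
Decrypted 2 files, skipped 61
'@

$result = ConvertFrom-StopDecrypterOutput $sample
$result.Ids | Format-Table -AutoSize
"MACs: " + ($result.Macs -join ', ')
```

On the sample above the function reports two IDs, of which only the one ending in "t1" is marked Offline, and five distinct MAC addresses; piping `$result | ConvertTo-Json -Depth 3` to a file gives a record that can be kept alongside the encrypted files until a key becomes available.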
11 hours ago, RKOGENESIS said:

No key for ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5 (.heroset )
Unidentified ID: Ufg2zXZ760lUMOJbtLUf1btmUS8Fmzmp14Ef0aE5 (.heroset )
MACs: 04:92:26:11:5D:40, 18:56:80:FD:06:75, 1A:56:80:FD:06:74, 26:E7:D9:E6:67:08, 18:56:80:FD:06:78
Decrypted 2 files, skipped 32

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/