
Please follow the instructions in the link ID Ransomware gave you to provide the information needed to archive your case.

In addition, we still need the malware executable itself. Check your Task Scheduler for a suspicious task running every 5 minutes or so - go to Properties and find the executable it points to, and upload it to VirusTotal, then provide us the link.
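The Task Scheduler check described above, as an added example that is not part of the thread or of any Emsisoft tool: it parses the CSV that `schtasks /query /v /fo CSV` produces and flags tasks that repeat every few minutes while launching something from a user-writable folder. The column names ("TaskName", "Task To Run", "Repeat: Every") are those of schtasks; the 10-minute threshold, the path fragments and the sample rows are the author's own constructions, and the task name and executable path in the sample are placeholders.

```python
# Added example (not from the thread): triage Task Scheduler output for tasks that
# fire every few minutes from a user-writable location, the pattern the post above
# says to look for. Column names are those of `schtasks /query /v /fo CSV`;
# the thresholds and path heuristics are the example author's own choices.
import csv
import io
import re
import subprocess
import sys

# Path fragments that are user-writable; a scheduled task launching from one of
# these deserves a closer look. Heuristic chosen for this example.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

REPEAT_RE = re.compile(r"(\d+) Hour\(s\), (\d+) Minute\(s\)")


def repeat_minutes(value):
    """Convert a 'Repeat: Every' cell such as '0 Hour(s), 5 Minute(s)' to minutes.
    Returns None when the task does not repeat ('N/A', 'Disabled', empty)."""
    m = REPEAT_RE.search(value or "")
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2))


def suspicious_tasks(csv_text, max_minutes=10):
    """Return tasks that repeat at most every `max_minutes` minutes AND run an
    executable from a user-writable path. Each hit is (task name, command)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # schtasks repeats the header line for each task folder; skip those copies.
        if row.get("TaskName") == "TaskName":
            continue
        minutes = repeat_minutes(row.get("Repeat: Every"))
        command = row.get("Task To Run") or ""
        if minutes is None or minutes > max_minutes:
            continue
        if any(frag in command.lower() for frag in USER_WRITABLE):
            hits.append((row["TaskName"], command))
    return hits


# Constructed sample in the shape of `schtasks /query /v /fo CSV`, reduced to the
# columns the function reads (real output has many more columns). Names and
# paths are placeholders, not indicators from a real infection.
SAMPLE_CSV = (
    '"TaskName","Task To Run","Schedule Type","Repeat: Every"\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","Weekly","N/A"\n'
    '"\\Example Task (constructed)","C:\\Users\\victim\\AppData\\Local\\PLACEHOLDER-GUID\\sample.exe --Task","One Time Only","0 Hour(s), 5 Minute(s)"\n'
    '"TaskName","Task To Run","Schedule Type","Repeat: Every"\n'
    '"\\UpdaterTask","C:\\Program Files\\Vendor\\updater.exe","Daily","1 Hour(s), 0 Minute(s)"\n'
)


def live_scan():
    """Run schtasks on a Windows host and triage its output (Windows only)."""
    out = subprocess.run(["schtasks", "/query", "/v", "/fo", "CSV"],
                         capture_output=True, text=True, check=True).stdout
    return suspicious_tasks(out)


if __name__ == "__main__":
    results = live_scan() if sys.platform == "win32" else suspicious_tasks(SAMPLE_CSV)
    for name, cmd in results:
        print(f"{name} -> {cmd}")
```

The output is a shortlist to open in each task's Properties and verify, not a verdict: legitimate software also schedules frequent tasks, and the executable a hit points to is what gets uploaded to VirusTotal as the post asks.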

6 hours ago, Demonslay335 said:

Please follow the instructions in the link ID Ransomware gave you to provide the information needed to archive your case.

In addition, we still need the malware executable itself. Check your Task Scheduler for a suspicious task running every 5 minutes or so - go to Properties and find the executable it points to, and upload it to VirusTotal, then provide us the link.

I removed everything using Malwarebytes. What can I do now?

4 hours ago, Arx said:

I removed everything using Malwarebytes. What can I do now?

STOPDecrypter can be used to get information that may be able to help its creator (Demonslay335) figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter


While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.


My files were also encrypted by .muslat.

Please help me. Thank you!

Content of the STOPDecrypter log:

STOPDecrypter v2.1.0.9
OS Microsoft Windows NT 6.2.9200.0, .NET Framework Version 4.0.30319.42000
----------------------------------------
No key for ID: wQToJ6OEdUqTmZ8i7WMI0zv85BeDelxg9XejrIIl (.muslat )
No key for ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.muslat )
Unidentified ID: wQToJ6OEdUqTmZ8i7WMI0zv85BeDelxg9XejrIIl (.muslat )
Unidentified ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.muslat )
MACs: 10:7D:1A:37:D1:8D, AC:ED:5C:A8:40:9A, AE:ED:5C:A8:40:99, 00:FF:AF:B5:4A:64, AC:ED:5C:A8:40:99, AC:ED:5C:A8:40:9D

1.jpg.muslat 4.jpg.muslat

3 hours ago, GT500 said:

STOPDecrypter can be used to get information that may be able to help its creator (Demonslay335) figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter


While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.


15 hours ago, Demonslay335 said:

Please follow the instructions in the link ID Ransomware gave you to provide the information needed to archive your case.

In addition, we still need the malware executable itself. Check your Task Scheduler for a suspicious task running every 5 minutes or so - go to Properties and find the executable it points to, and upload it to VirusTotal, then provide us the link.

Here is the STOPDecrypter log and the FRST scan log.

STOPDecrypter-log.txt Addition.txt FRST.txt


I had a piece of malware, "the goodcaster". I installed Malwarebytes, SpyHunter and some other programs; when I lost hope I reinstalled my Windows OS, and then was surprised that all my files were encrypted with ".muslat".
That was the infected link that started the problem: http://ec2-52-11-193-193.us-west-2.compute.amazonaws.com/?clickid=3c2abgxj6b4c8d10

The virus's message ID:

personal ID: 
100bgdfFy6dusrVc7Y9zI7x5JccUALwxhwXoswVVMNLzSUxPCVuzX

STOPDecrypter's log:

[!] No keys were found for the following IDs:
[*] ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.muslat )
[*] ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.rar )
[*] ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.exe )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 3C:07:71:57:F2:07, BA:76:3F:B9:93:51, BA:76:3F:B9:9B:51, B8:76:3F:B9:93:51, B8:76:3F:B9:93:52
This info has also been logged to STOPDecrypter-log.txt


18 hours ago, Demonslay335 said:

Please follow the instructions in the link ID Ransomware gave you to provide the information needed to archive your case.

In addition, we still need the malware executable itself. Check your Task Scheduler for a suspicious task running every 5 minutes or so - go to Properties and find the executable it points to, and upload it to VirusTotal, then provide us the link.


_readme'virus message'.txt STOPDECRYPTER LOG.txt

13 hours ago, Arx said:

Here is the STOPDecrypter log and the FRST scan log.

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

As for your FRST logs, please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/arx/2019-06June-11/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

  • Like 1

10 hours ago, Ahmad Mohsen said:

[*] ID: dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 (.muslat )

That's an offline ID. Support for it should be added to STOPDecrypter soon, and once that happens it should be possible for you to decrypt your files.

  • Like 2

2 hours ago, GT500 said:

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

As for your FRST logs, please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/arx/2019-06June-11/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.


  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.


Here is the fixlog

Fixlog.txt

22 hours ago, Arx said:

Here is the fixlog

OK, it looks like any infection had already been removed. Your computer should be OK for now.

  • Upvote 1

1 hour ago, GT500 said:

OK, it looks like any infection had already been removed. Your computer should be OK for now.

Thank you. I'm looking forward to finding a decrypter.

On 6/12/2019 at 12:21 AM, GT500 said:

That's an offline ID. Support for it should be added to STOPDecrypter soon, and once that happens it should be possible for you to decrypt your files.

Thank you for the help, I'm waiting for the next update.

19 hours ago, Ahmad Mohsen said:

Thank you for the help, I'm waiting for the next update.

The offline ID and key for .muslat have been added to STOPDecrypter. Just download a fresh copy of STOPDecrypter, and it should be able to decrypt any files that were encrypted using the offline key for the .muslat variant of STOP/Djvu.


  • Like 1

16 hours ago, Arx said:

The decrypter is not working

That's because you have an online ID, which is very different from an offline ID. The offline IDs and keys are built right into the ransomware to be used when it isn't able to connect to its command and control server, and since they can be pulled from the ransomware it's easy to decrypt files that have been encrypted using offline keys.

Online IDs, on the other hand, mean that the ransomware was able to connect to its command and control server and generate random keys for your computer, meaning that you won't be able to decrypt your files until the creator of STOPDecrypter is able to figure out your decryption key.

7 hours ago, GT500 said:

meaning that you won't be able to decrypt your files until the creator of STOPDecrypter is able to figure out your decryption key.

This operation can take a lot of time. Theoretically, even as much as we (all of us) cannot imagine.

17 hours ago, Amigo-A said:

This operation can take a lot of time. Theoretically, even as much as we (all of us) cannot imagine.

Okay, is it possible only to make a decryption key for .jpg files only? I don't want anything else. I am willing to pay for that.

On 6/15/2019 at 4:54 AM, GT500 said:

That's because you have an online ID, which is very different from an offline ID. The offline IDs and keys are built right into the ransomware to be used when it isn't able to connect to its command and control server, and since they can be pulled from the ransomware it's easy to decrypt files that have been encrypted using offline keys.

Online IDs, on the other hand, mean that the ransomware was able to connect to its command and control server and generate random keys for your computer, meaning that you won't be able to decrypt your files until the creator of STOPDecrypter is able to figure out your decryption key.

Should I have left the ransomware to encrypt my files properly?

8 minutes ago, Arx said:

Okay, is it possible only to make a decryption key for .jpg files only? I don't want anything else. I am willing to pay for that.

Possibly in the future, just give us some time. 😉

  • Upvote 1

9 hours ago, Demonslay335 said:

Possibly in the future, just give us some time. 😉

Oh thanks man. I'm looking forward to the future! 😊

On 6/16/2019 at 6:29 AM, Demonslay335 said:

Possibly in the future, just give us some time. 😉

What happens if I run the ransomware on purpose this time, will it leave me with an offline ID?


Do NOT do that. Your files will just get re-encrypted with the offline key, which STOPDecrypter already has. So it's just a complete waste of time and won't accomplish anything but possibly causing more damage to your system.

3 hours ago, Arx said:

What happens if I run the ransomware on purpose this time, will it leave me with an offline ID?

Nothing good will happen. As Demonslay335 said, your files will just be encrypted a second time.

17 hours ago, Demonslay335 said:

Do NOT do that. Your files will just get re-encrypted with the offline key, which STOPDecrypter already has. So it's just a complete waste of time and won't accomplish anything but possibly causing more damage to your system.

You mean my files have been re-encrypted by STOPDecrypter?

3 minutes ago, Demonslay335 said:

No, the malware would re-encrypt them...

So is there any chance I can get my files decrypted?

8 hours ago, Arx said:

So is there any chance I can get my files decrypted?

Not the way you're thinking of.

I don't know if it will help, but here's an analogy that might explain what Demonslay335 is trying to tell you. Let's say you have a safe with something important in it, and you forget the combination, so you put the first safe inside another safe and lock it up. Will that help you recover the combination for the first safe, even if you remember the combination for the second safe?

Likewise, if you run the malware again, it isn't going to decrypt your files just to encrypt them using the offline key. The malware has no clue how to do that. All it's going to do is apply a second layer of encryption (just like putting a safe inside another safe). It doesn't matter whether or not you can decrypt that second layer of encryption, because that first layer of encryption will still be there.

Right now there's nothing you can do to recover your files. Give us time, and we'll do what we can to help you.

If you panic and try random "solutions" to recover your files, you'll either waste your time, or make things worse for yourself. There's also the possibility that you may do something that makes decrypting your files impossible later on.

11 hours ago, GT500 said:

Not the way you're thinking of.

I don't know if it will help, but here's an analogy that might explain what Demonslay335 is trying to tell you. Let's say you have a safe with something important in it, and you forget the combination, so you put the first safe inside another safe and lock it up. Will that help you recover the combination for the first safe, even if you remember the combination for the second safe?

Likewise, if you run the malware again, it isn't going to decrypt your files just to encrypt them using the offline key. The malware has no clue how to do that. All it's going to do is apply a second layer of encryption (just like putting a safe inside another safe). It doesn't matter whether or not you can decrypt that second layer of encryption, because that first layer of encryption will still be there.

Right now there's nothing you can do to recover your files. Give us time, and we'll do what we can to help you.

If you panic and try random "solutions" to recover your files, you'll either waste your time, or make things worse for yourself. There's also the possibility that you may do something that makes decrypting your files impossible later on.

I get what you say, but that's not what I meant. I mean, will it be possible to get an online decrypter?

7 hours ago, Arx said:

I mean, will it be possible to get an online decrypter?

Right now the only way is paying the ransom, but if you give us time then we will most likely be able to come up with a solution for you. It won't be quick, but it also won't put money into the hands of criminals.

5 hours ago, Arx said:

Any updates so far?

None yet. Hopefully it won't be too much longer.


We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

On 10/27/2019 at 2:18 AM, Arx said:

Sadly it's the same ID I had before.

It's an online ID, which means the decrypter will need some help figuring out how to decrypt your files. You'll need to submit what we call "file pairs" (an original unencrypted file and an encrypted copy of the same file) to our submission site so that the decryption service can "learn" how to decrypt your files. More information and instructions are available at the following link:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/

The submission form for file pairs can be found at the following link:
https://decrypter.emsisoft.com/submit/stopdjvu/

Important note: You will need to supply file pairs for each type of file you want to decrypt. For instance, if you submit a file pair for an MP3 file, then the decrypter should be able to decrypt all MP3 files that have the same ID. There are a few odd files where a single file pair won't be enough (JPEG/JPG images for instance), and there are a few types of files that are essentially just ZIP archives and won't need extra file pairs if you've already supplied one of them (Office documents such as DOCX and XLSX files for instance).
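The "file pair" mechanism described above, together with the "safe inside a safe" point made earlier in the thread, as an added example that is not from the thread, from Emsisoft or from the decrypter: a toy stream cipher (SHA-256 in counter mode, standing in for the real cipher) shows how XOR-ing an original file with its encrypted copy yields a reusable keystream that unlocks other files under the same key, why the pair must be at least as large as the files it should unlock, and why a second encryption layer under a known offline key peels back only to the inner online-key ciphertext, never to the file. The assumption that every file under one key shares one keystream is made for the illustration; the page does not describe the decryption service's internals and this code does not claim to reproduce them.

```python
# Added example (not from the thread): why a plaintext/ciphertext "file pair" can
# teach a decrypter to handle other files encrypted under the same key, and why
# running the malware again only wraps an extra layer. The cipher here is a toy
# stream cipher (SHA-256 in counter mode); it stands in for the real one and the
# code does not claim to reproduce STOP/Djvu or Emsisoft's decryption service.
import hashlib
import os


def keystream(key, length):
    """Toy stream cipher: SHA-256(key || counter) blocks, truncated to `length`.
    Deterministic in the key only, so every file under one key shares a keystream
    (an assumption made for this illustration)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(data, key):
    """XOR with the keystream; the same call decrypts."""
    return xor_bytes(data, keystream(key, len(data)))


def learn_keystream(original, encrypted):
    """The 'file pair' step: plaintext XOR ciphertext reveals the keystream,
    without ever learning the key itself."""
    if len(original) != len(encrypted):
        raise ValueError("a file pair must be the same file before and after encryption")
    return xor_bytes(original, encrypted)


def decrypt_with_pair(encrypted, learned):
    """Decrypt another file with a learned keystream. Only as many bytes as the
    pair covered can be recovered, which is why the pair should be at least as
    large as the files it is meant to unlock."""
    if len(encrypted) > len(learned):
        raise ValueError("file pair too short for this file")
    return xor_bytes(encrypted, learned[:len(encrypted)])


def demo():
    online_key = os.urandom(32)          # per-victim key from the C2 server; unknown to us
    offline_key = b"known-offline-key"   # embedded in the malware; assumed known to the decrypter

    pair_plain = b"ID3\x03\x00" + bytes(range(256))   # constructed: an MP3 we still have a copy of
    pair_enc = encrypt(pair_plain, online_key)
    victim_file = b"ID3\x03\x00" + b"another track"   # constructed: a file we only have encrypted
    victim_enc = encrypt(victim_file, online_key)

    learned = learn_keystream(pair_plain, pair_enc)
    recovered = decrypt_with_pair(victim_enc, learned)

    # "Safe inside a safe": re-running the malware with the offline key wraps the
    # online-key ciphertext in a second layer. Peeling that layer gives back the
    # inner ciphertext, not the file.
    double = encrypt(victim_enc, offline_key)
    peeled = encrypt(double, offline_key)

    return {
        "pair_recovers_other_file": recovered == victim_file,
        "peeled_layer_is_plaintext": peeled == victim_file,
        "peeled_layer_is_inner_ciphertext": peeled == victim_enc,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-ID grouping in the post follows from the same picture: a pair only helps files that share its key, so one ID needs its own pairs, and a pair from a different ID (or a file larger than the pair) yields nothing usable.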


Thanks! I decrypted most of the files using this 'training'. Nice example of AI :) But the problem is, I only wanted to decrypt my .jpg files, and most of them had no backup; I still managed to get some of them. Is it possible to recover all of them in one try?

40 minutes ago, Arx said:

But the problem is, I only wanted to decrypt my .jpg files, and most of them had no backup; I still managed to get some of them. Is it possible to recover all of them in one try?

JPG files have a slight difference in formatting compared to other files that causes file pairs for them to be specific to the source of the files. As an example, if you have pictures from two different cameras then you will need file pairs of JPG files from each camera. If you only have a file pair for JPG files from one camera, then you won't be able to decrypt files from the other camera.
