Luwie

.gerosan file encrypted, Please help


2 hours ago, Rizkifebian said:

THANK YOU VERY MUCH... ALL THE DATA IS BACK NOW 😍

Hi.. I've managed to decrypt some of my files..

But if I tried to open it, it says that my files are damaged

Are yours like that too ?

5 hours ago, Mostafa Sayed said:

[+] File:designer.jpg.gerosan
[-] No key for ID: BKVV8ha08vR69G3Q56QeBziitayvnpRTuVH6MRaO (.gerosan )

We need the MAC addresses that STOPDecrypter lists as well. Make sure you run it on the computer that was infected, and make sure all of the drivers for your networking devices (wireless and Bluetooth included) are installed before you run it again so that STOPDecrypter can get the MAC addresses for all of them.

 

3 hours ago, EricN said:

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 98:28:A6:21:A5:DC, 32:D1:6B:DE:FA:9F, 42:D1:6B:DE:FA:9F, 30:D1:6B:DE:FA:9F
This info has also been logged to STOPDecrypter-log.txt

One of your IDs is an offline ID, however the other one isn't. This means that some of your files are probably decryptable now, but not all of them.

Go ahead and run STOPDecrypter again, and see what it is able to decrypt. As for the rest, I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

 

3 hours ago, Rizkifebian said:

THANK YOU VERY MUCH... ALL THE DATA IS BACK NOW 😍

You're welcome. Make sure your system is clean, otherwise it may happen again.

 

1 hour ago, Abichandra said:

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] ID: HgUNhAuveBRDLf4pEKIYrn6MGAEdovUjLQ4RNz9Z
[*] MACs: 00:FF:15:DB:D5:11, 50:B7:C3:BB:37:96, 50:B7:C3:BB:37:95, 50:B7:C3:82:92:98
This info has also been logged to STOPDecrypter-log.txt

One of your IDs is an offline ID, however the other one isn't. That being said, STOPDecrypter doesn't appear to have been able to decrypt any of your files.

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

38 minutes ago, Abichandra said:

Hi.. I've managed to decrypt some of my files..

But if I tried to open it, it says that my files are damaged

Are yours like that too ?

That's because your files weren't decrypted. You need an actual decryption key from the creator of STOPDecrypter to decrypt your files, or you'll just end up with corrupt files.

The only exception to this are files encrypted with an offline key.

On 6/13/2019 at 11:41 AM, Sg123 said:

[!] No keys were found for the following IDs:

[*] ID: Ys6AMqyvxA6taF8tEp1OOr9eH3ZmFTXvTorRSCjp (.gerosan )

Please archive these IDs and the following MAC addresses in case of future decryption:

[*] MACs: 50:9A:4C:BF:80:1C, AC:ED:5C:A7:94:C4, AE:ED:5C:A7:94:C3, AC:ED:5C:A7:94:C3, AC:ED:5C:A7:94:C7

This info has also been logged to STOPDecrypter-log.txt

Please help me. These are the ID and MAC addresses. My really important files got encrypted. Thank you so much

Please help me. I've lost all my data. Is there any information I haven't added? 


[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: wCOzbtsKUAWfTXtvxk9DDqe3wSgNhDEFuM91MmdP
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 02:30:B8:9D:09:01, 74:E5:0B:7C:19:46, F0:DE:F1:D8:C2:19, 60:D8:19:B1:E1:37
This info has also been logged to STOPDecrypter-log.txt

 

Please help me, all my data is infected.

1 hour ago, GT500 said:

That's because your files weren't decrypted. You need an actual decryption key from the creator of STOPDecrypter to decrypt your files, or you'll just end up with corrupt files.

The only exception to this are files encrypted with an offline key.

So do I need to wait until all of the offline keys are available? 'Cause 1 key is available, that's why I can decrypt some of my files. But still, the files that were decrypted are corrupted.

Thanks


Please Help Me. 

 

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: gRxtj6aMliPt1CHZsPHY7wtdEegoaPifRdnP61s1
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 26:FD:52:B4:DC:07, 24:FD:52:B4:DC:07, AC:22:0B:6E:78:BC, 24:FD:52:B5:49:67
This info has also been logged to STOPDecrypter-log.txt

 

 

 

Addition.txt FRST.txt


@EricN

You will need the help of a support professional to clean your PC. I do not have the authority to cure PCs.
There are some malicious elements in the logs that can cause harm again.
But I can help with more secure use of your PC. There are many free or cheaper programs that can replace the programs that you installed from unofficial sites. I will not list them, you yourself know. If you need a list of safe replacement programs prepared, tell me in PM.

---

I did a selective review of what is installed on your PC. This is not a complete list, only the important items.

Norton Security Scan is a quick scan tool; instead you need to use Norton Security, which protects your PC from modern threats. Norton Security would be a great choice! I recommend it!
---
ShadowExplorer - it needs to be installed long before the attack, so that it periodically saves shadow copies of files. It is useless to install it after encryption.
--------------------

These programs will not protect your PC from encryptors (You can safely remove them!):
Smadav Software - a doubtful tool
GridinSoft Anti-Malware - a doubtful tool
SpyHunter - a dubious tool
---
Windows Defender - it deleted 2 files of STOP Ransomware, but the third one penetrated and encrypted files. This should prove that it will not protect against encryptors!
---
RansomwareFileDecryptor - a dubious tool for decryption
Ransom_Decryptor - a dubious tool for decryption
---
iCare Data Recovery Pro - in this case will not help recover data
ParetoLogic Data Recovery Pro - in this case will not help recover data

/// I know all these programs well, but in this case their use will not benefit you.

9 hours ago, GT500 said:

@EricN, @MadHawk, @Abichandra if you could follow the instructions at the link below and post the information they direct you to get in a reply for us, then I can forward it to the creator of STOPDecrypter:
https://kb.gt500.org/stopdecrypter

It doesn't give me the "extract" option and directly shows the FAQ dialog box. An error from the Microsoft .NET Framework comes up though, but when I still continue it just shows [+] loaded 43 offline keys

EDIT: my .NET Framework was a previous version and I updated it, which made it work. Uploaded all the information in another answer.

Edited by MadHawk

On 6/12/2019 at 4:06 AM, GT500 said:

That is a variant of the STOP/Djvu ransomware.

STOPDecrypter can't recover your files yet, however it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

 

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

Okay, I did all the steps. STOPDecrypter is showing this:

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: JVA5cC4uyeRWfgWlNCYNWypgIU9MQA2IvURCi81p
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 00:E0:4C:1C:17:29
This info has also been logged to STOPDecrypter-log.txt
 

Attached the 2 files

I am really getting desperate. When will my problem be solved??

please tell

 

Addition.txt FRST.txt

Edited by MadHawk


@GT500

 

No key for ID: BKVV8ha08vR69G3Q56QeBziitayvnpRTuVH6MRaO (.gerosan )
Unidentified ID: BKVV8ha08vR69G3Q56QeBziitayvnpRTuVH6MRaO (.gerosan )
MACs: 00:24:E8:22:7A:B6
Decrypted 4 files, skipped 4129

5 hours ago, Amigo-A said:

@EricN

You will need the help of a support professional to clean your PC. I do not have the authority to cure PCs.
There are some malicious elements in the logs that can cause harm again.
But I can help with more secure use of your PC. There are many free or cheaper programs that can replace the programs that you installed from unofficial sites. I will not list them, you yourself know. If you need a list of safe replacement programs prepared, tell me in PM.

---

I did a selective review of what is installed on your PC. This is not a complete list, only the important items.

Norton Security Scan is a quick scan tool; instead you need to use Norton Security, which protects your PC from modern threats. Norton Security would be a great choice! I recommend it!
---
ShadowExplorer - it needs to be installed long before the attack, so that it periodically saves shadow copies of files. It is useless to install it after encryption.
--------------------

These programs will not protect your PC from encryptors (You can safely remove them!):
Smadav Software - a doubtful tool
GridinSoft Anti-Malware - a doubtful tool
SpyHunter - a dubious tool
---
Windows Defender - it deleted 2 files of STOP Ransomware, but the third one penetrated and encrypted files. This should prove that it will not protect against encryptors!
---
RansomwareFileDecryptor - a dubious tool for decryption
Ransom_Decryptor - a dubious tool for decryption
---
iCare Data Recovery Pro - in this case will not help recover data
ParetoLogic Data Recovery Pro - in this case will not help recover data

/// I know all these programs well, but in this case their use will not benefit you.

@Amigo-A I removed some files and software... my files are still infected with .gerosan, please help me...

 

[+] Loaded 42 offline keys
Please archive the following info in case of future decryption:
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 98:28:A6:21:A5:DC, 32:D1:6B:DE:FA:9F, 42:D1:6B:DE:FA:9F, 30:D1:6B:DE:FA:9F
This info has also been logged to STOPDecrypter-log.txt
Selected directory: E:\Operator\Yearbook 2019\yearbook 2019
Starting decryption...

[+] File: E:\Operator\Yearbook 2019\yearbook 2019\Backup_of_guru &karyawan.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )

[+] File: E:\Operator\Yearbook 2019\yearbook 2019\Backup_of_yearbook 2018.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )

[+] File: E:\Operator\Yearbook 2019\yearbook 2019\guru &karyawan.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )

[+] File: E:\Operator\Yearbook 2019\yearbook 2019\yearbook 2018.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )

Decrypted 0 files!
Skipped 4 files.

[!] No keys were found for the following IDs:
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 98:28:A6:21:A5:DC, 32:D1:6B:DE:FA:9F, 42:D1:6B:DE:FA:9F, 30:D1:6B:DE:FA:9F
This info has also been logged to STOPDecrypter-log.txt
 

6 hours ago, GT500 said:

We need the MAC addresses that STOPDecrypter lists as well. Make sure you run it on the computer that was infected, and make sure all of the drivers for your networking devices (wireless and Bluetooth included) are installed before you run it again so that STOPDecrypter can get the MAC addresses for all of them.

 

One of your IDs is an offline ID, however the other one isn't. This means that some of your files are probably decryptable now, but not all of them.

Go ahead and run STOPDecrypter again, and see what it is able to decrypt. As for the rest, I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

 

You're welcome. Make sure your system is clean, otherwise it may happen again.

 

One of your IDs is an offline ID, however the other one isn't. That being said, STOPDecrypter doesn't appear to have been able to decrypt any of your files.

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

@GT500 my files are still infected by gerosan.. please help me.... I really need all the files...

 

[+] Loaded 42 offline keys
Please archive the following info in case of future decryption:
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 98:28:A6:21:A5:DC, 32:D1:6B:DE:FA:9F, 42:D1:6B:DE:FA:9F, 30:D1:6B:DE:FA:9F
This info has also been logged to STOPDecrypter-log.txt
Selected directory: E:\Operator\Yearbook 2019\yearbook 2019
Starting decryption...

[+] File: E:\Operator\Yearbook 2019\yearbook 2019\Backup_of_guru &karyawan.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )

[+] File: E:\Operator\Yearbook 2019\yearbook 2019\Backup_of_yearbook 2018.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )

[+] File: E:\Operator\Yearbook 2019\yearbook 2019\guru &karyawan.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )

[+] File: E:\Operator\Yearbook 2019\yearbook 2019\yearbook 2018.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )

Decrypted 0 files!
Skipped 4 files.

[!] No keys were found for the following IDs:
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 98:28:A6:21:A5:DC, 32:D1:6B:DE:FA:9F, 42:D1:6B:DE:FA:9F, 30:D1:6B:DE:FA:9F
This info has also been logged to STOPDecrypter-log.txt
 

27 minutes ago, EricN said:

my files are still infected with .gerosan, please help me...

Of course, they are not yet deciphered. These were safety recommendations for the future. But you need to clean the system thoroughly.

In many cases, we have observed re-encryption of decrypted files. Therefore, while specialists are trying to update the STOP Decrypter and find a positive solution, you need to prepare your PC for safe use.

Or all efforts will be in vain ...


Please help me. I really cannot afford to lose my files. All my data is encrypted.

[!] No keys were found for the following IDs:

[*] ID: Ys6AMqyvxA6taF8tEp1OOr9eH3ZmFTXvTorRSCjp (.gerosan )

Please archive these IDs and the following MAC addresses in case of future decryption:

[*] MACs: 50:9A:4C:BF:80:1C, AC:ED:5C:A7:94:C4, AE:ED:5C:A7:94:C3, AC:ED:5C:A7:94:C3, AC:ED:5C:A7:94:C7

This info has also been logged to STOPDecrypter-log.txt

 

Good night,

My files are infected with .gerosan and CryptXXX. I also did lock the malware in Windows system32, but I can not recover the .gerosan files.

I read the forum topics and tried most of the solutions here, but nothing works. What should I do?

16 hours ago, bennybern said:

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: wCOzbtsKUAWfTXtvxk9DDqe3wSgNhDEFuM91MmdP
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 02:30:B8:9D:09:01, 74:E5:0B:7C:19:46, F0:DE:F1:D8:C2:19, 60:D8:19:B1:E1:37
This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

15 hours ago, shinichi said:

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: gRxtj6aMliPt1CHZsPHY7wtdEegoaPifRdnP61s1
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 26:FD:52:B4:DC:07, 24:FD:52:B4:DC:07, AC:22:0B:6E:78:BC, 24:FD:52:B5:49:67
This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

13 hours ago, MadHawk said:

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: JVA5cC4uyeRWfgWlNCYNWypgIU9MQA2IvURCi81p
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 00:E0:4C:1C:17:29
This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

 

13 hours ago, MadHawk said:

I am really getting desperate. When will my problem be solved??

Your files will only be decryptable once the creator of STOPDecrypter is able to figure out your decryption key. Unfortunately there is no way to know when that might happen, so it's not possible for me to give you an ETA.

For now just try your best to be patient, and trust that work is progressing on dealing with this ransomware.

11 hours ago, Mostafa Sayed said:

No key for ID: BKVV8ha08vR69G3Q56QeBziitayvnpRTuVH6MRaO (.gerosan )
Unidentified ID: BKVV8ha08vR69G3Q56QeBziitayvnpRTuVH6MRaO (.gerosan )
MACs: 00:24:E8:22:7A:B6
Decrypted 4 files, skipped 4129

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

10 hours ago, EricN said:

@GT500 my files are still infected by gerosan.. please help me.... I really need all the files...

I understand it can be frustrating, however figuring out your decryption key is going to take some time. Please try your best to be patient, and we'll do what we can to help you.

4 hours ago, Sg123 said:

Please help me. I really cannot afford to lose my files. All my data is encrypted.

Please do your best to be patient, and we'll do what we can for you. It's just going to take some time.

1 hour ago, Rachwell said:
Good night,

My files are infected with .gerosan and CryptXXX. I also did lock the malware in Windows system32, but I can not recover the .gerosan files.

I read the forum topics and tried most of the solutions here, but nothing works. What should I do?

While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

 

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

16 hours ago, Abichandra said:

So do I need to wait until all of the offline keys are available? 'Cause 1 key is available, that's why I can decrypt some of my files. But still, the files that were decrypted are corrupted.

Thanks

There's only one offline ID and key for each version of the STOP/Djvu ransomware. You have an online ID and key, and thus will need to wait until the creator of STOPDecrypter is able to figure out your decryption key for you.
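The offline/online distinction described in the reply above, as a triage script over STOPDecrypter output in the format pasted throughout this thread (an added example, not part of any post here and not STOPDecrypter's own code). The sample log, its MAC addresses and the online ID are constructed; the only offline ID the script knows is the one named in this thread, and the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# The one offline ID named in this thread; extend the set for other variants.
KNOWN_OFFLINE_IDS = frozenset({"PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1"})

# Matches "[*] ID: <id>", "[-] No key for ID: <id> (.gerosan )", "Unidentified ID: <id>"
ID_RE = re.compile(r"\bID:\s*([A-Za-z0-9]{40})\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
# Matches "Decrypted 0 files!", "Skipped 4 files.", "Decrypted 4 files, skipped 4129"
COUNT_RE = re.compile(r"\b(decrypted|skipped)\s+(\d+)\b", re.IGNORECASE)


@dataclass
class Triage:
    offline_ids: set = field(default_factory=set)
    online_ids: set = field(default_factory=set)
    macs: list = field(default_factory=list)
    decrypted: int = 0
    skipped: int = 0

    @property
    def verdict(self) -> str:
        if self.offline_ids and self.online_ids:
            return "mixed"          # some files recoverable now, the rest must wait
        if self.offline_ids:
            return "offline-only"
        if self.online_ids:
            return "online-only"    # nothing recoverable until a key is found
        return "no-id"              # tool listed MACs but found no victim ID

    @property
    def verify_output(self) -> bool:
        # Per the thread: output produced without the right key is corrupt,
        # so "decrypted" files on a machine with an online ID need checking.
        return self.decrypted > 0 and bool(self.online_ids)


def triage_log(text: str, offline_ids=KNOWN_OFFLINE_IDS) -> Triage:
    """Classify the IDs in pasted STOPDecrypter output and collect MACs/counters."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        m = ID_RE.search(line)
        if m:
            victim_id = m.group(1)
            bucket = t.offline_ids if victim_id in offline_ids else t.online_ids
            bucket.add(victim_id)
        elif "MACs:" in line:
            for mac in MAC_RE.findall(line):
                if mac.upper() not in t.macs:   # the tool prints the list twice
                    t.macs.append(mac.upper())
        elif not line.startswith("["):          # skip "[+] File: ..." paths
            for c in COUNT_RE.finditer(line):
                setattr(t, c.group(1).lower(), int(c.group(2)))
    return t


def report(t: Triage) -> list:
    out = [f"verdict: {t.verdict}"]
    out += [f"offline ID {i}: decryptable by a build that carries this key"
            for i in sorted(t.offline_ids)]
    out += [f"online ID  {i}: no key yet, archive it with the MACs"
            for i in sorted(t.online_ids)]
    if t.macs:
        out.append("MACs to archive: " + ", ".join(t.macs))
    if t.verify_output:
        out.append("open-test decrypted files before deleting the encrypted copies")
    return out


# Constructed sample input (not a real victim's log).
ONLINE_ID = "CONSTRUCTEDonlineID" + "0" * 20 + "1"   # 40 characters
SAMPLE_LOG = f"""\
[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: {ONLINE_ID}
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 02:00:00:00:00:01, 02:00:00:00:00:02
Selected directory: C:\\Users\\example\\Documents
Starting decryption...

[+] File: C:\\Users\\example\\Documents\\report.docx.gerosan
[-] No key for ID: {ONLINE_ID} (.gerosan )

Decrypted 0 files!
Skipped 1 files.

[!] No keys were found for the following IDs:
[*] ID: {ONLINE_ID} (.gerosan )
[*] MACs: 02:00:00:00:00:01, 02:00:00:00:00:02
"""

if __name__ == "__main__":
    print("\n".join(report(triage_log(SAMPLE_LOG))))
```
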

20 minutes ago, GT500 said:

I understand it can be frustrating, however figuring out your decryption key is going to take some time. Please try your best to be patient, and we'll do what we can to help you.

@GT500 thank you very much boss... This ransomware is very frustrating... please help me boss... I'm begging you boss...


Please Help

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: zhCQs53TUKxhx3SDzpRxMbRYTbLhA09OwpCnPSa6
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: FC:AA:14:E9:01:20, 00:FF:8C:0E:0A:01
This info has also been logged to STOPDecrypter-log.txt
 

 


Please, Help me  to recover my files, I really need them for work, I'm a teacher and I really need my files back to teach my students, thanks 

Here is my info :

 

Decrypted 206 files!
Skipped 5713 files.

[!] No keys were found for the following IDs:
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.doc )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.gerosan )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.docx )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.ssl )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.jpg )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.xlsx )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.pdf )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.rtf )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.flv )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.rar )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.exe )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.zip )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.xlsm )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.mp4 )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.0_full_intl )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.pptx )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.ogg )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.JPG )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.mp3 )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.ppt )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.Mp3 )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.com] )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.MP3 )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.m4a )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.one )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.xls )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.tda )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.tdz )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:FF:AE:8E:70:3E, 1A:CF:5E:EC:A4:83, 18:CF:5E:EC:A4:83, 18:CF:5E:EC:A4:84, 28:D2:44:BC:60:D5


This info has also been logged to STOPDecrypter-log.txt

On 6/14/2019 at 6:42 AM, GT500 said:

@Yassine, @Luwie, @Rizkifebian, @Din please note that your ID (PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1) is an offline ID, and support for it was added to STOPDecrypter this afternoon. Simply download STOPDecrypter again and run it, and the new version should be able to decrypt your files:
https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip

THANK YOU SO MUCH. IT REALLY WORKS. MY DATA IS BACK NOW


@GT500 Same issue too, Please help. Thank you so much.

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 60:A4:4C:35:39:2A, 40:9B:CD:96:F2:D8
This info has also been logged to STOPDecrypter-log.txt


By the way, is it normal to not have an ID? If yes, how do I find it?

STOPDecrypter-log.txt FRST.txt Addition.txt

Good night,

My files are infected with .gerosan.
I read the forum topics and tried most of the solutions here, but nothing works. What should I do? I need your kind support.

6 hours ago, Rachwell said:

But is there something that I can do? I'm trying to recover my files with "Recuva", but most are still broken.

@Rachwell

No. First you need to get rid of malware. Otherwise, encryption may be repeated or restarted with other components.

I did not look deeply, but all the anti-virus programs and on-demand scanners that are on your PC, as it became clear, turned out to be useless. You can remove them all and install "Emsisoft Emergency Kit" to do a full check.
Check the PC and agree to send quarantined malware files. Attach the results to the message for the Emsisoft experts to see.


@Rachwell

Gorblimy!
Here are files from several encryptors and other malicious files.
It is better to wait for the answer of the Emsisoft specialist @GT500, since it's their tool. 
It may be necessary to take samples of the encryptor from Quarantine.

8 hours ago, Rachwell said:

if you want to send the .zip file or the download link, maybe this information will help us

Yes, use the site www.sendspace.com to upload such an archive. It is advisable to set a password 'infected' so that the service does not delete it.

4 hours ago, Amigo-A said:

@Rachwell

Gorblimy!
Here are files from several encryptors and other malicious files.
It is better to wait for the answer of the Emsisoft specialist @GT500, since it's their tool. 
It may be necessary to take samples of the encryptor from Quarantine.

Ok, many thanks for all the help!

I have to return the infected PC tonight, and I recovered some files with Recuva yesterday. I'll not format the computer, but will leave Emsisoft Anti-Malware running and notify the owner about the ransomware infection.
I have some copies of .gerosan files with me that I'll keep for help, and I'm waiting for @GT500's tool.

On 14/6/2019 at 06.46, GT500 said:

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

Thank you. Hopefully it can solve the problem in a not too long time.


@kiki

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components that will encrypt any new files saved and will encrypt any files you manage to decrypt.
It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):

https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/


Decrypted 0 files!
Skipped 1 files.

[!] No keys were found for the following IDs:
[*] ID: bdq0AAasBwkQPXS021RM1yFTm3a7SElwnVsi7yVY (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 20:68:9D:EE:6F:72, 08:60:6E:8B:55:73, 20:68:9D:EE:29:B8
This info has also been logged to STOPDecrypter-log.txt

aspalt.xlsx.gerosan


@bangjonijoni

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components that will encrypt any new files saved and will encrypt any files you manage to decrypt.
It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):

https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

4 hours ago, Amigo-A said:

@kiki

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components that will encrypt any new files saved and will encrypt any files you manage to decrypt.
It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):

https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

That is my FRST file

FRST.txt

On 6/14/2019 at 7:57 PM, EricN said:

@GT500 thank you very much boss... This ransomware is very frustrating... please help me boss... I'm begging you boss...

There's currently no way to speed up the process. Just give us time, and we'll do what we can.

On 6/14/2019 at 11:01 PM, Golfdemon said:

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: zhCQs53TUKxhx3SDzpRxMbRYTbLhA09OwpCnPSa6
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: FC:AA:14:E9:01:20, 00:FF:8C:0E:0A:01
This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

On 6/15/2019 at 12:12 AM, trio said:

Please, Help me  to recover my files, I really need them for work, I'm a teacher and I really need my files back to teach my students, thanks 

Here is my info :

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

Note: This will take time. Unfortunately there's no way around that at the moment.
