Abichandra - Posted June 14

> 2 hours ago, Rizkifebian said:
> THANK U VERY MUCH...ALL THE DATA IS BACK NOW 😍

Hi.. I've managed to decrypt some of my files.. But when I try to open them, it says that my files are damaged. Are yours like that too?

GT500 - Posted June 14

> 5 hours ago, Mostafa Sayed said:
> [+] File:designer.jpg.gerosan
> [-] No key for ID: BKVV8ha08vR69G3Q56QeBziitayvnpRTuVH6MRaO (.gerosan )

We need the MAC addresses that STOPDecrypter lists as well. Make sure you run it on the computer that was infected, and make sure all of the drivers for your networking devices (wireless and Bluetooth included) are installed before you run it again so that STOPDecrypter can get the MAC addresses for all of them.

> 3 hours ago, EricN said:
> [+] Loaded 43 offline keys
> Please archive the following info in case of future decryption:
> [*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt
> [*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
> [*] MACs: 98:28:A6:21:A5:DC, 32:D1:6B:DE:FA:9F, 42:D1:6B:DE:FA:9F, 30:D1:6B:DE:FA:9F
> This info has also been logged to STOPDecrypter-log.txt

One of your IDs is an offline ID, however the other one isn't. This means that some of your files are probably decryptable now, but not all of them. Go ahead and run STOPDecrypter again, and see what it is able to decrypt. As for the rest, I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.

> 3 hours ago, Rizkifebian said:
> THANK U VERY MUCH...ALL THE DATA IS BACK NOW 😍

You're welcome. Make sure your system is clean, otherwise it may happen again.

> 1 hour ago, Abichandra said:
> [+] Loaded 43 offline keys
> Please archive the following info in case of future decryption:
> [*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
> [*] ID: HgUNhAuveBRDLf4pEKIYrn6MGAEdovUjLQ4RNz9Z
> [*] MACs: 00:FF:15:DB:D5:11, 50:B7:C3:BB:37:96, 50:B7:C3:BB:37:95, 50:B7:C3:82:92:98
> This info has also been logged to STOPDecrypter-log.txt

One of your IDs is an offline ID, however the other one isn't. That being said, STOPDecrypter doesn't appear to have been able to decrypt any of your files. I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.

GT500 - Posted June 14

> 38 minutes ago, Abichandra said:
> Hi.. I've managed to decrypt some of my files.. But when I try to open them, it says that my files are damaged. Are yours like that too?

That's because your files weren't decrypted. You need an actual decryption key from the creator of STOPDecrypter to decrypt your files, or you'll just end up with corrupt files. The only exception to this is files encrypted with an offline key.

Sg123 - Posted June 14

> On 6/13/2019 at 11:41 AM, Sg123 said:
> [!] No keys were found for the following IDs:
> [*] ID: Ys6AMqyvxA6taF8tEp1OOr9eH3ZmFTXvTorRSCjp (.gerosan )
> Please archive these IDs and the following MAC addresses in case of future decryption:
> [*] MACs: 50:9A:4C:BF:80:1C, AC:ED:5C:A7:94:C4, AE:ED:5C:A7:94:C3, AC:ED:5C:A7:94:C3, AC:ED:5C:A7:94:C7
> This info has also been logged to STOPDecrypter-log.txt
>
> Please help me. These are the ID and MAC addresses. My really important files got encrypted. Thank you so much

Please help me. I've lost all my data. Is there any information I haven't added?

bennybern - Posted June 14

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: wCOzbtsKUAWfTXtvxk9DDqe3wSgNhDEFuM91MmdP
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 02:30:B8:9D:09:01, 74:E5:0B:7C:19:46, F0:DE:F1:D8:C2:19, 60:D8:19:B1:E1:37
This info has also been logged to STOPDecrypter-log.txt

Please help me, all my data is infected.

Abichandra - Posted June 14

> 1 hour ago, GT500 said:
> That's because your files weren't decrypted. You need an actual decryption key from the creator of STOPDecrypter to decrypt your files, or you'll just end up with corrupt files. The only exception to this is files encrypted with an offline key.

So do I need to wait until all of the offline keys are available? Cause 1 key is available, that's why I can decrypt some of my files. But still the files that were decrypted are corrupted. Thanks

shinichi - Posted June 14

Please Help Me.

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: gRxtj6aMliPt1CHZsPHY7wtdEegoaPifRdnP61s1
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 26:FD:52:B4:DC:07, 24:FD:52:B4:DC:07, AC:22:0B:6E:78:BC, 24:FD:52:B5:49:67
This info has also been logged to STOPDecrypter-log.txt

Attached files: Addition.txt, FRST.txt

Amigo-A - Posted June 14

@EricN
You will need the help of a support professional to clean your PC. I do not have the authority to cure PC. There are some malicious elements in the logs that can cause harm again.
But I can help in more secure use of your PC. There are many free or cheaper programs that can be replaced by programs that you installed from unofficial sites. I will not list them, you yourself know. If you need to prepare a list of safe replacement programs, tell me in PM.
---
I did a selective review of what is installed in your PC. This is not a complete list, but only important.
Norton Security Scan is a quick scan tool, instead you need to use Norton Security, which protects your PC from modern threats. Norton Security would be a great choice! I recommend!
---
ShadowExplorer - it needs to be installed long before the attack, so that it periodically saves shadow copies of files. It is useless to set up after encryption.
--------------------
These programs will not protect your PC from encryptors (You can safely remove them!):
Smadav Software - a doubtful tool
GridinSoft Anti-Malware - a doubtful tool
SpyHunter - a dubious tool
---
Windows Defender - it deleted 2 files of STOP Ransomware, but the third one has penetrated and encrypted files. This should prove that it will not protect against encryptors!
---
RansomwareFileDecryptor - a dubious tool for decryption
Ransom_Decryptor - a dubious tool for decryption
---
iCare Data Recovery Pro - in this case will not help recover data
ParetoLogic Data Recovery Pro - in this case will not help recover data
///
I know all these programs well, but in this case their use does not benefit you.

MadHawk - Posted June 14 (edited)

> 9 hours ago, GT500 said:
> @EricN, @MadHawk, @Abichandra if you could follow the instructions at the link below and post the information they direct you to get in a reply for us, then I can forward it to the creator of STOPDecrypter:
> https://kb.gt500.org/stopdecrypter

It doesn't give me the "extract" option and directly shows the FAQ dialog box. An error from Microsoft .NET Framework comes up though, but when I still continue it just shows [+] loaded 43 offline keys

EDIT: my .NET Framework was a previous version and I updated it, which made it work. Uploaded all the information in another answer.

Edited June 14 by MadHawk

MadHawk - Posted June 14 (edited)

> On 6/12/2019 at 4:06 AM, GT500 said:
> That is a variant of the STOP/Djvu ransomware. STOPDecrypter can't recover your files yet, however it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
> https://kb.gt500.org/stopdecrypter
>
> While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
> https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
>
> Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

Okay, I did all the steps. STOPDecrypter is showing this:

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: JVA5cC4uyeRWfgWlNCYNWypgIU9MQA2IvURCi81p
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 00:E0:4C:1C:17:29
This info has also been logged to STOPDecrypter-log.txt

Attached the 2 files. I am really getting desperate, when will my problem be solved?? Please tell.

Attached files: Addition.txt, FRST.txt

Edited June 14 by MadHawk

Mostafa Sayed - Posted June 14

@GT500
No key for ID: BKVV8ha08vR69G3Q56QeBziitayvnpRTuVH6MRaO (.gerosan )
Unidentified ID: BKVV8ha08vR69G3Q56QeBziitayvnpRTuVH6MRaO (.gerosan )
MACs: 00:24:E8:22:7A:B6
Decrypted 4 files, skipped 4129

EricN - Posted June 14

> 5 hours ago, Amigo-A said:
> @EricN
> You will need the help of a support professional to clean your PC. I do not have the authority to cure PC. There are some malicious elements in the logs that can cause harm again.
> But I can help in more secure use of your PC. There are many free or cheaper programs that can be replaced by programs that you installed from unofficial sites. I will not list them, you yourself know. If you need to prepare a list of safe replacement programs, tell me in PM.
> ---
> I did a selective review of what is installed in your PC. This is not a complete list, but only important.
> Norton Security Scan is a quick scan tool, instead you need to use Norton Security, which protects your PC from modern threats. Norton Security would be a great choice! I recommend!
> ---
> ShadowExplorer - it needs to be installed long before the attack, so that it periodically saves shadow copies of files. It is useless to set up after encryption.
> --------------------
> These programs will not protect your PC from encryptors (You can safely remove them!):
> Smadav Software - a doubtful tool
> GridinSoft Anti-Malware - a doubtful tool
> SpyHunter - a dubious tool
> ---
> Windows Defender - it deleted 2 files of STOP Ransomware, but the third one has penetrated and encrypted files. This should prove that it will not protect against encryptors!
> ---
> RansomwareFileDecryptor - a dubious tool for decryption
> Ransom_Decryptor - a dubious tool for decryption
> ---
> iCare Data Recovery Pro - in this case will not help recover data
> ParetoLogic Data Recovery Pro - in this case will not help recover data
> ///
> I know all these programs well, but in this case their use does not benefit you.

@Amigo-A I have removed some files and software... my files are still infected with .gerosan, please help me...

[+] Loaded 42 offline keys
Please archive the following info in case of future decryption:
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 98:28:A6:21:A5:DC, 32:D1:6B:DE:FA:9F, 42:D1:6B:DE:FA:9F, 30:D1:6B:DE:FA:9F
This info has also been logged to STOPDecrypter-log.txt
Selected directory: E:\Operator\Yearbook 2019\yearbook 2019
Starting decryption...
[+] File: E:\Operator\Yearbook 2019\yearbook 2019\Backup_of_guru &karyawan.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
[+] File: E:\Operator\Yearbook 2019\yearbook 2019\Backup_of_yearbook 2018.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
[+] File: E:\Operator\Yearbook 2019\yearbook 2019\guru &karyawan.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
[+] File: E:\Operator\Yearbook 2019\yearbook 2019\yearbook 2018.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
Decrypted 0 files! Skipped 4 files.
[!] No keys were found for the following IDs:
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 98:28:A6:21:A5:DC, 32:D1:6B:DE:FA:9F, 42:D1:6B:DE:FA:9F, 30:D1:6B:DE:FA:9F
This info has also been logged to STOPDecrypter-log.txt

EricN - Posted June 14

> 6 hours ago, GT500 said:
> We need the MAC addresses that STOPDecrypter lists as well. Make sure you run it on the computer that was infected, and make sure all of the drivers for your networking devices (wireless and Bluetooth included) are installed before you run it again so that STOPDecrypter can get the MAC addresses for all of them.
>
> One of your IDs is an offline ID, however the other one isn't. This means that some of your files are probably decryptable now, but not all of them. Go ahead and run STOPDecrypter again, and see what it is able to decrypt. As for the rest, I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.
>
> You're welcome. Make sure your system is clean, otherwise it may happen again.
>
> One of your IDs is an offline ID, however the other one isn't. That being said, STOPDecrypter doesn't appear to have been able to decrypt any of your files. I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.

@GT500 my files are still infected by gerosan.. please help me.... I really need all the files...

[+] Loaded 42 offline keys
Please archive the following info in case of future decryption:
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: 98:28:A6:21:A5:DC, 32:D1:6B:DE:FA:9F, 42:D1:6B:DE:FA:9F, 30:D1:6B:DE:FA:9F
This info has also been logged to STOPDecrypter-log.txt
Selected directory: E:\Operator\Yearbook 2019\yearbook 2019
Starting decryption...
[+] File: E:\Operator\Yearbook 2019\yearbook 2019\Backup_of_guru &karyawan.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
[+] File: E:\Operator\Yearbook 2019\yearbook 2019\Backup_of_yearbook 2018.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
[+] File: E:\Operator\Yearbook 2019\yearbook 2019\guru &karyawan.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
[+] File: E:\Operator\Yearbook 2019\yearbook 2019\yearbook 2018.cdr.gerosan
[-] No key for ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
Decrypted 0 files! Skipped 4 files.
[!] No keys were found for the following IDs:
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 98:28:A6:21:A5:DC, 32:D1:6B:DE:FA:9F, 42:D1:6B:DE:FA:9F, 30:D1:6B:DE:FA:9F
This info has also been logged to STOPDecrypter-log.txt

Amigo-A - Posted June 14

> 27 minutes ago, EricN said:
> my files are still infected with .gerosan, please help me...

Of course, they are not yet deciphered. These were safety recommendations for the future.
But you need to clean the system thoroughly. In many cases, we have observed re-encryption of decrypted files. Therefore, while specialists are trying to update the STOP Decrypter and find a positive solution, you need to prepare your PC for safe use. Or all efforts will be in vain ...

Sg123 - Posted June 14

Please help me. I really cannot afford to lose my files. All my data is encrypted.

[!] No keys were found for the following IDs:
[*] ID: Ys6AMqyvxA6taF8tEp1OOr9eH3ZmFTXvTorRSCjp (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 50:9A:4C:BF:80:1C, AC:ED:5C:A7:94:C4, AE:ED:5C:A7:94:C3, AC:ED:5C:A7:94:C3, AC:ED:5C:A7:94:C7
This info has also been logged to STOPDecrypter-log.txt

Rachwell - Posted June 14

Good night,
My files are infected with .gerosan and CryptXXX. I also did lock the malware in Windows system32, but I cannot recover the .gerosan files. I read the forum topics and tried most of the solutions here, but nothing works. What should I do?

GT500 - Posted June 14

> 16 hours ago, bennybern said:
> [+] Loaded 43 offline keys
> Please archive the following info in case of future decryption:
> [*] ID: wCOzbtsKUAWfTXtvxk9DDqe3wSgNhDEFuM91MmdP
> [*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
> [*] MACs: 02:30:B8:9D:09:01, 74:E5:0B:7C:19:46, F0:DE:F1:D8:C2:19, 60:D8:19:B1:E1:37
> This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.

GT500 - Posted June 14

> 15 hours ago, shinichi said:
> [+] Loaded 43 offline keys
> Please archive the following info in case of future decryption:
> [*] ID: gRxtj6aMliPt1CHZsPHY7wtdEegoaPifRdnP61s1
> [*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
> [*] MACs: 26:FD:52:B4:DC:07, 24:FD:52:B4:DC:07, AC:22:0B:6E:78:BC, 24:FD:52:B5:49:67
> This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.

GT500 - Posted June 14

> 13 hours ago, MadHawk said:
> [+] Loaded 43 offline keys
> Please archive the following info in case of future decryption:
> [*] ID: JVA5cC4uyeRWfgWlNCYNWypgIU9MQA2IvURCi81p
> [*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
> [*] MACs: 00:E0:4C:1C:17:29
> This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.

> 13 hours ago, MadHawk said:
> I am really getting desperate, when will my problem be solved??

Your files will only be decryptable once the creator of STOPDecrypter is able to figure out your decryption key. Unfortunately there is no way to know when that might happen, so it's not possible for me to give you an ETA. For now just try your best to be patient, and trust that work is progressing on dealing with this ransomware.

GT500 - Posted June 14

> 11 hours ago, Mostafa Sayed said:
> No key for ID: BKVV8ha08vR69G3Q56QeBziitayvnpRTuVH6MRaO (.gerosan )
> Unidentified ID: BKVV8ha08vR69G3Q56QeBziitayvnpRTuVH6MRaO (.gerosan )
> MACs: 00:24:E8:22:7A:B6
> Decrypted 4 files, skipped 4129

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.

GT500 - Posted June 14

> 10 hours ago, EricN said:
> @GT500 my files are still infected by gerosan.. please help me.... I really need all the files...

I understand it can be frustrating, however figuring out your decryption key is going to take some time. Please try your best to be patient, and we'll do what we can to help you.

GT500 - Posted June 14

> 4 hours ago, Sg123 said:
> Please help me. I really cannot afford to lose my files. All my data is encrypted.

Please do your best to be patient, and we'll do what we can for you. It's just going to take some time.

GT500 - Posted June 14

> 1 hour ago, Rachwell said:
> Good night,
> My files are infected with .gerosan and CryptXXX. I also did lock the malware in Windows system32, but I cannot recover the .gerosan files. I read the forum topics and tried most of the solutions here, but nothing works. What should I do?

While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

GT500 - Posted June 14

> 16 hours ago, Abichandra said:
> So do I need to wait until all of the offline keys are available? Cause 1 key is available, that's why I can decrypt some of my files. But still the files that were decrypted are corrupted. Thanks

There's only one offline ID and key for each version of the STOP/Djvu ransomware. You have an online ID and key, and thus will need to wait until the creator of STOPDecrypter is able to figure out your decryption key for you.

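Added example, not part of the thread and not STOPDecrypter's own code: a small Python triage of pasted STOPDecrypter output that separates the offline ID named in this thread from IDs that still have no key, and reports whether the ID or the MAC addresses that support asks for are missing. The sample logs, the placeholder ID and the placeholder MAC addresses are constructed; the status labels and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# The one ID this thread itself identifies as an offline ID.
KNOWN_OFFLINE_IDS = frozenset({"PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1"})

# Patterns follow the output lines quoted in the thread. findall() is used
# instead of line-by-line parsing so pastes flattened onto one line still work.
ID_RE = re.compile(r"ID:\s*([A-Za-z0-9]+)(?:\s*\(\s*(\.[^\s)]+)\s*\))?")
NO_KEY_RE = re.compile(r"No key for ID:\s*([A-Za-z0-9]+)")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
LOADED_RE = re.compile(r"Loaded\s+(\d+)\s+offline keys")
COUNTS_RE = re.compile(r"Decrypted\s+(\d+)\s+files[!,]?\s+[Ss]kipped\s+(\d+)")


@dataclass
class Triage:
    offline_keys_loaded: Optional[int] = None
    ids: dict = field(default_factory=dict)    # id -> status/extensions/no_key_hits
    macs: list = field(default_factory=list)   # unique, upper-cased, in order seen
    decrypted: Optional[int] = None
    skipped: Optional[int] = None
    missing: list = field(default_factory=list)

    def awaiting_key(self):
        """IDs to archive together with the MACs until a key exists."""
        return [i for i, e in self.ids.items() if e["status"] == "no-key-yet"]


def triage(text, offline_ids=KNOWN_OFFLINE_IDS):
    report = Triage()
    loaded = LOADED_RE.search(text)
    if loaded:
        report.offline_keys_loaded = int(loaded.group(1))

    # Every "ID: <value>" occurrence, with the "(.ext )" suffix when present.
    for victim_id, ext in ID_RE.findall(text):
        entry = report.ids.setdefault(victim_id, {
            "status": "offline-key" if victim_id in offline_ids else "no-key-yet",
            "extensions": [],
            "no_key_hits": 0,
        })
        if ext and ext not in entry["extensions"]:
            entry["extensions"].append(ext)

    # Per-file failures; each match is also an ID_RE match, so the key exists.
    for victim_id in NO_KEY_RE.findall(text):
        report.ids[victim_id]["no_key_hits"] += 1

    for mac in MAC_RE.findall(text):
        mac = mac.upper()
        if mac not in report.macs:
            report.macs.append(mac)

    counts = COUNTS_RE.findall(text)
    if counts:  # the last summary line is the final tally
        report.decrypted, report.skipped = map(int, counts[-1])

    # A report needs both pieces before it can be forwarded and archived.
    if not report.ids:
        report.missing.append("victim ID")
    if not report.macs:
        report.missing.append("MAC addresses")
    return report


# Constructed sample, flattened onto one line the way forum pastes often are.
SAMPLE_LOG = (
    "[+] Loaded 43 offline keys Please archive the following info in case of "
    "future decryption: [*] ID: ConstructedExampleId00000000000000000001 "
    "[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1 "
    "[*] MACs: 02:00:00:00:00:01, 02:00:00:00:00:02 "
    "This info has also been logged to STOPDecrypter-log.txt "
    r"[+] File: D:\work\report.docx.gerosan "
    "[-] No key for ID: ConstructedExampleId00000000000000000001 (.gerosan ) "
    "Decrypted 4 files, skipped 1"
)

# Constructed sample with MAC addresses but no ID line at all.
SAMPLE_NO_ID = (
    "[+] Loaded 43 offline keys Please archive the following info in case of "
    "future decryption: [*] MACs: 02:00:00:00:00:03 "
    "This info has also been logged to STOPDecrypter-log.txt"
)

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("no-id", SAMPLE_NO_ID)):
        r = triage(log)
        print(name, "awaiting key:", r.awaiting_key(), "missing:", r.missing)
```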
EricN - Posted June 14

> 20 minutes ago, GT500 said:
> I understand it can be frustrating, however figuring out your decryption key is going to take some time. Please try your best to be patient, and we'll do what we can to help you.

@GT500 thank you very much boss... This ransomware is very frustrating... please help me boss... I'm begging you boss...

Golfdemon - Posted June 15

Please Help

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: zhCQs53TUKxhx3SDzpRxMbRYTbLhA09OwpCnPSa6
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: FC:AA:14:E9:01:20, 00:FF:8C:0E:0A:01
This info has also been logged to STOPDecrypter-log.txt

trio - Posted June 15

Please, help me to recover my files. I really need them for work, I'm a teacher and I really need my files back to teach my students, thanks.

Here is my info:

Decrypted 206 files! Skipped 5713 files.
[!] No keys were found for the following IDs:
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.doc )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.gerosan )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.docx )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.ssl )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.jpg )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.xlsx )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.pdf )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.rtf )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.flv )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.rar )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.exe )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.zip )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.xlsm )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.mp4 )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.0_full_intl )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.pptx )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.ogg )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.JPG )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.mp3 )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.ppt )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.Mp3 )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.com] )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.MP3 )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.m4a )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.one )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.xls )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.tda )
[*] ID: rPoDyVD8y0XdNUeWYUmpDbrTglzsOrFMHZGom5jB (.tdz )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:FF:AE:8E:70:3E, 1A:CF:5E:EC:A4:83, 18:CF:5E:EC:A4:83, 18:CF:5E:EC:A4:84, 28:D2:44:BC:60:D5
This info has also been logged to STOPDecrypter-log.txt

Din - Posted June 15

> On 6/14/2019 at 6:42 AM, GT500 said:
> @Yassine, @Luwie, @Rizkifebian, @Din please note that your ID (PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1) is an offline ID, and support for it was added to STOPDecrypter this afternoon. Simply download STOPDecrypter again and run it, and the new version should be able to decrypt your files:
> https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip

THANK YOU SO MUCH. IT REALLY WORKS. MY DATA IS BACK NOW

Tucker - Posted June 15

@GT500 Same issue too, please help. Thank you so much.

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 60:A4:4C:35:39:2A, 40:9B:CD:96:F2:D8
This info has also been logged to STOPDecrypter-log.txt

By the way, is it normal to not have an ID? If yes, how to find it?

Attached files: STOPDecrypter-log.txt, FRST.txt, Addition.txt

Amigo-A - Posted June 15

@Din I sent you a message even earlier. 😃

Rachwell - Posted June 15

@GT500 Here are the files.

Attached files: Addition.txt, FRST.txt, stopdecrypterlog.txt

Amigo-A - Posted June 15

@Rachwell There are malicious files in the logs! Be careful! Wait for a response from the Emsisoft support service.

Rachwell - Posted June 15

@Amigo-A Ok, thanks. But is there something that I can do? I'm trying to recover my files with "recuva", but most are still broken.

Mohamad Ajmal - Posted June 15

Hi

Mohamad Ajmal - Posted June 15

Good night,
My files are infected with .gerosan. I read the forum topics and tried most of the solutions here, but nothing works. What should I do? I need your kind support.

Amigo-A - Posted June 15

> 6 hours ago, Rachwell said:
> But is there something that I can do? I'm trying to recover my files with "recuva", but most are still broken.

@Rachwell No. First you need to get rid of malware. Otherwise, encryption may be repeated or restarted with other components.
I did not look deeply, but all the anti-virus programs and on-demand scanners that are on your PC, as it became clear, turned out to be useless. You can remove them all and install the "Emsisoft Emergency Kit" for a full check. Check the PC and agree to send quarantined malware files. Attach the results to the message for the Emsisoft experts to see.

Amigo-A - Posted June 15

@Mohamad Ajmal See the answer to your request.

Rachwell - Posted June 16

@Amigo-A and @GT500
Hi, attached is the result of the Emsisoft Emergency Kit.
I have already discovered the possible source of ransomware, if you want to send the .zip file or the download link, maybe this information will help us

Attached file: scan_190615-205306.txt

Amigo-A - Posted June 16

@Rachwell Gorblimy! Here are files from several encryptors and other malicious files. It is better to wait for the answer of the Emsisoft specialist @GT500, since it's their tool. It may be necessary to take samples of encryptor from Quarantine.

Amigo-A - Posted June 16

> 8 hours ago, Rachwell said:
> if you want to send the .zip file or the download link, maybe this information will help us

Yes, use the site www.sendspace.com to upload such an archive. It is advisable to set a password 'infected' so that the service does not delete it.

Rachwell - Posted June 16

> 4 hours ago, Amigo-A said:
> @Rachwell Gorblimy! Here are files from several encryptors and other malicious files. It is better to wait for the answer of the Emsisoft specialist @GT500, since it's their tool. It may be necessary to take samples of encryptor from Quarantine.

Ok, many thanks for all the help!
I have to return the infected PC tonight, and I recovered some files with recuva yesterday. I'll not format the computer, but leave the Emsisoft Anti-Malware running, notifying the owner about that ransomware's infection. There are some copies of .gerosan files with me that I'll keep for help, and I'm waiting for @GT500's tool.

kiki - Posted June 17

> On 14/6/2019 at 06.46, GT500 said:
> I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.

Thank you. Hopefully it can solve the problem in a not too long time.

Amigo-A - Posted June 17

@kiki
While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components that encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

bangjonijoni 0 Posted June 17
Decrypted 0 files!
Skipped 1 files.
[!] No keys were found for the following IDs:
[*] ID: bdq0AAasBwkQPXS021RM1yFTm3a7SElwnVsi7yVY (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 20:68:9D:EE:6F:72, 08:60:6E:8B:55:73, 20:68:9D:EE:29:B8
This info has also been logged to STOPDecrypter-log.txt
aspalt.xlsx.gerosan
Amigo-A 44 Posted June 17
@bangjonijoni While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components to encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
kiki 0 Posted June 17
4 hours ago, Amigo-A said: @kiki While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components to encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
That is my FRST file
FRST.txt
Amigo-A 44 Posted June 17
1 hour ago, kiki said: That is My FRST file
There are several suspicious files, also check with the Emsisoft Emergency Kit https://www.emsisoft.com/en/home/emergencykit/
Do not delete the quarantine until you show the results or a screenshot.
GT500 594 Posted June 17
On 6/14/2019 at 7:57 PM, EricN said: @GT500 thank you very much boss... This ransomware is very frustrating... please help me boss... I'm begging you boss...
There's currently no way to speed up the process. Just give us time, and we'll do what we can.
GT500 594 Posted June 17
On 6/14/2019 at 11:01 PM, Golfdemon said:
[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: zhCQs53TUKxhx3SDzpRxMbRYTbLhA09OwpCnPSa6
[*] ID: PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1
[*] MACs: FC:AA:14:E9:01:20, 00:FF:8C:0E:0A:01
This info has also been logged to STOPDecrypter-log.txt
I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.
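Added example, not part of any post in this thread and not Emsisoft's or the STOPDecrypter author's code: a small Python parser that pulls the IDs, file extension and MAC addresses out of pasted STOPDecrypter output so they can be archived as the replies above ask. The sample text is constructed in the two output layouts quoted in the thread, and the 40-character ID length is an assumption taken from the IDs posted here.

```python
import re

# Constructed sample in the two output layouts quoted in this thread
# (the IDs and MAC addresses below are made up, not taken from any post).
SAMPLE = """\
[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] ID: EXAMPLEexampleEXAMPLEexampleEXAMPLE00001
[*] ID: EXAMPLEexampleEXAMPLEexampleEXAMPLE00002
[*] MACs: 02:00:00:00:00:01, 02:00:00:00:00:02
This info has also been logged to STOPDecrypter-log.txt
[+] File:report.xlsx.gerosan
[-] No key for ID: EXAMPLEexampleEXAMPLEexampleEXAMPLE00002 (.gerosan )
[!] No keys were found for the following IDs:
[*] ID: EXAMPLEexampleEXAMPLEexampleEXAMPLE00002 (.gerosan )
[*] MACs: 02:00:00:00:00:02, 02-00-00-00-00-03, not-a-mac
"""

# Assumption: IDs are 40 alphanumeric characters, as in the posts above.
# The optional "(.ext )" suffix appears only in the "No key" layouts.
ID_RE = re.compile(r"\bID:\s*([A-Za-z0-9]{40})(?:\s*\(\s*(\.\w+)\s*\))?")
MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$")


def parse_report(text):
    """Collect the IDs, extensions and MACs a victim is asked to archive."""
    ids, macs, rejected = {}, [], []
    for line in text.splitlines():
        match = ID_RE.search(line)
        if match:
            extensions = ids.setdefault(match.group(1), set())
            if match.group(2):
                extensions.add(match.group(2))
            continue
        if "MACs:" in line:
            for raw in line.split("MACs:", 1)[1].split(","):
                mac = raw.strip().upper().replace("-", ":")
                if MAC_RE.match(mac):
                    if mac not in macs:      # de-duplicate, keep first-seen order
                        macs.append(mac)
                elif mac:
                    rejected.append(raw.strip())  # keep for manual review
    return {"ids": {k: sorted(v) for k, v in ids.items()},
            "macs": macs, "rejected": rejected}


if __name__ == "__main__":
    print(parse_report(SAMPLE))
```

Anything that lands in `rejected` is worth re-checking against STOPDecrypter-log.txt before the record is filed, since a mistyped MAC address makes the archive entry less useful later.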
GT500 594 Posted June 17
On 6/15/2019 at 12:12 AM, trio said: Please, help me to recover my files, I really need them for work, I'm a teacher and I really need my files back to teach my students, thanks. Here is my info:
I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.
Note: This will take time. Unfortunately there's no way around that at the moment.