Luwie

.gerosan file encrypted, Please help


On 6/15/2019 at 3:12 AM, Din said:

THANK YOU SO MUCH. IT REALLY WORKS. MY DATA IS BACK NOW

You're welcome.

Please stay away from pirated software in the future, so that this doesn't happen again. ;)

On 6/15/2019 at 4:56 AM, Tucker said:

@GT500 Same issue too, Please help. Thank you so much.

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 60:A4:4C:35:39:2A, 40:9B:CD:96:F2:D8
This info has also been logged to STOPDecrypter-log.txt


By the way, is it normal to not have an ID? If so, how do I find it?

I don't see any evidence in your logs that you were hit by ransomware. No ransom notes, no encrypted files, etc.

Did you run STOPDecrypter and FRST on the infected system, or on another computer?

On 6/15/2019 at 7:44 AM, Rachwell said:

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

 

As for the FRST logs, please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/rachwell/2019-06June-17/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

On 6/15/2019 at 12:11 PM, Mohamad Ajmal said:
Good night,

My files are infected with .gerosan.
I read the forum topics and tried most of the solutions here, but nothing works. What should I do? I need your kind support.

While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

 

While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

On 6/15/2019 at 8:18 PM, Rachwell said:

@Amigo-A and @GT500

Hi,

Attached is the result of the Emsisoft Emergency Kit scan.

I have already discovered the possible source of the ransomware. If you want to send the .zip file or the download link, maybe this information will help us.
scan_190615-205306.txt (attached)

It looks like that's deleted a lot of the stuff I put in the fixlist already, so the fixlog should show a lot of errors, but go ahead and run the FRST fix just to be sure and let me see the fixlog so that I know everything was removed properly.

On 6/14/2019 at 1:22 PM, Abichandra said:

Hi.. I've managed to decrypt some of my files..

But if I tried to open it, it says that my files are damaged

Are yours like that too ?

Yeah... same here!

 

On 6/15/2019 at 7:27 AM, GT500 said:

There's only one offline ID and key for each version of the STOP/Djvu ransomware. You have an online ID and key, and thus will need to wait until the creator of STOPDecrypter is able to figure out your decryption key for you.

So is there a next step that must be done?

17 hours ago, bangjonijoni said:

[!] No keys were found for the following IDs:
[*] ID: bdq0AAasBwkQPXS021RM1yFTm3a7SElwnVsi7yVY (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 20:68:9D:EE:6F:72, 08:60:6E:8B:55:73, 20:68:9D:EE:29:B8
This info has also been logged to STOPDecrypter-log.txt

The creator of STOPDecrypter let me know that he already archived your information. Just give him some time, and he'll let you know if he's able to figure out your decryption key.

8 minutes ago, Rizkifebian said:

So is there a next step that must be done?

Yes, you need to wait until the creator of STOPDecrypter can figure out your decryption key. It'll take some time, so please try to be patient.


No key for ID: bdq0AAasBwkQPXS021RM1yFTm3a7SElwnVsi7yVY (.gerosan )
Unidentified ID: bdq0AAasBwkQPXS021RM1yFTm3a7SElwnVsi7yVY (.gerosan )
MACs: 20:68:9D:EE:6F:72, 08:60:6E:8B:55:73, 20:68:9D:EE:29:B8
Decrypted 408 files, skipped 390

17 hours ago, bangjonijoni said:

No key for ID: bdq0AAasBwkQPXS021RM1yFTm3a7SElwnVsi7yVY (.gerosan )
Unidentified ID: bdq0AAasBwkQPXS021RM1yFTm3a7SElwnVsi7yVY (.gerosan )
MACs: 20:68:9D:EE:6F:72, 08:60:6E:8B:55:73, 20:68:9D:EE:29:B8
Decrypted 408 files, skipped 390

Repeatedly posting your information won't help get your files decrypted faster. Right now all you need to do is give us time, and we'll do what we can to help you.


help 

[+] Loaded 52 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 00:FF:4F:C1:E3:97, 00:25:4B:CB:11:C0
This info has also been logged to STOPDecrypter-log.txt
Selected directory: C:\Users\NRPC\Desktop\wetransfer-ba5743
Starting decryption...

[+] File: C:\Users\NRPC\Desktop\wetransfer-ba5743\guru.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

[+] File: C:\Users\NRPC\Desktop\wetransfer-ba5743\IMG_7230.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

[+] File: C:\Users\NRPC\Desktop\wetransfer-ba5743\IMG_7275.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

[+] File: C:\Users\NRPC\Desktop\wetransfer-ba5743\IMG_7360.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

Decrypted 0 files!
Skipped 4 files.

[!] No keys were found for the following IDs:
[*] ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:FF:4F:C1:E3:97, 00:25:4B:CB:11:C0
This info has also been logged to STOPDecrypter-log.txt
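Helpers in this thread end up reading STOPDecrypter logs like the one above by hand, and the same question keeps coming back: is the ID an offline one (GT500 noted earlier that each STOP/Djvu version has only one offline ID and key) or an online one unique to the victim? The Python below is an example added for this edited page; it is not code from the thread, from Emsisoft or from STOPDecrypter. It parses a pasted log into the victim IDs, extensions, MAC addresses and file counts, and classifies each ID. The sample input is the log from the post above; the offline test uses the "t1" suffix that Emsisoft's documentation for its STOP/Djvu decryptor gives for offline IDs (this thread does not mention that detail); the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# Sample input: the STOPDecrypter output posted above in this thread (constructed copy).
SAMPLE_LOG = r"""[+] Loaded 52 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 00:FF:4F:C1:E3:97, 00:25:4B:CB:11:C0
This info has also been logged to STOPDecrypter-log.txt
Selected directory: C:\Users\NRPC\Desktop\wetransfer-ba5743
Starting decryption...

[+] File: C:\Users\NRPC\Desktop\wetransfer-ba5743\guru.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

[+] File: C:\Users\NRPC\Desktop\wetransfer-ba5743\IMG_7230.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

[+] File: C:\Users\NRPC\Desktop\wetransfer-ba5743\IMG_7275.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

[+] File: C:\Users\NRPC\Desktop\wetransfer-ba5743\IMG_7360.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

Decrypted 0 files!
Skipped 4 files.

[!] No keys were found for the following IDs:
[*] ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:FF:4F:C1:E3:97, 00:25:4B:CB:11:C0
This info has also been logged to STOPDecrypter-log.txt
"""

# Matches both "[-] No key for ID: <id> (.ext )" and the "[*] ID: <id> (.ext )" summary lines.
ID_RE = re.compile(r"ID:\s*([A-Za-z0-9]+)\s*\(\s*(\.[^\s)]+)\s*\)")
MAC_RE = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2}){5}$", re.IGNORECASE)
LOADED_RE = re.compile(r"Loaded (\d+) offline keys")
DECRYPTED_RE = re.compile(r"Decrypted (\d+) files")
SKIPPED_RE = re.compile(r"Skipped (\d+) files")

# Assumption from Emsisoft's decryptor documentation, not from this thread:
# STOP/Djvu offline IDs end with "t1"; anything else is an online (per-victim) ID.
OFFLINE_SUFFIX = "t1"


@dataclass
class DecrypterReport:
    offline_keys_loaded: int = 0
    macs: list = field(default_factory=list)      # unique, in order of first appearance
    ids: dict = field(default_factory=dict)       # (victim_id, ext) -> files that needed that key
    decrypted: int = 0
    skipped: int = 0


def is_offline_id(victim_id):
    return victim_id.endswith(OFFLINE_SUFFIX)


def parse_log(text):
    """Parse STOPDecrypter console output into a DecrypterReport."""
    report = DecrypterReport()
    current_file = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOADED_RE.search(line)
        if m:
            report.offline_keys_loaded = int(m.group(1))
            continue
        if line.startswith("[+] File:"):
            current_file = line[len("[+] File:"):].strip()
            continue
        if line.startswith("[*] MACs:"):
            for mac in line[len("[*] MACs:"):].split(","):
                mac = mac.strip().upper()
                if MAC_RE.match(mac) and mac not in report.macs:
                    report.macs.append(mac)
            continue
        m = ID_RE.search(line)
        if m:
            files = report.ids.setdefault((m.group(1), m.group(2)), [])
            # Only per-file "No key" lines carry a file; summary lines just register the ID.
            if line.startswith("[-] No key") and current_file and current_file not in files:
                files.append(current_file)
            continue
        m = DECRYPTED_RE.match(line)
        if m:
            report.decrypted = int(m.group(1))
            continue
        m = SKIPPED_RE.match(line)
        if m:
            report.skipped = int(m.group(1))
    return report


HINT = {
    True: "offline ID: one key per variant, re-run the decrypter after it is updated",
    False: "online ID: key is unique to this victim, wait for it to be recovered",
}


def triage(report):
    """One line per ID telling the helper what kind of wait the victim is in for."""
    return [
        f"{ext} {victim_id} ({len(files)} file(s) skipped): {HINT[is_offline_id(victim_id)]}"
        for (victim_id, ext), files in report.ids.items()
    ]


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    print(f"offline keys loaded: {rep.offline_keys_loaded}, MACs: {', '.join(rep.macs)}")
    for line in triage(rep):
        print(line)
```

Feed it the whole pasted log rather than the summary block alone: the per-file lines are what tell you how many files sit behind each ID, and a log that mixes extensions (one post above shows the same ID under both .gerosan and .cdr) comes out as separate entries per extension.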


@Naineesh1

A malicious program can leave Trojans and stealers of personal information on your PC after it finishes its work.

It is configured to cause the most harm and can work secretly for a long time.

Check your PC with Emsisoft Emergency Kit to rule out re-encryption:
http://www.emsisoft.com/en/software/eek/

Just do not select the option to delete files from quarantine, so that the experts can see the results later.


@Amigo-A @GT500

still waiting for...

still waiting for....

[!] No keys were found for the following IDs:
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.cdr )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 98:28:A6:21:A5:DC, 32:D1:6B:DE:FA:9F, 42:D1:6B:DE:FA:9F, 30:D1:6B:DE:FA:9F
This info has also been logged to STOPDecrypter-log.txt


@EricN

I cannot help you.

The information for decryption is collected by Demonslay335 (the developer of STOPDecrypter), or GT500 forwards it to him when he has time.
You can send this information to Demonslay335 on Twitter or post it on the BleepingComputer forum, which he visits more often.
Believe me, very many affected users from all over the world send him messages. I do not know how he processes all that information, or where he gets so much strength and energy for this hard work.

On 7/7/2019 at 5:00 AM, Naineesh1 said:

[!] No keys were found for the following IDs:
[*] ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:FF:4F:C1:E3:97, 00:25:4B:CB:11:C0
This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

On 7/7/2019 at 8:49 PM, EricN said:

still waiting for...

still waiting for....

Unfortunately with this ransomware the solutions aren't quick, however if you can give us time then we should be able to help you.

