Luwie

.gerosan file encrypted, Please help


On 6/15/2019 at 3:12 AM, Din said:

THANK YOU SO MUCH. IT REALLY WORKS. MY DATA IS BACK NOW

You're welcome.

Please stay away from pirated software in the future, so that this doesn't happen again. ;)

On 6/15/2019 at 4:56 AM, Tucker said:

@GT500 Same issue here too. Please help. Thank you so much.

[+] Loaded 43 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 60:A4:4C:35:39:2A, 40:9B:CD:96:F2:D8
This info has also been logged to STOPDecrypter-log.txt


By the way, is it normal to not have an ID? If yes, how do I find it?

I don't see any evidence in your logs that you were hit by ransomware. No ransom notes, no encrypted files, etc.

Did you run STOPDecrypter and FRST on the infected system, or on another computer?

On 6/15/2019 at 7:44 AM, Rachwell said:

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

 

As for the FRST logs, please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/rachwell/2019-06June-17/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

On 6/15/2019 at 12:11 PM, Mohamad Ajmal said:
Good night,

My files are infected with .gerosan.
I read the forum topics and tried most of the solutions here, but nothing works. What should I do? I need your kind support.

While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

 

While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

On 6/15/2019 at 8:18 PM, Rachwell said:

@Amigo-A and @GT500

Hi,

Attached is the result of the Emsisoft Emergency Kit.

I have already discovered the possible source of the ransomware. If you want, I can send the .zip file or the download link; maybe this information will help us.
scan_190615-205306.txt 16.28 kB · 3 downloads

It looks like that's deleted a lot of the stuff I put in the fixlist already, so the fixlog should show a lot of errors, but go ahead and run the FRST fix just to be sure and let me see the fixlog so that I know everything was removed properly.

On 6/14/2019 at 1:22 PM, Abichandra said:

Hi.. I've managed to decrypt some of my files..

But if I try to open them, it says that my files are damaged.

Are yours like that too?

yeah...same here...!!

 

On 6/15/2019 at 7:27 AM, GT500 said:

There's only one offline ID and key for each version of the STOP/Djvu ransomware. You have an online ID and key, and thus will need to wait until the creator of STOPDecrypter is able to figure out your decryption key for you.

So is there a next step that must be done?

17 hours ago, bangjonijoni said:

[!] No keys were found for the following IDs:
[*] ID: bdq0AAasBwkQPXS021RM1yFTm3a7SElwnVsi7yVY (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 20:68:9D:EE:6F:72, 08:60:6E:8B:55:73, 20:68:9D:EE:29:B8
This info has also been logged to STOPDecrypter-log.txt

The creator of STOPDecrypter let me know that he already archived your information. Just give him some time, and he'll let you know if he's able to figure out your decryption key.

8 minutes ago, Rizkifebian said:

So is there a next step that must be done?

Yes, you need to wait until the creator of STOPDecrypter can figure out your decryption key. It'll take some time, so please try to be patient.


No key for ID: bdq0AAasBwkQPXS021RM1yFTm3a7SElwnVsi7yVY (.gerosan )
Unidentified ID: bdq0AAasBwkQPXS021RM1yFTm3a7SElwnVsi7yVY (.gerosan )
MACs: 20:68:9D:EE:6F:72, 08:60:6E:8B:55:73, 20:68:9D:EE:29:B8
Decrypted 408 files, skipped 390

17 hours ago, bangjonijoni said:

No key for ID: bdq0AAasBwkQPXS021RM1yFTm3a7SElwnVsi7yVY (.gerosan )
Unidentified ID: bdq0AAasBwkQPXS021RM1yFTm3a7SElwnVsi7yVY (.gerosan )
MACs: 20:68:9D:EE:6F:72, 08:60:6E:8B:55:73, 20:68:9D:EE:29:B8
Decrypted 408 files, skipped 390

Repeatedly posting your information won't help get your files decrypted faster. Right now all you need to do is give us time, and we'll do what we can to help you.


help 

[+] Loaded 52 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 00:FF:4F:C1:E3:97, 00:25:4B:CB:11:C0
This info has also been logged to STOPDecrypter-log.txt
Selected directory: C:\Users\NRPC\Desktop\wetransfer-ba5743
Starting decryption...

[+] File: C:\Users\NRPC\Desktop\wetransfer-ba5743\guru.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

[+] File: C:\Users\NRPC\Desktop\wetransfer-ba5743\IMG_7230.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

[+] File: C:\Users\NRPC\Desktop\wetransfer-ba5743\IMG_7275.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

[+] File: C:\Users\NRPC\Desktop\wetransfer-ba5743\IMG_7360.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

Decrypted 0 files!
Skipped 4 files.

[!] No keys were found for the following IDs:
[*] ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:FF:4F:C1:E3:97, 00:25:4B:CB:11:C0
This info has also been logged to STOPDecrypter-log.txt


@Naineesh1

A malicious program can leave Trojans and stealers of personal information on your PC after it has done its work.

It is configured to cause the most harm and can work secretly for a long time.

Check your PC with Emsisoft Emergency Kit to rule out re-encryption:
http://www.emsisoft.com/en/software/eek/

Just do not select the option to delete files in quarantine, so that the experts can see the result later.


@Amigo-A @GT500

still waiting for...

still waiting for....

[!] No keys were found for the following IDs:
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.gerosan )
[*] ID: 4HPyKBFsnsZT5KqtZV4L5VkeBtOK4qQ9lrdK6BAt (.cdr )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 98:28:A6:21:A5:DC, 32:D1:6B:DE:FA:9F, 42:D1:6B:DE:FA:9F, 30:D1:6B:DE:FA:9F
This info has also been logged to STOPDecrypter-log.txt


@EricN

I cannot help you.

The information for decryption is collected by Demonslay335 (the developer of STOPDecrypter), or GT500 forwards it to him when he has time.
You can send this information to Demonslay335 on Twitter or post it on the BleepingComputer forum, where he comes more often.
Believe me, a great many affected users from all over the world send him messages. I do not know how he processes the information, or where he finds so much strength and energy for this hard work.

On 7/7/2019 at 5:00 AM, Naineesh1 said:

[!] No keys were found for the following IDs:
[*] ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:FF:4F:C1:E3:97, 00:25:4B:CB:11:C0
This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

On 7/7/2019 at 8:49 PM, EricN said:

still waiting for...

still waiting for....

Unfortunately, with this ransomware the solutions aren't quick; however, if you can give us time, then we should be able to help you.

14 hours ago, Abichandra said:

Hi !

Any news on my key? Thanks!

Not yet.


Hi GT500,

My system was also affected by the new Djvu ransomware, and now my files are showing as encrypted with the .gerosan, .gero & .hese extensions.

I have attached the log files from STOPDecrypter as well as the FRST scanner.

Thank you for the steps you have shared to run those tools.

Please also help me and let me know how I can get my official data back as it is very important!!

Thanks,

Vaibhav

Logs_2.zip


@Vaibhav please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/2019-08August-29/Vaibhav/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

On 9/2/2019 at 2:02 AM, Vaibhav said:

Hi GT500,

 

I ran the scan again and am attaching the report.

It says that it detected some Trojan horse. Please suggest what I should do next.

Go ahead and let it delete everything except STOPDecrypter. That false positive should be resolved by now anyway, so if you run another scan after checking for updates in Emsisoft Emergency Kit, then it shouldn't detect it again.

14 hours ago, chinh said:

Hi,

Please help me.

My MAC ID: 40-B0-76-DC-BB-73

Thank you very much

That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to:
https://id-ransomware.malwarehunterteam.com/

 

Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

 

While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

39 minutes ago, GT500 said:

Go ahead and let it delete everything except STOPDecrypter. That false positive should be resolved by now anyway, so if you run another scan after checking for updates in Emsisoft Emergency Kit, then it shouldn't detect it again.

@GT500 Sure, will do and post an update.

So for now there is no way to decrypt the files?

We will have to wait for STOPDecrypter's developer to update the tool.

19 hours ago, Vaibhav said:

So for now there is no way to decrypt the files?

Correct. The .gero and .gerosan variants of STOP/Djvu are a bit different, and STOPDecrypter won't be effective against files that were encrypted by the .gero variant.

If you want to report this ransomware infection to law enforcement so that they are more fully aware of how many victims there have been, and have further motivation to further investigate, then here is a link to a list of national law enforcement agencies that includes every country collaborating with the No More Ransom project:
https://www.nomoreransom.org/en/report-a-crime.html

3 hours ago, GT500 said:

Correct. The .gero and .gerosan variants of STOP/Djvu are a bit different, and STOPDecrypter won't be effective against files that were encrypted by the .gero variant.

If you want to report this ransomware infection to law enforcement so that they are more fully aware of how many victims there have been, and have further motivation to further investigate, then here is a link to a list of national law enforcement agencies that includes every country collaborating with the No More Ransom project:
https://www.nomoreransom.org/en/report-a-crime.html

@GT500 Thank you for the link. I'll keep an eye on updates regarding the STOPDecrypter tool.

Also thanks to the Developers who are working on this and helping people like me. I just hope they are able to crack the code soon.


Hello @Mar2297

This is the result of a STOP-Djvu ransomware attack. I have been tracking the malicious work of this program since December 2017.
There are now a lot of victims of different variants of this ransomware on the forum. In some cases, the files can be decrypted.

The .gero extension is a new variant of STOP ransomware. Until recently, it was possible to collect some information and add it to STOPDecrypter. Now this does not help. We expect changes in the decryption method. But so far there is no such news, and the victims remain with encrypted files.

I repeat, there is no way to decrypt files yet. Any site that offers decryption for this variant may be a scam site. Be careful.

2 hours ago, Mar2297 said:

But may I know if there's another solution for this besides STOPDecrypter?

There is currently no way to decrypt files that have been encrypted by the .gero variant of STOP/Djvu. We recommend backing up encrypted files and waiting until a solution presents itself.

5 hours ago, Mar2297 said:

But may I know if there's another solution for this besides STOPDecrypter?

There is no other decoder (decryptor) for this variant of STOP-Djvu ransomware, or for any STOP variant in general.

Some anti-virus companies could decrypt 2-3 variants, but this was long ago and does not apply to modern variants.

Any site that offers decryption for this variant may be a scam site, or they conspire with the ransomware operators in order to extract their own benefit from the deal.

On 6/14/2019 at 6:22 AM, Abichandra said:

Hi.. I've managed to decrypt some of my files..

But if I try to open them, it says that my files are damaged.

Are yours like that too?

ID: D4EEFkwc2cVKEjBlc68vCKEqcBCY8pL6ptsq5oe2 (.gero ) Can you help me? I've got the .gero extension; that is my ID. Please email me ****** if there is a cure for this .gero.


ID: D4EEFkwc2cVKEjBlc68vCKEqcBCY8pL6ptsq5oe2 (.gero ) This is my ID for the .gero virus extension. I hope you can help me; I need to decrypt the .docx and .xls files. Please let me know if there is a solution; email me at ****

15 hours ago, tonyjr said:

ID: D4EEFkwc2cVKEjBlc68vCKEqcBCY8pL6ptsq5oe2 (.gero ) This is my ID for the .gero virus extension. I hope you can help me; I need to decrypt the .docx and .xls files. Please let me know if there is a solution; email me at ****

It's not safe to publish your e-mail address publicly, especially when asking for help for a ransomware infection. Criminals who make ransomware do monitor our forums, and they may try to contact you to extort you for money.

As for the ransomware your computer was infected with, .gero is usually associated with a newer variant of STOP/Djvu, and is a bit different from files that have .gerosan added to their names. The encryption has changed recently, and decryption of files that have had .gero added to the end of their name is not currently possible.

16 hours ago, Abichandra said:

Hi,

It's been months; any news on my key?

Thanks !

Work is still progressing on your case. Hopefully it won't be too much longer.


Hi, 

Please help for .gerosan Ransomware

No key for ID: xJMLVksJMtp73YliiPsKq4wsJtjnna8uiXjaeqXu (.gerosan )

I have used STOPDecrypter but it does nothing.

18 hours ago, retep1978 said:

No key for ID: xJMLVksJMtp73YliiPsKq4wsJtjnna8uiXjaeqXu (.gerosan )

I have used STOPDecrypter but it does nothing.

That's because STOP/Djvu was able to connect to its command and control server when it encrypted your files, meaning the server generated a new encryption key for your files, and STOPDecrypter has no way of knowing what that key is.

Work is progressing on something that may help. Please give us some time, and we'll see what we can do for you.

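Added example, not code from this thread or from STOPDecrypter's author: a small Python parser for the STOPDecrypter output pasted throughout this topic (the "Loaded N offline keys", "MACs:", "No key for ID", "[*] ID:" and "Decrypted/Skipped" lines, including the bare forms bangjonijoni posted). It extracts each ID with the extensions it was seen under, the MAC addresses and the counts, so the archive record GT500 asks victims to keep can be produced from the log rather than retyped. The regexes and the trimmed sample log are assumptions modelled on the lines quoted here.

```python
import re
from typing import List

# Sample input shortened from the STOPDecrypter output quoted in this thread
# (two of the four files kept, and the skipped count adjusted to match).
SAMPLE_LOG = """\
[+] Loaded 52 offline keys
[*] MACs: 00:FF:4F:C1:E3:97, 00:25:4B:CB:11:C0

[+] File: C:\\Users\\NRPC\\Desktop\\wetransfer-ba5743\\guru.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

[+] File: C:\\Users\\NRPC\\Desktop\\wetransfer-ba5743\\IMG_7230.jpg.gerosan
[-] No key for ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )

Decrypted 0 files!
Skipped 2 files.

[!] No keys were found for the following IDs:
[*] ID: vk270TR723IC8wfHFKNR7FxEEtHLHIlTK0YPIdQT (.gerosan )
[*] MACs: 00:FF:4F:C1:E3:97, 00:25:4B:CB:11:C0
"""

# One pattern per line type seen in this thread's logs; the "id" pattern accepts
# the "[-] No key for ID", bare "No key for ID", "Unidentified ID" and "[*] ID" forms.
_RE = {
    "keys": re.compile(r"^\[\+\] Loaded (\d+) offline keys"),
    "macs": re.compile(r"^(?:\[\*\] )?MACs: (.+)$"),
    "id": re.compile(r"^(?:\[[-*]\] )?(?:No key for |Unidentified )?ID: (\S+) \(\.(\w+) ?\)"),
    "file": re.compile(r"^\[\+\] File: (.+)$"),
    "decrypted": re.compile(r"^Decrypted (\d+) files"),
    "skipped": re.compile(r"(?:^Skipped|, skipped) (\d+)"),   # both summary styles
}

def parse_stopdecrypter_log(text: str) -> dict:
    """Parse STOPDecrypter console/log output into a structured record."""
    rep = {"offline_keys_loaded": None, "macs": [], "ids": {},
           "files": [], "decrypted": 0, "skipped": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _RE["decrypted"].search(line):
            rep["decrypted"] = int(m.group(1))
        if m := _RE["skipped"].search(line):
            rep["skipped"] = int(m.group(1))
        if m := _RE["keys"].search(line):
            rep["offline_keys_loaded"] = int(m.group(1))
        elif m := _RE["macs"].search(line):
            for mac in m.group(1).split(","):           # unique, first-seen order
                mac = mac.strip().upper()
                if mac and mac not in rep["macs"]:
                    rep["macs"].append(mac)
        elif m := _RE["file"].search(line):
            rep["files"].append(m.group(1))
        elif m := _RE["id"].search(line):                # ID -> extensions seen with it
            rep["ids"].setdefault(m.group(1), set()).add(m.group(2))
    return rep

def archive_summary(rep: dict) -> List[str]:
    """One line per ID (with the extensions it was seen with), then the MACs."""
    lines = [f"ID: {i} ({', '.join('.' + e for e in sorted(exts))})"
             for i, exts in sorted(rep["ids"].items())]
    if rep["macs"]:
        lines.append("MACs: " + ", ".join(rep["macs"]))
    return lines
```

Keep the summary lines together with a copy of the encrypted files; the ID is what the decryptor's author needs to match a recovered key to your files.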
2 hours ago, GT500 said:

That's because STOP/Djvu was able to connect to its command and control server when it encrypted your files, meaning the server generated a new encryption key for your files, and STOPDecrypter has no way of knowing what that key is.

Work is progressing on something that may help. Please give us some time, and we'll see what we can do for you.

Thanks.


We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

