MadHawk

.gerosan decryption ransomware

Recommended Posts

When is it expected that .gerosan ransomware's decryption will be possible? Should we keep our affected files as is for some time?

Share this post


Link to post
Share on other sites

Yes. Only leave all ransom notes in folders with files, in which they were at the time of encryption. Files can be encrypted with different keys.

Transfer it all to free disk space or external drive and reinstall Windows.

You should know that this is not a simple infection that is easy to delete and unlock files with one click of the mouse.

This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017.
Now on the forum a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. This is possible only in case where the files were encrypted with offline keys and an instance of the malware was detected.

Demonslay335  (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files.

A positive result and a lucky chance are not always possible.

Share this post


Link to post
Share on other sites

Hi

My folders got encrypted by .gerosan

The log of Stopencryptor as follows

[+] Loaded 44 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 2C:41:38:B7:DC:9D
This info has also been logged to STOPDecrypter-log.txt
Selected directory: C:\Users\Parvathy\Downloads
Starting decryption...

[+] File: C:\Users\Parvathy\Downloads\1921-19-RV1_Revised.doc.gerosan
[-] No key for ID: ehq5Lt7hTny3rHq6jqiAnNIcwbiBzwZ6a6JmwjrM (.gerosan )

Pls help

_readme.txt

Share this post


Link to post
Share on other sites
17 hours ago, anjali said:

[+] Loaded 44 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 2C:41:38:B7:DC:9D
This info has also been logged to STOPDecrypter-log.txt
Selected directory: C:\Users\Parvathy\Downloads
Starting decryption...

[+] File: C:\Users\Parvathy\Downloads\1921-19-RV1_Revised.doc.gerosan
[-] No key for ID: ehq5Lt7hTny3rHq6jqiAnNIcwbiBzwZ6a6JmwjrM (.gerosan )

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

Share this post


Link to post
Share on other sites
On 6/13/2019 at 5:42 AM, MadHawk said:

When is it expected that .gerosan ransomware's decryption will be possible? Should we keep our affected files as is for some time?

.gerosan is just a variant of the STOP/Djvu ransomware, and decryption is currently only possible once the creator of STOPDecrypter is able to figure out your decryption key. As for how long that takes, there's a short period of time when a new variant first comes out where it can be done very quickly, however after that period of time is over it's not possible to estimate how long it will take. That being said, it should be possible for your files to be decrypted eventually, it'll just take some time.

Share this post


Link to post
Share on other sites

No key for ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.gerosan )
Unidentified ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.gerosan )
MACs: 50:9A:4C:17:3D:F1
Decrypted 0 files, skipped 110
No key for ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.docx )
Unidentified ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.gerosan )
Unidentified ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.docx )
MACs: 50:9A:4C:17:3D:F1
Decrypted 0 files, skipped 110

Plz Help this is an educational institute plz …….

Share this post


Link to post
Share on other sites
16 hours ago, shahab said:

Decrypted 0 files, skipped 110
No key for ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.docx )
Unidentified ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.gerosan )
Unidentified ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.docx )
MACs: 50:9A:4C:17:3D:F1
Decrypted 0 files, skipped 110

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.