MadHawk 0 Posted June 13, 2019 Report Share Posted June 13, 2019 When is it expected that .gerosan ransomware's decryption will be possible? Should we keep our affected files as is for some time? Quote Link to post Share on other sites
Amigo-A 136 Posted June 13, 2019 Report Share Posted June 13, 2019 Yes. Only leave all ransom notes in folders with files, in which they were at the time of encryption. Files can be encrypted with different keys. Transfer it all to free disk space or external drive and reinstall Windows. You should know that this is not a simple infection that is easy to delete and unlock files with one click of the mouse. This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. Now on the forum a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. This is possible only in case where the files were encrypted with offline keys and an instance of the malware was detected. Demonslay335 (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. Quote Link to post Share on other sites
Amigo-A 136 Posted June 13, 2019 Report Share Posted June 13, 2019 New version of STOP Decrypter releasedhttps://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip Quote Link to post Share on other sites
anjali 0 Posted June 17, 2019 Report Share Posted June 17, 2019 Hi My folders got encrypted by .gerosan The log of Stopencryptor as follows [+] Loaded 44 offline keys Please archive the following info in case of future decryption: [*] MACs: 2C:41:38:B7:DC:9D This info has also been logged to STOPDecrypter-log.txt Selected directory: C:\Users\Parvathy\Downloads Starting decryption... [+] File: C:\Users\Parvathy\Downloads\1921-19-RV1_Revised.doc.gerosan [-] No key for ID: ehq5Lt7hTny3rHq6jqiAnNIcwbiBzwZ6a6JmwjrM (.gerosan ) Pls help _readme.txt Quote Link to post Share on other sites
GT500 873 Posted June 17, 2019 Report Share Posted June 17, 2019 17 hours ago, anjali said: [+] Loaded 44 offline keys Please archive the following info in case of future decryption: [*] MACs: 2C:41:38:B7:DC:9D This info has also been logged to STOPDecrypter-log.txt Selected directory: C:\Users\Parvathy\Downloads Starting decryption... [+] File: C:\Users\Parvathy\Downloads\1921-19-RV1_Revised.doc.gerosan [-] No key for ID: ehq5Lt7hTny3rHq6jqiAnNIcwbiBzwZ6a6JmwjrM (.gerosan ) I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you. Quote Link to post Share on other sites
GT500 873 Posted June 17, 2019 Report Share Posted June 17, 2019 On 6/13/2019 at 5:42 AM, MadHawk said: When is it expected that .gerosan ransomware's decryption will be possible? Should we keep our affected files as is for some time? .gerosan is just a variant of the STOP/Djvu ransomware, and decryption is currently only possible once the creator of STOPDecrypter is able to figure out your decryption key. As for how long that takes, there's a short period of time when a new variant first comes out where it can be done very quickly, however after that period of time is over it's not possible to estimate how long it will take. That being said, it should be possible for your files to be decrypted eventually, it'll just take some time. Quote Link to post Share on other sites
shahab 0 Posted June 21, 2019 Report Share Posted June 21, 2019 No key for ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.gerosan ) Unidentified ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.gerosan ) MACs: 50:9A:4C:17:3D:F1 Decrypted 0 files, skipped 110 No key for ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.docx ) Unidentified ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.gerosan ) Unidentified ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.docx ) MACs: 50:9A:4C:17:3D:F1 Decrypted 0 files, skipped 110 Plz Help this is an educational institute plz ……. Quote Link to post Share on other sites
GT500 873 Posted June 21, 2019 Report Share Posted June 21, 2019 16 hours ago, shahab said: Decrypted 0 files, skipped 110 No key for ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.docx ) Unidentified ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.gerosan ) Unidentified ID: fwqCdbnLkBYWyTPHhmrlXaTRmFh8LyOODOFaAdvw (.docx ) MACs: 50:9A:4C:17:3D:F1 Decrypted 0 files, skipped 110 I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you. Quote Link to post Share on other sites
Anas02 0 Posted July 31, 2019 Report Share Posted July 31, 2019 My files (documents) were affected by .access (ransomware) encryption. Need some help. And what if i have original copies of similar files saved somewhere else? Can it helps in decryption? Quote Link to post Share on other sites
GT500 873 Posted August 1, 2019 Report Share Posted August 1, 2019 21 hours ago, Anas02 said: My files (documents) were affected by .access (ransomware) encryption. Need some help. That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to:https://id-ransomware.malwarehunterteam.com/ While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:https://kb.gt500.org/stopdecrypter Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean. While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it. 21 hours ago, Anas02 said: And what if i have original copies of similar files saved somewhere else? Can it helps in decryption? There's nothing publicly available right now that could help you using file pairs like that. Keep them saved somewhere safe though, as there's always the possibility a decrypter requiring file pairs may be possible in the future. Quote Link to post Share on other sites
GT500 873 Posted October 19, 2019 Report Share Posted October 19, 2019 We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/ Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.