Jump to content

Ransomware .Neras

João Victor
 Share

Recommended Posts

GT500

GT500

Posted
Posted

That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to:
https://id-ransomware.malwarehunterteam.com/

While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

 

Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

 

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

Link to comment
Share on other sites
Yuri

Yuri

Posted
Posted

[+] Loaded 46 offline keys
Please archive the following info in case of future decryption:
[*] ID: yOKj7Yiy7zHqLNoay4dKKiXUvAs2CZxQlXVXfKkk
[*] ID: fl1QN31tuQBZKd6Q43Bemee0EycF0HBYEjwpQTt1
[*] MACs: A8:1E:84:52:11:BB, 3E:A0:67:7C:50:75, 4E:A0:67:7C:50:75, 3C:A0:67:7C:50:75, 3C:A0:67:7C:50:76
This info has also been logged to STOPDecrypter-log.txt

Link to comment
Share on other sites
GT500

GT500

Posted
Posted
On 6/23/2019 at 12:10 PM, Yuri said:

[+] Loaded 46 offline keys
Please archive the following info in case of future decryption:
[*] ID: yOKj7Yiy7zHqLNoay4dKKiXUvAs2CZxQlXVXfKkk
[*] ID: fl1QN31tuQBZKd6Q43Bemee0EycF0HBYEjwpQTt1
[*] MACs: A8:1E:84:52:11:BB, 3E:A0:67:7C:50:75, 4E:A0:67:7C:50:75, 3C:A0:67:7C:50:75, 3C:A0:67:7C:50:76
This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

Link to comment
Share on other sites
  • 3 months later...
GT500

GT500

Posted
Posted

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 09/17/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...