IDXearo

Nusar files encryption


Hi All, 

Currently my friend has a severe virus or so on his PC and almost all of his work files are encrypted when he tried to make a backup. 

From what I can tell it is the nusar extension on his files. The "StopDecrypter" tool we found does not resolve this. 

Let me know if I should attach one of the files to this post. 


extension (.nusar)

This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. 
There are now a lot of victims of different variants of this ransomware on the forum. In some cases, the files can be decrypted. 

@Demonslay335  (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible.

Download STOP Decrypter again >>>

First you need to try to decrypt a small group of files, but first you need to make copies of these files.

If STOPDecrypter won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter 


Thank you very much for following up. 

I have looked at Stop Decrypter and I did try it. It did recover 100 out of 1000 files so that was a good start, at least there is some hope. I posted my information to the forum post. While I don't know how long an answer will take, it doesn't seem like there are any other viable solutions, including paid ones. I did try one Excel file recovery solution and it said "file is severely corrupted", and we wouldn't have even minded paying for it, if it would have worked. 

8 hours ago, IDXearo said:

I posted my information to the forum post.

I assume you mean the STOP ransomware forum topic at BleepingComputer?

Just now, GT500 said:

I assume you mean the STOP ransomware forum topic at BleepingComputer?

Yes that is correct. 

Overall I am looking around for any alternate options including paid. 


@IDXearo

At the moment, STOPDecrypter is the only main and alternative solution to the problem with decryption. We are trying to support this work in various ways that we can provide, including informing the affected users from different countries in the world.

The paid solution - only paying the ransom.

None of the antivirus companies and their partners declared decryption of files after STOP Ransomware. 
This does not mean that they cannot do it. Just this task is not on the business plan of their working week. Their main task is to prevent and eliminate attacks and infections. They a priori do not decrypt files, although they could certainly organize a special anti-encryption department.

5 hours ago, Amigo-A said:

@IDXearo

At the moment, STOPDecrypter is the only main and alternative solution to the problem with decryption. We are trying to support this work in various ways that we can provide, including informing the affected users from different countries in the world.

The paid solution - only paying the ransom.

None of the antivirus companies and their partners declared decryption of files after STOP Ransomware. 
This does not mean that they cannot do it. Just this task is not on the business plan of their working week. Their main task is to prevent and eliminate attacks and infections. They a priori do not decrypt files, although they could certainly organize a special anti-encryption department.

 

Wow, I'm totally surprised this free solution is really the only solution. Completely blown away by this because after some searching there is really no viable paid solution. Thanks for your response!


😄

When searching, you can find many sites that offer to download some kind of "one-stop solution". But this is all a deception.

12 hours ago, IDXearo said:

Wow, I'm totally surprised this free solution is really the only solution. Completely blown away by this because after some searching there is really no viable paid solution. Thanks for your response!

The only "paid" solution at the moment is one where a company negotiates with the criminals for you to try to get you a lower price for decryption.

There are also some companies that will claim they can decrypt files after a ransomware attack without paying the criminals, however a number of independent investigations have found that such companies are merely paying the criminals at a discounted rate, and then charging the victim an inflated fee to make a profit.

My recommendation for now is to wait. You can also get us the information asked for at the following link so that it can be archived, in case the creator of STOPDecrypter is able to figure out your decryption key:
https://kb.gt500.org/stopdecrypter

52 minutes ago, GT500 said:

The only "paid" solution at the moment is one where a company negotiates with the criminals for you to try to get you a lower price for decryption.

There are also some companies that will claim they can decrypt files after a ransomware attack without paying the criminals, however a number of independent investigations have found that such companies are merely paying the criminals at a discounted rate, and then charging the victim an inflated fee to make a profit.

My recommendation for now is to wait. You can also get us the information asked for at the following link so that it can be archived, in case the creator of STOPDecrypter is able to figure out your decryption key:
https://kb.gt500.org/stopdecrypter

 

To be fair, even if paying the ransom was an option, we won't do that because we assume they will just encrypt our stuff again, or try to trick us in some form. 

Thanks for the clarity. I did already post on the forum topic with stopdecrypter so I will wait as you suggested. I can at least relay most of what everyone is saying.

My only question is if you are familiar with the time frame for Stopdecrypter. I imagine they receive many many requests so my request (I imagine) can take some months? Or is it on the scale of days? 

This is my information below. 

No key for ID: AA1yhLWVkYziTvILkY0F8fkO2jfw544OnU31Xm7T (.nusar )
No key for ID: AA1yhLWVkYziTvILkY0F8fkO2jfw544OnU31Xm7T (.xlsx )
Unidentified ID: AA1yhLWVkYziTvILkY0F8fkO2jfw544OnU31Xm7T (.nusar )
Unidentified ID: AA1yhLWVkYziTvILkY0F8fkO2jfw544OnU31Xm7T (.xlsx )
MACs: 70:85:C2:8D:A2:74
Decrypted 123 files, skipped 5871

22 hours ago, IDXearo said:

I did already post on the forum topic with stopdecrypter so I will wait as you suggested.

If you've already posted your information on BleepingComputer, then Demonslay335 (the creator of STOPDecrypter) has probably already archived your information. I've asked him just to be certain.

 

22 hours ago, IDXearo said:

My only question is if you are familiar with the time frame for Stopdecrypter. I imagine they receive many many requests so my request (I imagine) can take some months? Or is it on the scale of days? 

This ransomware is a bit funny. Quickly figuring out decryption keys can only be done for roughly the first day that a new variant is out. After that, it becomes extremely more difficult. Most people have to wait for a while. For some the creator of STOPDecrypter is able to figure out the keys quicker, but this is completely random, so we can't give a time frame.
