sanico

.HERAD Extension File Ransom Virus

Recommended Posts

Hi,

         All my computer files have been infected and the .heard extension has been added to all files.
Attached to the corrupted file and the text file created by the malware was sent for review.
Please help to resolve the problem.
Thank you

_readme1.txt UpdateLock.exe.herad

Share this post


Link to post
Share on other sites

That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to:
https://id-ransomware.malwarehunterteam.com/

While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

 

Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

 

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

Share this post


Link to post
Share on other sites
15 hours ago, sanico said:

The results of your proposed methods are as follows:

1. id-ransomware

2. STOPDecrypter v2.1.0.18

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

Share this post


Link to post
Share on other sites
17 hours ago, sanico said:

Your computer appears to be clean, however I did see signs that an activation bypass for either Windows or Office had previously been installed. I highly recommend removing anything like this, as this particular ransomware comes bundled with things like that.

Also, I noticed software from several different Anti-Virus software companies installed on the computer. I recommend removing all of the software except for one, since having more than one installed can cause issues. Feel free to try free trials from various companies to decide what you like best of course, but I highly recommend only keeping one installed at a time.

Feel free to run a scan with Emsisoft Emergency Kit as well:
http://www.emsisoft.com/en/software/eek/

Share this post


Link to post
Share on other sites

 

Thanks to your efforts and other colleagues,
After getting infected with malware, I tried to use the various recommended software on the same forum for cleanup, and now, according to your advice, I will remove all antiviruses from my computer and install Emsisoft Emergency Kit for the first time.
I hope that you will be able to return my files in the shortest possible time.
Good luck

Share this post


Link to post
Share on other sites

Hello @sanico

So that in the future you will not make such a mistake, you need to read my recommendations. 

This is from your logs.

SpyHunter - this tool will not decrypt files and will not protect against ransomware attacks. Remove first.

Kaspersky Anti-Ransomware Tool for Business 4 is a good tool, it should prevent some ransomware attacks targeted at business users. Installing it after an attack is useless. In any case, it will not replace a full-fledged comprehensive antivirus product. So far I see more PR about him than real work are. Home users need to use Kaspersky Internet Security or Total Security.

HitmanPro is an anti-virus scanner for checking according to your desire, can be used as an additional tool. Will not replace the full comprehensive antivirus product.

GridinSoft Anti-Malware is an anti-virus utility for trial use, in the paid version it is Gridinsoft Internet Security. Fairly weak anti-virus protection, so that I not can be recommended it for full protection against ransomware. So far I see more PR about him than real work are. 

ESET Security - can be recommended as a full-fledged antivirus product, if the protection is legally purchased on the official website or in the online store partners. It is necessary to use only the latest legal version and annually renew the license for use. On the official English website, legal users are helped to decrypt files after the attack of the encryptors.

Zemana AntiMalware is a cloud anti-virus scanner that uses several engines and detection technologies to remove complex threats. Not will replace the full-fledged comprehensive antivirus product.

Malwarebytes Free will not replace a full-fledged comprehensive anti-virus product. You need to upgrade to the paid version of Malwarebytes Premium, which allows you to protect your PC in real time.

6 hours ago, sanico said:

install Emsisoft Emergency Kit for the first time.

Emsisoft Emergency Kit is needed to scan your PC for malware and files. For real-time security, you need to use Emsisoft Anti-Ransomware.

Share this post


Link to post
Share on other sites

@sanico  This is from your logs.

Quote

decrypt_HKCrypt.exe
decrypt_MegaLocker.exe
decrypt_GetCrypt.exe
Anti-CryptorBit
CoinVaultDecryptor 
cryptomix_decryptor.exe

You have tried different decryptors. It is not recommended to use decryptors, that are designed to decrypt files after other crypto-ransomware. It is useless or may damage files.

 

Quote

Kaspersky.Reset.Trial
Kaspersky.Antivirus.2015

Just two mistakes: 
1) using hacking tools to provide AV-protection.
2) using an outdated antivirus product.

Share this post


Link to post
Share on other sites

@sanico  This is from your logs.

Quote

Stellar.Phoenix.Photo.Recovery
MiniTool.Power.Data.Recovery
Stellar Data Recovery Professional
R-Studio
EaseUS Data Recovery
Ontrack EasyRecovery

After the attack of the crypto-ransomware who overwrites the original files with junk or zeros removes shadow copies of the files and the recovery points, of these programs will not help. Moreover, you set (install) the recovery programs on the same disk, where you have the system and where the original files were. This is the most popular mistake.

@sanico 

I hope you will remember it or copy this text, so you don’t make the same mistakes in the future. If you need personal advice, now or in the future, then I'm in touch.

Share this post


Link to post
Share on other sites
6 hours ago, sanico said:

extension .herad

This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. 
Now on the forum a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. 

@Demonslay335  (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. 

Share this post


Link to post
Share on other sites
2 hours ago, Amigo-A said:

This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. 
Now on the forum a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. 

@Demonslay335  (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. 

          Thank you very much for the information you sent. As I said in the previous post, all software related to the recovery, as well as the Trojan, was removed and I only use the Emsisoft Emergency Kit software, and I also installed Emsisoft Anti-Malware software.
Could I hope that damaged files will be retrieved in the near future by your achievements?

Share this post


Link to post
Share on other sites
6 hours ago, sanico said:

Could I hope that damaged files will be retrieved in the near future by your achievements?

Rather, it refers to the developer Demonslay335 >>>

8 hours ago, Amigo-A said:

@Demonslay335  (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. 

He has already updated the STOPDecrypter for the herad-variant with OFFLINE ID: jkO9OpMIRJ4FHeGDM7eK5FwJTcY40YKkizu7Zgt1
I do not see your ID here  that I can say something.
If it contains jkO9OpMIRJ4FHeGDM7eK5FwJTcY40YKkizu7Zgt1, then the files can now be decrypted.
If you have a different ID, then decryption is postponed indefinitely.

Share this post


Link to post
Share on other sites
36 minutes ago, Amigo-A said:

Rather, it refers to the developer Demonslay335 >>>

He has already updated the STOPDecrypter for the herad-variant with OFFLINE ID: jkO9OpMIRJ4FHeGDM7eK5FwJTcY40YKkizu7Zgt1
I do not see your ID here  that I can say something.
If it contains jkO9OpMIRJ4FHeGDM7eK5FwJTcY40YKkizu7Zgt1, then the files can now be decrypted.
If you have a different ID, then decryption is postponed indefinitely.

STOPDecrypter v2.1.0.18
OS Microsoft Windows NT 6.2.9200.0, .NET Framework Version 4.0.30319.42000
----------------------------------------
 
No key for ID: l8W6QXRo2iHXkh0b9xJHq1nBTLlIbeGnxD7av9Y6 (.herad)
Unidentified ID: l8W6QXRo2iHXkh0b9xJHq1nBTLlIbeGnxD7av9Y6 (.herad)
MACs: 30: 85: A9: 9B: BE: 1B, 00: 15: 83: 15: A3: 10
 
Your personal ID:
116Asd3768237Ihsdfl8W6QXRo2iHXkh0b9xJHq1nBTLlIbeGnxD7av9Y6

Share this post


Link to post
Share on other sites
1 hour ago, sanico said:

Your personal ID:
116Asd3768237Ihsdfl8W6QXRo2iHXkh0b9xJHq1nBTLlIbeGnxD7av9Y6

...decryption is postponed indefinitely.  Alas. 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.