Files encrypted by .TODAR and .LAPOI

[Swarnav 0]

My files got encrypted with .TODAR and .LAPOI extension .

Please Help

[Amigo-A 44]

Quote

.todar and .lapoi extensions

Hello

This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. 
Now on the forum a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. 

You need to attach a ransom note _readme.txt  to the message, or farther act by himself.

@Demonslay335  (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. 

The .todar and .lapoi extensions is added to encrypted files.

These variants were not added to the decrypter a few days ago, because they appeared only yesterday.

Download STOP Decrypter now >>>

I recommend to you start decrypt with a small group of files, but first you need to make copies of these files.

If STOPDecrypter won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter 

[Amigo-A 44]

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

[Swarnav 0]

This is what I got after running STOP Decrypter

 

+] Loaded 59 offline keys
Please archive the following info in case of future decryption:
[*] ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw
[*] ID: mneaFv6qsoloG3BSRWuiOULjQBJDJLQHrQuadMpl
[*] ID: ZivCxija0GBwtwtwD0q4JRy80spT6lUyybPYhot1
[*] MACs: 4C:ED:FB:11:77:1B, 88:78:73:9E:5D:82, 8A:78:73:9E:5D:81, 88:78:73:9E:5D:81
This info has also been logged to STOPDecrypter-log.txt
Selected directory: C:\Users\dasba\OneDrive\Desktop\New folder
Starting decryption...

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-03-03-09-57-02-734.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-03-11-00-06-25-558.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-06-20-14-40-29-599.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-07-15-34-29-971.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-07-15-39-33-310.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-10-15-49-11-156.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

Decrypted 0 files!
Skipped 6 files.

[!] No keys were found for the following IDs:
[*] ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 4C:ED:FB:11:77:1B, 88:78:73:9E:5D:82, 8A:78:73:9E:5D:81, 88:78:73:9E:5D:81
This info has also been logged to STOPDecrypter-log.txt

STOPDecrypter-log.txt

_readme.txt

Edited July 23 by Swarnav
I have added the ransomware note

[Amigo-A 44]

The variant that used the .lapoi extension should be first. 
Do you have files with the extension .lapoi now?

Or are they on another PC?

[Swarnav 0]

Yes...There are some.

Both the extensions are there in the same PC

[Amigo-A 44]

Look for files _readme.txt where in instead numbers under 'Your personal ID: 124***' will be written 'Your personal ID: 123***'

These files and ID refer to files with .lapoi extension and should be in folders with files, which having such a new extension.

Find a few, compare, and if they are the same, attach one file _readme.txt to the message.

[Swarnav 0]

i am attaching some suspicious files while i searched for the files you told about....I couldnt find one.

.escheck.tmp.lapoi .8f2998.todar feature_table.bin.lapoi metadatastore.bin.lapoi .nomedia.lapoi med-res-frame-448185439754432.jpg.lapoi med-res-frame-448185473289432.jpg.lapoi med-res-frame-448185507054432.jpg.lapoi

[Amigo-A 44]

Need a file _readme.txt, in which the ID will contain at the beginning of the number 123.

This is necessary for files that have received an .lapoi extension.

Perhaps the encryption process replaced them with new ones with numbers 124.
Perhaps they may have been renamed to _readme1.txt or _readme2.txt

These 'readme' files should be in folders with files, which having a .lapoi extension.

[Swarnav 0]

The folder where .lapoi files are present...there is no _readme.txt file

[Amigo-A 44]

OK. We will transfer your case to the developer. Perhaps he already knows what to do. In his time zone is now earlier morning. It will be a little later.

Now it's best to check and make sure that no malware  components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

[Swarnav 0]

Please help me solve this problem sir..

I have pictures of my grand mom who died recently which i would never again get.

Please sir...

[Amigo-A 44]

I have already sent a message to the STOP Decrypter's developer (Demonslay335).

Make a FRST log.

https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Do not remove anything yourself. Perhaps the harmful file is still in the system and the STOP Decrypter's developer will need a sample of it.

Perhaps this is the only chance for you.

[Swarnav 0]

These are the FRST log.

FRST.txt Addition.txt

[Swarnav 0]

Sir ..

I sent the log files and some suspicious files.

I backed up all the necessary encrypted files and i will store it in my F drive.I have also zipped them using Win Zip.

But now I have to use the laptop so can i perform a clean installation of the OS and also clean all other drives except the drive containing the infected files???

[Swarnav 0]

SIR I FINALLY FOUND _readme file  WHOSE ID STARTS WITH 123***

I HAVE ATTACHED DIFFERENT FILES FROM DIFFERENT FOLDERS.

_readme.txt

_readme.txt _readme.txt _readme.txt

_readme.txt

_readme.txt

[Amigo-A 44]

Wait. You will be answered by a support specialist.

The logs have information about malicious files. They need to save and transfer to experts. Then you can reinstall the system.

---

The 'readme' files with 123 look the same. For now, leave them in the folders where they were found. The decryption specialist will look at the downloaded files here.

[Demonslay335 12]

Please upload this file to VirusTotal and provide a link here.

C:\Users\dasba\AppData\Local\a8402009-cadb-4977-b8d8-209fe362c63a\2.exe

 

[Swarnav 0]

The file you mentioned above is not there..although the folder is present the '2.exe'   is not there.

I searched it in Malware bytes quarantine but it got deleted.

But I am attaching the report.

dd.txt

Edited July 23 by Swarnav
REPORT ADDED

[Amigo-A 44]

look still

Quote

C:\Users\dasba\AppData\Roaming\Microsoft\Windows\avbtedar\gtbdurjf.exe

 

[Swarnav 0]

This is also empty

[Amigo-A 44]

It could be removed by antivirus.

See the quarantine of Windows Defender and others you used. Only do not clean.

[Swarnav 0]

Yes it might be.

[Amigo-A 44]

Now my time zone went into the night.. Employees will connect to you. 

Good luck!

[Swarnav 0]

I did not get the above files.But I got some other files which might help you.

"C:\Users\dasba\AppData\Local\Temp\csrss\smb\e7.exe"

This is the link

https://www.virustotal.com/gui/file/6300fa9fcef55f5064d158c07ef34a46edf721f32dfe9d8437ab82321613a39b/detection

[GT500 593]

@Swarnav please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/2019-07July-23/Swarnav/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

1. Run the FRST download from earlier, and press the Fix button just once and wait.
2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
   

[Swarnav 0]

Fixlog.txt

[Amigo-A 44]

13 hours ago, Swarnav said:

"C:\Users\dasba\AppData\Local\Temp\csrss\smb\e7.exe"

This may be an auxiliary file that was needed to launch an attack and then encrypt the files or it is some other malware.

[Swarnav 0]

Any new update on my problem?

[GT500 593]

According to the FRST fixlog a lot of the infection had already been removed. FRST appears to have removed the rest, however I recommend running a scan with Emsisoft Emergency Kit to make sure that nothing was missed:
http://www.emsisoft.com/en/software/eek/

[Swarnav 0]

But Sir...Please help me decrypt the files..they were very important to me.😔

[Amigo-A 44]

STOPDecryptor has been updated today.
https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip

/// Alas, I do not have time to check.

 

[GT500 593]

16 hours ago, Swarnav said:

But Sir...Please help me decrypt the files..they were very important to me.😔

If the creator of STOPDecrypter is able to figure out your decryption key, then he'll send it to you. Otherwise, all you can do is wait.

We haven't stopped working on this, however we also have no immediate solution. It's going to take time.

[Swarnav 0]

I tried with the Updated STOPDecrypter ,it did not work.

 

STOPDecrypter-log.txt

[Amigo-A 44]

Dear @Swarnav

We received information from dozens of victims with a similar problem. On their computers as well as you have encrypted files with two .TODAR и .LAPOI extensions. First, the files were encrypted 'online' with a version of the encoder with extension .LAPOI, and then the version of the STOP Ransomware was automatically updated, and the files also 'online' were encrypted with extension .TODAR.

Thus, the one and same ransomware has caused you double harm. 

Michael, the developer of the STOPDecrypter yesterday again updated this software. If now there is no possibility to decrypt your files, then you should wait for the next update of decrypter. 
Michael makes the STOPDecrypter from December 2018. Sometimes he manages to add keys for previous versions, but so far not yet possible to decrypt in some other way. 
If the files are encrypted with an online key, then it is almost impossible to pick up the key and decrypt the files. 
You got double encryption, if it becomes possible to decrypt a part of the files, it will tell you. But so far there is no such possibility. And Michael do not have a "magic wand" to correct the situation.

We can only hope together for a happy occasion. Sometimes it happens...

[Swarnav 0]

Can I now perform a clean installation of my system?

[GT500 593]

11 hours ago, Swarnav said:

I tried with the Updated STOPDecrypter ,it did not work.

That's because your encrypted files don't have an offline ID. The only way to decrypt your files is to supply the proper decryption key, and you'll have to wait until the creator of STOPDecrypter is able to figure out your decryption key and send it to you before you'll be able to do that.

 

5 hours ago, Swarnav said:

Can I now perform a clean installation of my system?

With this particular ransomware it's safe to do that, however please be sure to make backups of all of your files (encrypted or otherwise) as well as the ransom notes and the files in C:\SystemID (there should at least be a file named "PersonalID").

[Amigo-A 44]

12 hours ago, Swarnav said:

Can I now perform a clean installation of my system?

Yes of course. Just need to know to make it really clean install, need to use the official Microsoft Windows software and license key to activate online. All other methods will lead to analogical unpleasant consequences. For example, if there is a legitimate activation key for this PC, but there is no distribution kit, then you can download the image from the Microsoft website, using the key to check the validity and legitimacy.

[Swarnav 0]

Sir Any update on my problem..

Can I get my files decrypted??

[GT500 593]

8 hours ago, Swarnav said:

Sir Any update on my problem..

No, unfortunately there's been no new developments with this ransomware.