Jump to content

Files encrypted by .TODAR and .LAPOI

Swarnav

By Swarnav,
in Help, my files are encrypted!

 Share Followers 2

Recommended Posts

Amigo-A

Amigo-A 136

Posted
Posted
Quote

.todar and .lapoi extensions

Hello

This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. 
Now on the forum a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. 

You need to attach a ransom note _readme.txt  to the message, or farther act by himself.

@Demonslay335  (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. 

The .todar and .lapoi extensions is added to encrypted files.

These variants were not added to the decrypter a few days ago, because they appeared only yesterday.

Download STOP Decrypter now >>>

I recommend to you start decrypt with a small group of files, but first you need to make copies of these files.

If STOPDecrypter won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter 

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

Link to post
Share on other sites
Swarnav

Swarnav 0

Posted
  • Author
Posted (edited)

This is what I got after running STOP Decrypter

 

+] Loaded 59 offline keys
Please archive the following info in case of future decryption:
[*] ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw
[*] ID: mneaFv6qsoloG3BSRWuiOULjQBJDJLQHrQuadMpl
[*] ID: ZivCxija0GBwtwtwD0q4JRy80spT6lUyybPYhot1
[*] MACs: 4C:ED:FB:11:77:1B, 88:78:73:9E:5D:82, 8A:78:73:9E:5D:81, 88:78:73:9E:5D:81
This info has also been logged to STOPDecrypter-log.txt
Selected directory: C:\Users\dasba\OneDrive\Desktop\New folder
Starting decryption...

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-03-03-09-57-02-734.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-03-11-00-06-25-558.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-06-20-14-40-29-599.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-07-15-34-29-971.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-07-15-39-33-310.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-10-15-49-11-156.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

Decrypted 0 files!
Skipped 6 files.

[!] No keys were found for the following IDs:
[*] ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 4C:ED:FB:11:77:1B, 88:78:73:9E:5D:82, 8A:78:73:9E:5D:81, 88:78:73:9E:5D:81
This info has also been logged to STOPDecrypter-log.txt

STOPDecrypter-log.txt

_readme.txt

Edited by Swarnav
I have added the ransomware note
Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

Look for files _readme.txt where in instead numbers under 'Your personal ID: 124***' will be written 'Your personal ID: 123***'

These files and ID refer to files with .lapoi extension and should be in folders with files, which having such a new extension.

Find a few, compare, and if they are the same, attach one file _readme.txt to the message.

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

Need a file _readme.txt, in which the ID will contain at the beginning of the number 123.

This is necessary for files that have received an .lapoi extension.

Perhaps the encryption process replaced them with new ones with numbers 124.
Perhaps they may have been renamed to _readme1.txt or _readme2.txt

These 'readme' files should be in folders with files, which having a .lapoi extension.

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

OK. We will transfer your case to the developer. Perhaps he already knows what to do. In his time zone is now earlier morning. It will be a little later.

Now it's best to check and make sure that no malware  components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

I have already sent a message to the STOP Decrypter's developer (Demonslay335).

Make a FRST log.

https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Do not remove anything yourself. Perhaps the harmful file is still in the system and the STOP Decrypter's developer will need a sample of it.

Perhaps this is the only chance for you.

Link to post
Share on other sites
Swarnav

Swarnav 0

Posted
  • Author
Posted

Sir ..

I sent the log files and some suspicious files.

I backed up all the necessary encrypted files and i will store it in my F drive.I have also zipped them using Win Zip.

But now I have to use the laptop so can i perform a clean installation of the OS and also clean all other drives except the drive containing the infected files???

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

Wait. You will be answered by a support specialist.

The logs have information about malicious files. They need to save and transfer to experts. Then you can reinstall the system.

---

The 'readme' files with 123 look the same. For now, leave them in the folders where they were found. The decryption specialist will look at the downloaded files here.

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted

@Swarnav please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/2019-07July-23/Swarnav/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted
13 hours ago, Swarnav said:

"C:\Users\dasba\AppData\Local\Temp\csrss\smb\e7.exe"

This may be an auxiliary file that was needed to launch an attack and then encrypt the files or it is some other malware.

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
16 hours ago, Swarnav said:

But Sir...Please help me decrypt the files..they were very important to me.😔

If the creator of STOPDecrypter is able to figure out your decryption key, then he'll send it to you. Otherwise, all you can do is wait.

We haven't stopped working on this, however we also have no immediate solution. It's going to take time.

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

Dear @Swarnav

We received information from dozens of victims with a similar problem. On their computers as well as you have encrypted files with two .TODAR и .LAPOI extensions. First, the files were encrypted 'online' with a version of the encoder with extension .LAPOI, and then the version of the STOP Ransomware was automatically updated, and the files also 'online' were encrypted with extension .TODAR.

Thus, the one and same ransomware has caused you double harm. 

Michael, the developer of the STOPDecrypter yesterday again updated this software. If now there is no possibility to decrypt your files, then you should wait for the next update of decrypter. 
Michael makes the STOPDecrypter from December 2018. Sometimes he manages to add keys for previous versions, but so far not yet possible to decrypt in some other way. 
If the files are encrypted with an online key, then it is almost impossible to pick up the key and decrypt the files. 
You got double encryption, if it becomes possible to decrypt a part of the files, it will tell you. But so far there is no such possibility. And Michael do not have a "magic wand" to correct the situation.

We can only hope together for a happy occasion. Sometimes it happens...

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
11 hours ago, Swarnav said:

I tried with the Updated STOPDecrypter ,it did not work.

That's because your encrypted files don't have an offline ID. The only way to decrypt your files is to supply the proper decryption key, and you'll have to wait until the creator of STOPDecrypter is able to figure out your decryption key and send it to you before you'll be able to do that.

 

5 hours ago, Swarnav said:

Can I now perform a clean installation of my system?

With this particular ransomware it's safe to do that, however please be sure to make backups of all of your files (encrypted or otherwise) as well as the ransom notes and the files in C:\SystemID (there should at least be a file named "PersonalID").

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted
12 hours ago, Swarnav said:

Can I now perform a clean installation of my system?

Yes of course. Just need to know to make it really clean install, need to use the official Microsoft Windows software and license key to activate online. All other methods will lead to analogical unpleasant consequences. For example, if there is a legitimate activation key for this PC, but there is no distribution kit, then you can download the image from the Microsoft website, using the key to check the validity and legitimacy.

Link to post
Share on other sites
  • 4 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Followers 2
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 01/16/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...