Swarnav, posted July 23, 2019:
My files got encrypted with the .TODAR and .LAPOI extensions. Please help.
Amigo-A, posted July 23, 2019:
Quote: .todar and .lapoi extensions
Hello. This is the result of a STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. There are now a lot of victims on the forum from different variants of this ransomware. In some cases the files can be decrypted. You need to attach the ransom note _readme.txt to your message, or proceed further by yourself. @Demonslay335 (the developer of STOPDecrypter) collects information from the victims, records the data and tries to update STOPDecrypter. After that, victims can try to decrypt their files. A positive result and a lucky chance are not always possible. The .todar and .lapoi extensions are added to encrypted files. These variants were not added to the decrypter a few days ago because they only appeared yesterday. Download STOP Decrypter now >>> I recommend that you start decrypting with a small group of files, but first make copies of these files. If STOPDecrypter isn't able to recover your files yet, it can still be used to get information that may help the creator of STOPDecrypter figure out your decryption key. Here is a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
Amigo-A, posted July 23, 2019:
While most ransomware will automatically delete itself after it finishes encrypting files, some variants are now leaving behind components on the computers they infect that will encrypt any new files saved and will re-encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
Swarnav, posted July 23, 2019 (edited):
This is what I got after running STOP Decrypter:

[+] Loaded 59 offline keys
Please archive the following info in case of future decryption:
[*] ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw
[*] ID: mneaFv6qsoloG3BSRWuiOULjQBJDJLQHrQuadMpl
[*] ID: ZivCxija0GBwtwtwD0q4JRy80spT6lUyybPYhot1
[*] MACs: 4C:ED:FB:11:77:1B, 88:78:73:9E:5D:82, 8A:78:73:9E:5D:81, 88:78:73:9E:5D:81
This info has also been logged to STOPDecrypter-log.txt
Selected directory: C:\Users\dasba\OneDrive\Desktop\New folder
Starting decryption...
[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-03-03-09-57-02-734.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-03-11-00-06-25-558.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-06-20-14-40-29-599.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-07-15-34-29-971.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-07-15-39-33-310.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-10-15-49-11-156.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
Decrypted 0 files! Skipped 6 files.
[!] No keys were found for the following IDs:
[*] ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 4C:ED:FB:11:77:1B, 88:78:73:9E:5D:82, 8A:78:73:9E:5D:81, 88:78:73:9E:5D:81
This info has also been logged to STOPDecrypter-log.txt

Attachments: STOPDecrypter-log.txt, _readme.txt
Edited July 23, 2019 by Swarnav: I have added the ransomware note.
Amigo-A, posted July 23, 2019:
The variant that used the .lapoi extension should be first. Do you have files with the .lapoi extension now? Or are they on another PC?
Swarnav, posted July 23, 2019:
Yes, there are some. Both extensions are there on the same PC.
Amigo-A, posted July 23, 2019:
Look for the _readme.txt files in which, instead of the number under 'Your personal ID: 124***', 'Your personal ID: 123***' is written. These files and this ID refer to the files with the .lapoi extension and should be in the folders with the files that have such a new extension. Find a few, compare them, and if they are the same, attach one _readme.txt file to the message.
Swarnav, posted July 23, 2019:
I am attaching some suspicious files I found while I searched for the files you told me about. I couldn't find one.
Attachments: .escheck.tmp.lapoi, .8f2998.todar, feature_table.bin.lapoi, metadatastore.bin.lapoi, .nomedia.lapoi, med-res-frame-448185439754432.jpg.lapoi, med-res-frame-448185473289432.jpg.lapoi, med-res-frame-448185507054432.jpg.lapoi
Amigo-A, posted July 23, 2019:
I need a _readme.txt file in which the ID begins with the number 123. This is necessary for the files that received the .lapoi extension. Perhaps the encryption process replaced them with new ones with the number 124. Perhaps they may have been renamed to _readme1.txt or _readme2.txt. These 'readme' files should be in the folders with the files that have the .lapoi extension.
Swarnav, posted July 23, 2019:
In the folder where the .lapoi files are present, there is no _readme.txt file.
Amigo-A, posted July 23, 2019:
OK. We will transfer your case to the developer. Perhaps he already knows what to do. In his time zone it is now early morning, so it will be a little later. Now it's best to check and make sure that no malware components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
Swarnav, posted July 23, 2019:
Please help me solve this problem, sir. I have pictures of my grandmother, who died recently, which I would never get again. Please, sir...
Amigo-A, posted July 23, 2019:
I have already sent a message to the STOP Decrypter developer (Demonslay335). Make an FRST log: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
Do not remove anything yourself. Perhaps the harmful file is still in the system, and the STOP Decrypter developer will need a sample of it. Perhaps this is the only chance for you.
Swarnav, posted July 23, 2019:
These are the FRST logs.
Attachments: FRST.txt, Addition.txt
Swarnav, posted July 23, 2019:
Sir, I sent the log files and some suspicious files. I backed up all the necessary encrypted files and I will store them on my F drive. I have also zipped them using WinZip. But now I have to use the laptop, so can I perform a clean installation of the OS and also clean all the other drives except the drive containing the infected files?
Swarnav, posted July 23, 2019:
SIR, I FINALLY FOUND A _readme FILE WHOSE ID STARTS WITH 123***. I HAVE ATTACHED DIFFERENT FILES FROM DIFFERENT FOLDERS.
Attachments: six _readme.txt files
Amigo-A, posted July 23, 2019:
Wait. You will be answered by a support specialist. The logs have information about malicious files. They need to be saved and transferred to the experts. Then you can reinstall the system.
---
The 'readme' files with 123 look the same. For now, leave them in the folders where they were found. The decryption specialist will look at the files uploaded here.
Demonslay335, posted July 23, 2019:
Please upload this file to VirusTotal and provide a link here: C:\Users\dasba\AppData\Local\a8402009-cadb-4977-b8d8-209fe362c63a\2.exe
Swarnav, posted July 23, 2019 (edited):
The file you mentioned above is not there; although the folder is present, the '2.exe' is not there. I searched for it in the Malwarebytes quarantine, but it got deleted. But I am attaching the report.
Attachment: dd.txt
Edited July 23, 2019 by Swarnav: report added.
Amigo-A, posted July 23, 2019:
Also look for this one:
Quote: C:\Users\dasba\AppData\Roaming\Microsoft\Windows\avbtedar\gtbdurjf.exe
Swarnav, posted July 23, 2019:
This is also empty.
Amigo-A, posted July 23, 2019:
It could have been removed by an antivirus. Check the quarantine of Windows Defender and of the others you used. Only do not clean it.
Swarnav, posted July 23, 2019:
Yes, it might be.
Amigo-A, posted July 23, 2019:
Now my time zone has gone into the night. Employees will connect with you. Good luck!
Swarnav, posted July 23, 2019:
I did not get the above files, but I got some other files which might help you.
"C:\Users\dasba\AppData\Local\Temp\csrss\smb\e7.exe"
This is the link: https://www.virustotal.com/gui/file/6300fa9fcef55f5064d158c07ef34a46edf721f32dfe9d8437ab82321613a39b/detection
GT500, posted July 23, 2019:
@Swarnav please download the following fixlist.txt file and save it to the Desktop: https://www.gt500.org/emsisoft/fixlist/2019-07July-23/Swarnav/fixlist.txt
NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location, or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.
Run the FRST download from earlier, press the Fix button just once, and wait. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that, let the tool complete anything it still needs to do. When finished, FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
Swarnav, posted July 24, 2019:
Attachment: Fixlog.txt
Amigo-A, posted July 24, 2019:
13 hours ago, Swarnav said: "C:\Users\dasba\AppData\Local\Temp\csrss\smb\e7.exe"
This may be an auxiliary file that was needed to launch the attack and then encrypt the files, or it is some other malware.
Swarnav, posted July 24, 2019:
Any new update on my problem?
GT500, posted July 24, 2019:
According to the FRST fixlog, a lot of the infection had already been removed. FRST appears to have removed the rest; however, I recommend running a scan with Emsisoft Emergency Kit to make sure that nothing was missed: http://www.emsisoft.com/en/software/eek/
Swarnav, posted July 25, 2019:
But sir, please help me decrypt the files. They were very important to me. 😔
Amigo-A, posted July 25, 2019:
STOPDecrypter has been updated today: https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
/// Alas, I do not have time to check it.
GT500, posted July 26, 2019:
16 hours ago, Swarnav said: But sir, please help me decrypt the files. They were very important to me. 😔
If the creator of STOPDecrypter is able to figure out your decryption key, then he'll send it to you. Otherwise, all you can do is wait. We haven't stopped working on this; however, we also have no immediate solution. It's going to take time.
Swarnav, posted July 26, 2019:
I tried with the updated STOPDecrypter; it did not work.
Attachment: STOPDecrypter-log.txt
Amigo-A, posted July 26, 2019:
Dear @Swarnav,
We received information from dozens of victims with a similar problem. On their computers, as on yours, there are encrypted files with the two extensions .TODAR and .LAPOI. First, the files were encrypted 'online' with a version of the encoder using the .LAPOI extension, and then the version of the STOP Ransomware was automatically updated, and the files were again encrypted 'online' with the .TODAR extension. Thus, one and the same ransomware has caused you double harm. Michael, the developer of STOPDecrypter, again updated this software yesterday. If there is now no possibility to decrypt your files, then you should wait for the next update of the decrypter. Michael has been making STOPDecrypter since December 2018. Sometimes he manages to add keys for previous versions, but so far it has not been possible to decrypt in any other way. If the files are encrypted with an online key, then it is almost impossible to recover the key and decrypt the files. You got double encryption; if it becomes possible to decrypt a part of the files, you will be told. But so far there is no such possibility, and Michael does not have a "magic wand" to correct the situation. We can only hope together for a happy occasion. Sometimes it happens...
Swarnav, posted July 26, 2019:
Can I now perform a clean installation of my system?
GT500, posted July 26, 2019:
11 hours ago, Swarnav said: I tried with the updated STOPDecrypter; it did not work.
That's because your encrypted files don't have an offline ID. The only way to decrypt your files is to supply the proper decryption key, and you'll have to wait until the creator of STOPDecrypter is able to figure out your decryption key and send it to you before you'll be able to do that.
5 hours ago, Swarnav said: Can I now perform a clean installation of my system?
With this particular ransomware it's safe to do that; however, please be sure to make backups of all of your files (encrypted or otherwise) as well as the ransom notes and the files in C:\SystemID (there should at least be a file named "PersonalID").
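The offline-versus-online ID distinction GT500 draws above, worked as an added triage script that is not part of this thread or of STOPDecrypter: it parses STOPDecrypter-style output of the shape Swarnav posted and reports, per personal ID, whether it carries the "t1" suffix that the STOP/Djvu decryptor documentation uses to mark offline IDs (an assumption taken from that documentation, not stated in this thread), which extensions it covers, and how many files stayed encrypted for lack of a key. The sample log is constructed from the IDs and extensions quoted in the thread; the pairing of the second ID with .lapoi is assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the output posted above: the IDs and
# extensions are from this thread, names are shortened, ID/.lapoi pairing assumed.
SAMPLE_LOG = r"""
[+] Loaded 59 offline keys
[*] ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw
[*] ID: mneaFv6qsoloG3BSRWuiOULjQBJDJLQHrQuadMpl
[*] ID: ZivCxija0GBwtwtwD0q4JRy80spT6lUyybPYhot1
[+] File: C:\Users\dasba\Desktop\New folder\a.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
[+] File: C:\Users\dasba\Desktop\New folder\b.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
[+] File: C:\Users\dasba\Desktop\New folder\c.jpg.lapoi
[-] No key for ID: mneaFv6qsoloG3BSRWuiOULjQBJDJLQHrQuadMpl (.lapoi )
Decrypted 0 files! Skipped 3 files.
[*] ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
"""

# The STOP/Djvu decryptor documentation marks offline IDs with a trailing "t1"
# (assumption from that documentation, not this thread); only those can match a key database.
OFFLINE_SUFFIX = "t1"

ID_LINE = re.compile(r"^\[\*\] ID: (\S+)")
NOKEY_LINE = re.compile(r"^\[-\] No key for ID: (\S+) \((\.\w+) \)")
SUMMARY = re.compile(r"Decrypted (\d+) files! Skipped (\d+) files")

def is_offline_id(personal_id: str) -> bool:
    return personal_id.endswith(OFFLINE_SUFFIX)

def parse_log(text: str) -> dict:
    """IDs (deduplicated, in order), per-ID/extension 'no key' counts, summary."""
    ids, no_key = [], defaultdict(lambda: defaultdict(int))
    decrypted = skipped = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ID_LINE.match(line):
            if m.group(1) not in ids:
                ids.append(m.group(1))
        elif m := NOKEY_LINE.match(line):
            no_key[m.group(1)][m.group(2)] += 1
        elif m := SUMMARY.search(line):
            decrypted, skipped = int(m.group(1)), int(m.group(2))
    return {"ids": ids, "no_key": no_key, "decrypted": decrypted, "skipped": skipped}

def triage(text: str) -> list:
    """One record per ID: offline/online, extensions affected, files still encrypted."""
    parsed = parse_log(text)
    return [{"id": pid,
             "kind": "offline" if is_offline_id(pid) else "online",
             "extensions": sorted(parsed["no_key"].get(pid, {})),
             "undecrypted": sum(parsed["no_key"].get(pid, {}).values())}
            for pid in parsed["ids"]]
```

Run on the thread's own output, the "No key" IDs all come out as online, which is exactly why a key database update cannot help until the key itself is recovered.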
Amigo-A, posted July 27, 2019:
12 hours ago, Swarnav said: Can I now perform a clean installation of my system?
Yes, of course. Just know that to make it a really clean install, you need to use the official Microsoft Windows software and a license key to activate online. All other methods will lead to analogous unpleasant consequences. For example, if there is a legitimate activation key for this PC but no installation media, then you can download the image from the Microsoft website, using the key to check its validity and legitimacy.
Swarnav, posted August 21, 2019:
Sir, any update on my problem? Can I get my files decrypted?
GT500, posted August 22, 2019:
8 hours ago, Swarnav said: Sir, any update on my problem?
No, unfortunately there have been no new developments with this ransomware.