Swarnav

Files encrypted by .TODAR and .LAPOI

.todar and .lapoi extensions

Hello

This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017.
Now there are a lot of victims on the forum from different variants of this ransomware. In some cases, the files can be decrypted.

You need to attach the ransom note _readme.txt to the message, or otherwise act further by yourself.

@Demonslay335  (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. 

The .todar and .lapoi extensions are added to encrypted files.

These variants were not added to the decrypter a few days ago, because they appeared only yesterday.

Download STOP Decrypter now >>>

I recommend that you start decrypting with a small group of files, but first you need to make copies of these files.

If STOPDecrypter won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter 


While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.


This is what I got after running STOP Decrypter


[+] Loaded 59 offline keys
Please archive the following info in case of future decryption:
[*] ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw
[*] ID: mneaFv6qsoloG3BSRWuiOULjQBJDJLQHrQuadMpl
[*] ID: ZivCxija0GBwtwtwD0q4JRy80spT6lUyybPYhot1
[*] MACs: 4C:ED:FB:11:77:1B, 88:78:73:9E:5D:82, 8A:78:73:9E:5D:81, 88:78:73:9E:5D:81
This info has also been logged to STOPDecrypter-log.txt
Selected directory: C:\Users\dasba\OneDrive\Desktop\New folder
Starting decryption...

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-03-03-09-57-02-734.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-03-11-00-06-25-558.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-06-20-14-40-29-599.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-07-15-34-29-971.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-07-15-39-33-310.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

[+] File: C:\Users\dasba\OneDrive\Desktop\New folder\2018-07-10-15-49-11-156.jpg.todar
[-] No key for ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )

Decrypted 0 files!
Skipped 6 files.

[!] No keys were found for the following IDs:
[*] ID: lmh5CF4FsVtOlzi0SCFLvW3n6HhzlmgiVu1inkyw (.todar )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 4C:ED:FB:11:77:1B, 88:78:73:9E:5D:82, 8A:78:73:9E:5D:81, 88:78:73:9E:5D:81
This info has also been logged to STOPDecrypter-log.txt

STOPDecrypter-log.txt

_readme.txt

Edited by Swarnav
I have added the ransomware note


The variant that used the .lapoi extension should be first. 
Do you have files with the extension .lapoi now?

Or are they on another PC?


Look for _readme.txt files in which, instead of the numbers in 'Your personal ID: 124***', it is written 'Your personal ID: 123***'.

These files and this ID refer to files with the .lapoi extension and should be in the folders with files that have this new extension.

Find a few, compare them, and if they are the same, attach one _readme.txt file to the message.


We need a _readme.txt file in which the ID begins with the number 123.

This is necessary for the files that have received the .lapoi extension.

Perhaps the encryption process replaced them with new ones with the number 124.
Perhaps they have been renamed to _readme1.txt or _readme2.txt.

These 'readme' files should be in the folders with files that have the .lapoi extension.

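A helper for the triage the two posts above ask the victim to do by hand: find the _readme notes in a directory tree, read the 'Your personal ID' line from each, and record which encrypted-file extensions sit beside each note, so notes whose ID starts with 123 can be matched to the .lapoi folders. This is an added example, not code from the forum or from Emsisoft; it only reads files, and the sample tree and the IDs in it are constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

# Notes may have been renamed (_readme1.txt, _readme2.txt), as the post above says.
NOTE_RE = re.compile(r"^_readme\d*\.txt$", re.IGNORECASE)
# The note line quoted in the thread: "Your personal ID: 123***" / "124***".
ID_RE = re.compile(r"Your personal ID:\s*([A-Za-z0-9]+)")
KNOWN_EXTS = {".todar", ".lapoi"}  # the two extensions discussed in the thread


def parse_note(path):
    """Return the personal ID stated in one ransom note, or None if absent."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = ID_RE.search(fh.read())
    return match.group(1) if match else None


def triage(root):
    """Walk a tree read-only and map each personal ID to the notes carrying it,
    each paired with the encrypted-file extensions found in that note's folder."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        exts = sorted({os.path.splitext(f)[1].lower() for f in files} & KNOWN_EXTS)
        for name in files:
            if NOTE_RE.match(name):
                pid = parse_note(os.path.join(dirpath, name))
                if pid:
                    found[pid].append((os.path.join(dirpath, name), exts))
    return dict(found)


def build_sample():
    """Constructed sample tree (not real victim data): one folder hit first by the
    .lapoi variant (note renamed _readme1.txt, ID 123...) and then by .todar (ID 124...)."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("photo1.jpg.lapoi", "photo2.jpg.todar"):
        open(os.path.join(docs, name), "wb").close()
    notes = {"_readme1.txt": "123CONSTRUCTEDLAPOIIDxxxxxxxxxxxxxxxxxxxxx",
             "_readme.txt": "124CONSTRUCTEDTODARIDxxxxxxxxxxxxxxxxxxxxx"}
    for name, pid in notes.items():
        with open(os.path.join(docs, name), "w", encoding="utf-8") as fh:
            fh.write("ATTENTION!\n...\nYour personal ID:\n%s\n" % pid)
    return root
```

Run `triage(build_sample())` to see both IDs reported from the same folder, which is the double-encryption pattern described later in the thread.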

OK. We will transfer your case to the developer. Perhaps he already knows what to do. In his time zone it is now early morning. It will be a little later.

Now it's best to check and make sure that no malware components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/


Please help me solve this problem sir..

I have pictures of my grandmother who died recently which I would never get again.

Please sir...


I have already sent a message to the STOP Decrypter's developer (Demonslay335).

Make a FRST log.

https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Do not remove anything yourself. Perhaps the harmful file is still in the system and the STOP Decrypter's developer will need a sample of it.

Perhaps this is the only chance for you.


Sir ..

I sent the log files and some suspicious files.

I backed up all the necessary encrypted files and I will store them on my F drive. I have also zipped them using WinZip.

But now I have to use the laptop, so can I perform a clean installation of the OS and also clean all other drives except the drive containing the infected files???


Wait. You will be answered by a support specialist.

The logs have information about malicious files. They need to be saved and transferred to the experts. Then you can reinstall the system.

---

The 'readme' files with 123 look the same. For now, leave them in the folders where they were found. The decryption specialist will look at the downloaded files here.


The file you mentioned above is not there. Although the folder is present, the '2.exe' is not there.

I searched for it in the Malwarebytes quarantine, but it got deleted.

But I am attaching the report.

dd.txt

Edited by Swarnav
REPORT ADDED


Look still:

C:\Users\dasba\AppData\Roaming\Microsoft\Windows\avbtedar\gtbdurjf.exe


It could have been removed by the antivirus.

See the quarantine of Windows Defender and the others you used. Only do not clean it.


Now my time zone has gone into the night. Employees will connect with you.

Good luck!


@Swarnav please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/2019-07July-23/Swarnav/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

13 hours ago, Swarnav said:

"C:\Users\dasba\AppData\Local\Temp\csrss\smb\e7.exe"

This may be an auxiliary file that was needed to launch an attack and then encrypt the files or it is some other malware.


According to the FRST fixlog a lot of the infection had already been removed. FRST appears to have removed the rest, however I recommend running a scan with Emsisoft Emergency Kit to make sure that nothing was missed:
http://www.emsisoft.com/en/software/eek/

16 hours ago, Swarnav said:

But Sir... Please help me decrypt the files. They were very important to me. 😔

If the creator of STOPDecrypter is able to figure out your decryption key, then he'll send it to you. Otherwise, all you can do is wait.

We haven't stopped working on this, however we also have no immediate solution. It's going to take time.


Dear @Swarnav

We received information from dozens of victims with a similar problem. On their computers, as on yours, there are encrypted files with the two extensions .TODAR and .LAPOI. First, the files were encrypted 'online' with a version of the encoder with the extension .LAPOI, and then the version of the STOP Ransomware was automatically updated, and the files were also encrypted 'online' with the extension .TODAR.

Thus, one and the same ransomware has caused you double harm.

Michael, the developer of the STOPDecrypter, yesterday updated this software again. If there is now no possibility to decrypt your files, then you should wait for the next update of the decrypter.
Michael has been making the STOPDecrypter since December 2018. Sometimes he manages to add keys for previous versions, but so far it has not been possible to decrypt in any other way.
If the files are encrypted with an online key, then it is almost impossible to pick up the key and decrypt the files.
You got double encryption; if it becomes possible to decrypt a part of the files, you will be told. But so far there is no such possibility. And Michael does not have a "magic wand" to correct the situation.

We can only hope together for a happy occasion. Sometimes it happens...

11 hours ago, Swarnav said:

I tried with the updated STOPDecrypter, it did not work.

That's because your encrypted files don't have an offline ID. The only way to decrypt your files is to supply the proper decryption key, and you'll have to wait until the creator of STOPDecrypter is able to figure out your decryption key and send it to you before you'll be able to do that.


5 hours ago, Swarnav said:

Can I now perform a clean installation of my system?

With this particular ransomware it's safe to do that, however please be sure to make backups of all of your files (encrypted or otherwise) as well as the ransom notes and the files in C:\SystemID (there should at least be a file named "PersonalID").

12 hours ago, Swarnav said:

Can I now perform a clean installation of my system?

Yes, of course. Just know that to make it a really clean install, you need to use the official Microsoft Windows software and a license key to activate online. All other methods will lead to analogous unpleasant consequences. For example, if there is a legitimate activation key for this PC but there is no distribution kit, then you can download the image from the Microsoft website, using the key to check its validity and legitimacy.

8 hours ago, Swarnav said:

Sir, any update on my problem..

No, unfortunately there have been no new developments with this ransomware.
