.lapoi extension

Hello

This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. 
There are now a lot of victims of different variants of this ransomware on the forum. In some cases, the files can be decrypted. 

You need to attach the ransom note _readme.txt to your message, or otherwise proceed on your own.

@Demonslay335  (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. 

This is a new variant and it has not yet been added to the STOPDecrypter.
It is possible that this will be done in the near future, but the STOPDecrypter's developer needs a sample of the malicious file. If you scanned your PC with an anti-virus system, do not clear the quarantine until you show it to our specialists. 

=======================

This is for the future, when there will be support for this variant of STOP ransomware. It can be today, tomorrow or later.

Download STOP Decrypter now >>>

I recommend that you start decrypting with a small group of files, but first you need to make copies of these files.

If STOPDecrypter won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter 

A decryption specialist will record your information.

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

Hi;

Need help: my laptop has been affected by the .lapoi virus and all my files have the .lapoi extension. I re-installed my laptop and kept all the affected documents.

1 hour ago, Leon79 said:

Hi;

Need help: my laptop has been affected by the .lapoi virus and all my files have the .lapoi extension. I re-installed my laptop and kept all the affected documents.

That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to:
https://id-ransomware.malwarehunterteam.com/

While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

Dear sir,
I am using that software but it did not recover my data.
Update to STOPDecrypter v2.1.0.20 with more OFFLINE keys.
OFFLINE ID: ZivCxija0GBwtwtwD0q4JRy80spT6lUyybPYhot1
Extensions: .lapoi
OFFLINE ID: Q2fNGjIEoR7J8UnURFiIH13JGa23UqaNUDz4ret1
Extensions: .todar
I checked my files in ID Ransomware - Identify What Ransomware Encrypted Your Files
Result:
 This ransomware may be decryptable under certain circumstances.

Please refer to the appropriate guide for more information.
Identified by

ransomnote_email: [email protected]
sample_extension: .todar
sample_bytes: [0xC8B5 - 0xC8CF] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D
Click here for more information about STOP (Djvu)
Please help me, please.
Please.
My data is not decrypted.

I added experts to the conversation to transfer your data for analysis - here and in PM

19 hours ago, rizwanigf2011 said:

My data is not decrypted.

Please follow the instructions I posted above for running STOPDecrypter to get your ID and MAC addresses, and post the information in a reply for me to review.

[+] Loaded 64 offline keys
Please archive the following info in case of future decryption:
[*] MACs: D0:BF:9C:9B:F0:3E, 76:29:AF:EF:05:C1, 74:29:AF:EF:05:C1, 74:29:AF:EF:05:C2
This info has also been logged to STOPDecrypter-log.txt

18 hours ago, Leon79 said:

[+] Loaded 64 offline keys
Please archive the following info in case of future decryption:
[*] MACs: D0:BF:9C:9B:F0:3E, 76:29:AF:EF:05:C1, 74:29:AF:EF:05:C1, 74:29:AF:EF:05:C2
This info has also been logged to STOPDecrypter-log.txt

That's missing your ID. Could you attach the STOPDecrypter log file to a reply so I can take a look at it?

[+] Loaded 64 offline keys
Please archive the following info in case of future decryption:
[*] MACs: D0:BF:9C:9B:F0:3E, 76:29:AF:EF:05:C1, 76:29:AF:EF:0D:C1, 74:29:AF:EF:05:C1, 74:29:AF:EF:05:C2
This info has also been logged to STOPDecrypter-log.txt
Selected directory: D:\Pictures
Starting decryption...

[+] File: D:\Pictures\115225_4162125_659311_image.jpg.lapoi
[-] No key for ID: o0pGIShgdzcoYdIu1d7DkoChMpfq5ZayvJPrpfwq (.lapoi )

...

Decrypted 0 files!
Skipped 771 files.

[!] No keys were found for the following IDs:
[*] ID: o0pGIShgdzcoYdIu1d7DkoChMpfq5ZayvJPrpfwq (.lapoi )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: D0:BF:9C:9B:F0:3E, 76:29:AF:EF:05:C1, 76:29:AF:EF:0D:C1, 74:29:AF:EF:05:C1, 74:29:AF:EF:05:C2
This info has also been logged to STOPDecrypter-log.txt

_readme.txt 2013-09-10 03.35.28.jpg.lapoi

Edited by GT500
Removed redundant lines from log.

13 hours ago, Leon79 said:

[!] No keys were found for the following IDs:
[*] ID: o0pGIShgdzcoYdIu1d7DkoChMpfq5ZayvJPrpfwq (.lapoi )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: D0:BF:9C:9B:F0:3E, 76:29:AF:EF:05:C1, 76:29:AF:EF:0D:C1, 74:29:AF:EF:05:C1, 74:29:AF:EF:05:C2
This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

BTW: The contents of the STOPDecrypter log that you pasted into your post was 2,328 lines. I removed most of it so that it's easier to scroll through the topic. ;)
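
Because the pasted log in this thread ran to 2,328 lines while only the ID and MAC addresses were needed, the following added example (not part of any post above and not STOPDecrypter's own code) reduces a log in that format to the unique IDs, extensions, MACs and totals. The sample log, IDs and MAC addresses are constructed placeholders, and the `t1` suffix check for offline IDs is an assumption based on the two offline IDs quoted earlier in the thread.

```python
import re

# Constructed sample in the STOPDecrypter log format quoted in this thread.
# The IDs and MAC addresses are placeholders, not values from any real system.
SAMPLE_LOG = r"""[+] Loaded 64 offline keys
Selected directory: D:\Pictures
Starting decryption...
[+] File: D:\Pictures\a.jpg.lapoi
[-] No key for ID: EXAMPLEonlineID0000000000000000000000000 (.lapoi )
[+] File: D:\Pictures\b.jpg.lapoi
[-] No key for ID: EXAMPLEonlineID0000000000000000000000000 (.lapoi )
[+] File: D:\Pictures\c.jpg.todar
[-] No key for ID: EXAMPLEofflineID00000000000000000000000t1 (.todar )
Decrypted 0 files!
Skipped 3 files.
[*] MACs: 00:00:5E:00:53:01, 00:00:5e:00:53:02, 00:00:5E:00:53:01
"""

ID_RE = re.compile(r"\bID:\s*(\S+)\s*\((\.\w+)\s*\)")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
COUNT_RE = re.compile(r"^(Decrypted|Skipped) (\d+) files")


def summarize(log_text):
    """Reduce a long log to the unique IDs, MACs and totals a helper asks for."""
    ids, macs, counts = {}, [], {}
    for line in log_text.splitlines():
        line = line.strip()
        m = ID_RE.search(line)
        if m:  # same ID repeats once per file; keep it once with its extensions
            ids.setdefault(m.group(1), set()).add(m.group(2))
        if "MACs:" in line:
            for mac in MAC_RE.findall(line):
                if mac.upper() not in macs:  # de-duplicate, keep first-seen order
                    macs.append(mac.upper())
        c = COUNT_RE.match(line)
        if c:
            counts[c.group(1).lower()] = int(c.group(2))
    return {"ids": ids, "macs": macs, "counts": counts}


def looks_offline(victim_id):
    # Assumption: offline IDs end in "t1", as both offline IDs quoted in the thread do.
    return victim_id.endswith("t1")


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for vid, exts in sorted(s["ids"].items()):
        kind = "offline" if looks_offline(vid) else "online"
        print(f"ID: {vid} {sorted(exts)} ({kind})")
    print("MACs:", ", ".join(s["macs"]))
    print("Totals:", s["counts"])
```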
