brunokitano Posted July 23, 2019

My pc got infected with the lapoi ransomware

Amigo-A Posted July 24, 2019

> .lapoi extension

Hello

This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. There are now a lot of victims on the forum from different variants of this ransomware. In some cases, the files can be decrypted.

You need to attach a ransom note _readme.txt to the message, or act further on your own.

@Demonslay335 (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible.

This is a new variant and it has not yet been added to the STOPDecrypter. It is possible that this will be done in the near future, but the STOPDecrypter's developer needs a sample of the malicious file. If you scanned the PC with an anti-virus system, do not clear the quarantine until you show it to our specialists.

=======================

This is for the future, when there will be support for this variant of STOP ransomware. It can be today, tomorrow or later.

Download STOP Decrypter now >>>

I recommend that you start decrypting with a small group of files, but first you need to make copies of these files.

If STOPDecrypter won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

A decryption specialist will record your information.

Amigo-A Posted July 24, 2019

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

Leon79 Posted July 26, 2019

Hi; need help, my laptop has been affected with the .lapoi virus and all my files have the .lapoi extension. I re-installed my laptop and kept all the affected documents.

GT500 Posted July 26, 2019

1 hour ago, Leon79 said:
> Hi; need help, my laptop has been affected with the .lapoi virus and all my files have the .lapoi extension. I re-installed my laptop and kept all the affected documents.

That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to:
https://id-ransomware.malwarehunterteam.com/

While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

rizwanigf2011 Posted July 27, 2019

Dear sir, I am using that software but it did not recover my data.

Update to STOPDecrypter v2.1.0.20 with more OFFLINE keys.
OFFLINE ID: ZivCxija0GBwtwtwD0q4JRy80spT6lUyybPYhot1
Extensions: .lapoi
OFFLINE ID: Q2fNGjIEoR7J8UnURFiIH13JGa23UqaNUDz4ret1
Extensions: .todar

I checked my files in ID Ransomware - Identify What Ransomware Encrypted Your Files. Result:

This ransomware may be decryptable under certain circumstances.
Please refer to the appropriate guide for more information.
Identified by
ransomnote_email: [email protected]
sample_extension: .todar
sample_bytes: [0xC8B5 - 0xC8CF] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D
Click here for more information about STOP (Djvu)

Please help me, please, please, my data is not decrypted.

Amigo-A Posted July 27, 2019

I added experts to the conversation to transfer your data for analysis - here and in PM

GT500 Posted July 28, 2019

19 hours ago, rizwanigf2011 said:
> my data is not decrypted

Please follow the instructions I posted above for running STOPDecrypter to get your ID and MAC addresses, and post the information in a reply for me to review.

Leon79 Posted July 31, 2019

[+] Loaded 64 offline keys
Please archive the following info in case of future decryption:
[*] MACs: D0:BF:9C:9B:F0:3E, 76:29:AF:EF:05:C1, 74:29:AF:EF:05:C1, 74:29:AF:EF:05:C2
This info has also been logged to STOPDecrypter-log.txt

Leon79 Posted July 31, 2019

Good day. These are the files after I ran FRST.

Addition.txt
FRST.txt

GT500 Posted August 1, 2019

18 hours ago, Leon79 said:
> [+] Loaded 64 offline keys
> Please archive the following info in case of future decryption:
> [*] MACs: D0:BF:9C:9B:F0:3E, 76:29:AF:EF:05:C1, 74:29:AF:EF:05:C1, 74:29:AF:EF:05:C2
> This info has also been logged to STOPDecrypter-log.txt

That's missing your ID. Could you attach the STOPDecrypter log file to a reply so I can take a look at it?

GT500 Posted August 1, 2019

18 hours ago, Leon79 said:
> These are the files after I ran FRST.
> Addition.txt
> FRST.txt

At first glance I'm not seeing any obvious signs of infection, however I do recommend only having one Anti-Virus software installed at a time.

Leon79 Posted August 5, 2019 (edited)

[+] Loaded 64 offline keys
Please archive the following info in case of future decryption:
[*] MACs: D0:BF:9C:9B:F0:3E, 76:29:AF:EF:05:C1, 76:29:AF:EF:0D:C1, 74:29:AF:EF:05:C1, 74:29:AF:EF:05:C2
This info has also been logged to STOPDecrypter-log.txt
Selected directory: D:\Pictures
Starting decryption...
[+] File: D:\Pictures\115225_4162125_659311_image.jpg.lapoi
[-] No key for ID: o0pGIShgdzcoYdIu1d7DkoChMpfq5ZayvJPrpfwq (.lapoi )
...
Decrypted 0 files!
Skipped 771 files.
[!] No keys were found for the following IDs:
[*] ID: o0pGIShgdzcoYdIu1d7DkoChMpfq5ZayvJPrpfwq (.lapoi )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: D0:BF:9C:9B:F0:3E, 76:29:AF:EF:05:C1, 76:29:AF:EF:0D:C1, 74:29:AF:EF:05:C1, 74:29:AF:EF:05:C2
This info has also been logged to STOPDecrypter-log.txt

_readme.txt
2013-09-10 03.35.28.jpg.lapoi

Edited August 6, 2019 by GT500: Removed redundant lines from log.

GT500 Posted August 6, 2019

13 hours ago, Leon79 said:
> [!] No keys were found for the following IDs:
> [*] ID: o0pGIShgdzcoYdIu1d7DkoChMpfq5ZayvJPrpfwq (.lapoi )
> Please archive these IDs and the following MAC addresses in case of future decryption:
> [*] MACs: D0:BF:9C:9B:F0:3E, 76:29:AF:EF:05:C1, 76:29:AF:EF:0D:C1, 74:29:AF:EF:05:C1, 74:29:AF:EF:05:C2
> This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.

BTW: The contents of the STOPDecrypter log that you pasted into your post was 2,328 lines. I removed most of it so that it's easier to scroll through the topic.

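Added example, not part of any post in this thread and not STOPDecrypter's own code: a short Python script that reduces a long STOPDecrypter log to the unique IDs and MAC addresses the helpers ask for. The line shapes are taken from the log pasted above; the sample file names, the function names and the "t1" heuristic (both OFFLINE IDs quoted earlier in the thread end in "t1") are assumptions.

```python
import re

# Line shapes copied from the STOPDecrypter output pasted in this thread.
ID_RE = re.compile(r"ID:\s*([A-Za-z0-9]+)\s*\(\s*(\.\w+)\s*\)")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")

# Constructed sample: the ID and MACs are the ones posted above,
# the file names a.jpg / b.jpg are made up.
SAMPLE_LOG = """\
[+] Loaded 64 offline keys
[*] MACs: D0:BF:9C:9B:F0:3E, 76:29:AF:EF:05:C1
[+] File: D:\\Pictures\\a.jpg.lapoi
[-] No key for ID: o0pGIShgdzcoYdIu1d7DkoChMpfq5ZayvJPrpfwq (.lapoi )
[+] File: D:\\Pictures\\b.jpg.lapoi
[-] No key for ID: o0pGIShgdzcoYdIu1d7DkoChMpfq5ZayvJPrpfwq (.lapoi )
[!] No keys were found for the following IDs:
[*] ID: o0pGIShgdzcoYdIu1d7DkoChMpfq5ZayvJPrpfwq (.lapoi )
[*] MACs: D0:BF:9C:9B:F0:3E, 76:29:AF:EF:05:C1
"""


def summarize_log(text):
    """Return unique (id, extension) pairs and MACs in first-seen order."""
    ids, macs = {}, {}
    for line in text.splitlines():
        for m in ID_RE.finditer(line):
            ids.setdefault((m.group(1), m.group(2)), None)
        if "MACs:" in line:
            for mac in MAC_RE.findall(line):
                macs.setdefault(mac.upper(), None)
    return list(ids), list(macs)


def looks_offline(personal_id):
    # Heuristic (assumption): the OFFLINE IDs quoted in this thread end in "t1".
    return personal_id.endswith("t1")


if __name__ == "__main__":
    found_ids, found_macs = summarize_log(SAMPLE_LOG)
    for pid, ext in found_ids:
        kind = "offline" if looks_offline(pid) else "online"
        print(f"ID {pid} ({ext}) looks {kind}")
    print("MACs:", ", ".join(found_macs))
```
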
GT500 Posted October 19, 2019

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

Leon79 Posted October 21, 2019

Hi,

Thank you for the notice. When my laptop was affected with the .lapoi virus and all my files got the .lapoi extension, I re-installed my laptop and kept all the affected documents. So I don't have the original files to upload since all the files were encrypted. What can I do in this case?

Thank you🙏

Amigo-A Posted October 21, 2019

Here is a sample list of where you can find the originals of the encrypted files:

1) on flash drives, external drives, CD / DVD, memory cards of the camera, phone;
2) in attachments of emails sent or received by you;
3) among the copies of shared photos that you gave to friends, relatives (on their PC);
4) among the photos uploaded to social networks, including via smartphone and tablet;
5) among the photos uploaded to cloud services (Google Disk, OneDrive, Yandex Disk etc.);
6) on the sites of ads, forums, where you could previously have sent photos or images;
7) among unencrypted files, copies, renamed files on your PC;
8) on an old PC or disk, from where you transferred photos and documents to a new PC;
9) you can re-download from the Internet previously downloaded photos, pictures, etc.;
10) you can use sample images supplied with Windows;
11) take photos or pictures that you previously posted as an avatar on the forums;
12) extract previously deleted files from the Recycle Bin or restore them with a special program.

If decryption failed ...

It is possible that the original file was an inaccurate copy of the encrypted one. This could be due to the fact that earlier you yourself reduced or corrected it in the editor, or uploaded it to social networks or cloud services, and there the file was somehow automatically changed. Look for more files and try different pairs of encrypted and original files with the same name.

Very often files can have the same name, but are not a copy of each other. Vocabulary used in any language is limited. The possibilities of PCs, cameras and other devices for taking photos are also limited. In cameras and mobile devices, names for photos are given automatically according to a specific format, so there can be quite a lot of photos with a name from IMG_0001.JPG to IMG_9999.JPG in different years.

Smartphones can give photos more original names, such as IMG_20171012_170451.jpg - here there is both the date of shooting and the sequence number, which makes repetition of the name unlikely.

Amigo-A Posted October 21, 2019

Also... Maybe you will need something from archives. Try the next trick for archives.

Archive files are not encrypted like all files. The first 1-2 files may be damaged there, the rest will be serviceable.

You can make a copy of the encrypted archive and then remove the .lapoi extension from this copy, unzip the archive and find the intact files.

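Added example, not part of the original posts: one way to carry out the archive trick described above for ZIP archives in Python, working only on a copy and extracting member by member so that damaged entries are skipped instead of aborting the whole unzip. The function name salvage_zip, the output folder layout and the choice of the ZIP format are assumptions.

```python
import shutil
import sys
import zipfile
import zlib
from pathlib import Path


def salvage_zip(encrypted_path, out_dir, suffix=".lapoi"):
    """Copy an encrypted ZIP without the added suffix and pull out intact members.

    Returns (recovered, damaged) lists of member names. The encrypted file
    itself is only read, never changed. salvage_zip is a hypothetical helper.
    """
    src = Path(encrypted_path)
    if src.suffix != suffix:
        raise ValueError(f"{src.name} does not end in {suffix}")
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    work = out / src.stem                 # backup.zip.lapoi -> backup.zip
    shutil.copyfile(src, work)

    recovered, damaged = [], []
    # A ZIP keeps its index at the end of the file, so it can usually still
    # be opened when only the beginning of the archive is damaged.
    with zipfile.ZipFile(work) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                zf.read(info)             # full read, checks the CRC-32
            except (zipfile.BadZipFile, zlib.error, EOFError, OSError):
                damaged.append(info.filename)
                continue
            # extract() sanitises member names (no writes outside out_dir)
            zf.extract(info, out / "recovered")
            recovered.append(info.filename)
    return recovered, damaged


if __name__ == "__main__" and len(sys.argv) == 3:
    ok, bad = salvage_zip(sys.argv[1], sys.argv[2])
    print(f"recovered {len(ok)} file(s); damaged: {bad or 'none'}")
```

Run it as `python salvage.py backup.zip.lapoi D:\salvaged` (script and folder names are placeholders); intact files land in the `recovered` subfolder.
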
GT500 Posted October 21, 2019

11 hours ago, Leon79 said:
> When my laptop was affected with the .lapoi virus and all my files got the .lapoi extension, I re-installed my laptop and kept all the affected documents. So I don't have the original files to upload since all the files were encrypted. What can I do in this case?

Without being able to supply file pairs (an encrypted file, and an unencrypted original copy of the same file) it will more than likely be impossible to decrypt your files.