phantom512

My files got encrypted by .gusau


Dear DemonSlay335

 

I would appreciate any help you can give me to get my files decrypted. I was infected with the ransomware that appends a ".gusau" file extension, and unfortunately your current STOPDecrypter does not work on my files.

 

The STOPdecrypter log is as follows:

 

[+] Loaded 64 offline keys
Please archive the following info in case of future decryption:
[*] ID: ujE2lYYKAwZr5Qi3kj9FDPJ0WdH5abcyOiGnxFS8
[*] ID: 68O9eTFDNbn8z2O956vweaL1v2GY5gvWBYMKcmt1
[*] MACs: EC:08:6B:14:E0:8C, EC:08:6B:14:E0:8E, EC:08:6B:14:E0:8F, 40:8D:5C:03:3A:11
This info has also been logged to STOPDecrypter-log.txt
Selected directory: C:\Decrypt
Starting decryption...

[+] File: C:\Decrypt\HiJackThis.exe.gusau
[-] No key for ID: ujE2lYYKAwZr5Qi3kj9FDPJ0WdH5abcyOiGnxFS8 (.gusau )

[+] File: C:\Decrypt\TSSniper_0_80_0_600_Freeware.zip.gusau
[-] No key for ID: ujE2lYYKAwZr5Qi3kj9FDPJ0WdH5abcyOiGnxFS8 (.gusau )

[+] File: C:\Decrypt\windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu.gusau
[-] No key for ID: ujE2lYYKAwZr5Qi3kj9FDPJ0WdH5abcyOiGnxFS8 (.gusau )

[+] File: C:\Decrypt\YUMI-2.0.6.1a.exe.gusau
[-] No key for ID: ujE2lYYKAwZr5Qi3kj9FDPJ0WdH5abcyOiGnxFS8 (.gusau )

Decrypted 0 files!
Skipped 4 files.

[!] No keys were found for the following IDs:
[*] ID: ujE2lYYKAwZr5Qi3kj9FDPJ0WdH5abcyOiGnxFS8 (.gusau )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: EC:08:6B:14:E0:8C, EC:08:6B:14:E0:8E, EC:08:6B:14:E0:8F, 40:8D:5C:03:3A:11
This info has also been logged to STOPDecrypter-log.txt

I have also attached the _readme.txt file for reference.

Any help would be greatly appreciated. I managed to stop the virus before it infected too much, but unfortunately only had a single copy of some files I would prefer not to lose.

Regards,

 

phantom512

_readme.txt


That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to:
https://id-ransomware.malwarehunterteam.com/

While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

 

Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

 

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
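The STOPDecrypter log in this thread asks the user to archive the IDs and MAC addresses for future decryption. The following is an added example, not part of the thread and not code from STOPDecrypter, that pulls those values out of a saved log and checks the "Skipped" total against the per-file results. It assumes the log format shown in the first post; `summarize` is a hypothetical helper and the sample ID, MAC and file values are constructed placeholders.

```python
import re

# Constructed sample in the format of the log posted above; the ID and MAC
# values are placeholders, not real victim data.
SAMPLE_LOG = r"""[+] Loaded 64 offline keys
[*] ID: EXAMPLEID0000000000000000000000000000AAA
[*] MACs: 00:00:5E:00:53:01, 00:00:5E:00:53:02
Selected directory: C:\Decrypt
[+] File: C:\Decrypt\report.docx.gusau
[-] No key for ID: EXAMPLEID0000000000000000000000000000AAA (.gusau )
[+] File: C:\Decrypt\photo.jpg.gusau
[-] No key for ID: EXAMPLEID0000000000000000000000000000AAA (.gusau )
Decrypted 0 files!
Skipped 2 files.
"""

FILE_RE = re.compile(r"^\[\+\] File: (.+)$")
NOKEY_RE = re.compile(r"^\[-\] No key for ID: (\S+) \((\.\w+)\s*\)")
MACS_RE = re.compile(r"^\[\*\] MACs: (.+)$")
SKIPPED_RE = re.compile(r"^Skipped (\d+) files\.")


def summarize(log_text):
    """Return the IDs lacking keys, their files, the MACs, and a count check."""
    missing = {}      # (id, extension) -> files that could not be decrypted
    macs = []         # de-duplicated, in order of first appearance
    reported_skipped = None
    current_file = None
    for line in log_text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            current_file = m.group(1)
        elif m := NOKEY_RE.match(line):
            missing.setdefault((m.group(1), m.group(2)), []).append(current_file)
        elif m := MACS_RE.match(line):
            for mac in m.group(1).split(", "):
                if mac not in macs:
                    macs.append(mac)
        elif m := SKIPPED_RE.match(line):
            reported_skipped = int(m.group(1))
    # The tool's own total should equal the number of "No key" results seen.
    counted = sum(len(files) for files in missing.values())
    return {"missing": missing, "macs": macs,
            "counts_match": reported_skipped == counted}
```
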


Hello @phantom512

You need to know that this is not the only case. 

This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. 
There are now a lot of victims on the forum from different variants of this ransomware. In some cases, the files can be decrypted. 

@Demonslay335 (the developer of STOPDecrypter) collects information from the victims, writes data and tries to update STOPDecrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. 

Download STOP Decrypter now >>>

I recommend that you start decrypting with a small group of files, but first you need to make copies of these files.

Do the rest as GT500 told you.
