
Hello @Tahir Moeen

extension .nelasod

This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017.
There are now a lot of victims of different variants of this ransomware on the forum. In some cases, the files can be decrypted.

You need to attach the ransom note _readme.txt to your message, or act further on your own.

@Demonslay335  (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. 

At the moment this is a new version and it is not yet supported in STOPDecrypter. In a few days, the developer of STOPDecrypter can add support for new variants of STOP Ransomware to STOPDecrypter. Then you can try to decrypt files with STOPDecrypter.
Here is the link.

This is a new variant and most likely it has not yet been added to the STOP Decrypter. Therefore, I give you a link to the future. 

Download STOP Decrypter now >>>

I recommend that you start decrypting with a small group of files, but first you need to make copies of these files.

If STOPDecrypter won't be able to recover your files, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter 

 


While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Then, after checking and cleaning, you will need to change the passwords on the accounts in browsers. Ransomware does not come alone; it comes with backdoors, trojans and password-stealers to inflict maximum damage and take more money.


Ransomware attacked my PC yesterday, encrypted all my data and changed the files. How do I decrypt the files? I need help. Virus name (.NELASOD). Please sir, give me a suggestion.

 


This is the message from the attacker:

 

 

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-2P5WrE5b9f
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
132KldYsmpnGGf4SsNNoDBzRHoERsNCDJXFi0OetZhqz2yruT2Ltt1


I don't know either .. I'm just trying to remove the malware .. still looking for a suitable decrypter ..

All my school assignments are on the PC


i don't know .. i'm just trying to remove malware .. still looking for a suitable decrypter ..

all my school assignments are on PC

 


Dear Amigo-A

Thanks for the reply. I have removed all the malicious files through different Malware like Appcheck, Malwarebytes etc. Similarly, the registry key is also cleaned. All the ransom notes are cleaned as well. But it is exactly the same as Mr Chusni has shown above.

"""""

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:

https://we.tl/t-2P5WrE5b9f
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
132KldYsmpnGGf4SsNNoDBzRHoERsNCDJXFi0OetZhqz2yruT2Ltt1 
"""""""

Dear Amigo-A. Please help. All my data was in other partitions and is encrypted. If I installed Win 7 again, would it solve the problem? Waiting for your valuable suggestion.

I have run STOPDecrypter and the following is my ID and MAC (as per your guidance mentioned above)

[+] Loaded 67 offline keys
Please archive the following info in case of future decryption:
[*] ID: PiZTrTjGj2ERDjqCNEDpJWJfZwuWtP8FHxJeXuSa
[*] ID: 4SsNNoDBzRHoERsNCDJXFi0OetZhqz2yruT2Ltt1
[*] MACs: A0:B3:CC:48:0B:46, 84:A6:C8:2E:4D:8F, 84:A6:C8:2E:4D:8F, 84:A6:C8:2E:4D:8E
This info has also been logged to STOPDecrypter-log.txt
 

Dear Amigo-A. Please help. It is my son's computer and I lost my whole family in the previous year due to a road accident. All my memories, my son's photo and class work were on the computer and it is encrypted. I need your help.

Regards

Tahir

 

_readme.txt

Edited by Tahir Moeen
I found the readme txt file of the ransomware


Dear Tahir

If I could help you, I would certainly help. But it is not in my power. 

We cannot change the encryption as we wish, it is a very complex computing process.

@Demonslay335 (the developer of the STOPDecrypter) collects information from STOPDecrypter with victims' IDs, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible.

 


Hello Amigo-A

I have sent the ransom note and, as per your suggestion, I have run STOPDecrypter; the following is my ID and MAC

[+] Loaded 67 offline keys
Please archive the following info in case of future decryption:
[*] ID: PiZTrTjGj2ERDjqCNEDpJWJfZwuWtP8FHxJeXuSa
[*] ID: 4SsNNoDBzRHoERsNCDJXFi0OetZhqz2yruT2Ltt1
[*] MACs: A0:B3:CC:48:0B:46, 84:A6:C8:2E:4D:8F, 84:A6:C8:2E:4D:8F, 84:A6:C8:2E:4D:8E
This info has also been logged to STOPDecrypter-log.txt
 

Please send this to him

with regards

Tahir

2 hours ago, Tahir Moeen said:

Please send this to him

I informed him. 

[Image: case.png]

 

He already archived your case. Presently there is no decryption key for your ID. You can follow Demonslay335's news on decryption on Twitter.


Very small hope at the moment.

If something changes, then for each case, the STOPDecrypter developer will report in the topic where he archived the case.


Thank you, Amigo. Your input is so helpful ... I will wait for good news from you or @demonslay335. I am also trying to find a solution by restoring my data with applications that I have not tried.

This is my second experience with ransomware; in my experience with LANSET I was able to recover 100%. I initially tried using a backup and restore application, but only a small part of it was detected, until finally I found STOPDecrypter; with STOPDecrypter my data was recovered 100% .. but right now it's a nightmare for me ..


@Tahir Moeen

See my post above (picture), I wrote Demonslay335 a personal message, he went into this topic, wrote down the data.
You can tweet him if you want him to reply via Twitter. Just tell him that you are from this topic on the Emsisoft forum.


That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to:
https://id-ransomware.malwarehunterteam.com/

While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

 

Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

 

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

 


Hello Amigo-A

I have sent the ransom note and, as per your suggestion, I have run STOPDecrypter; the following is my ID and MAC

[+] Loaded 73 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 08:ED:B9:62:EB:D8, F0:DE:F1:EC:B7:42, 7C:E9:D3:C8:7B:DD
This info has also been logged to STOPDecrypter-log.txt

Please send this to him

with regards

NATHAN

 

5 hours ago, NATHANAEL_WILLIAM said:

[+] Loaded 73 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 08:ED:B9:62:EB:D8, F0:DE:F1:EC:B7:42, 7C:E9:D3:C8:7B:DD
This info has also been logged to STOPDecrypter-log.txt

That information doesn't show your ID. Would it be possible to attach a copy of STOPDecrypter's log to a reply so that we can review it?


@chusni

Quote

Crack PES 2017

This file or others may be the reason why your PC was attacked and encrypted.
I hope that you will draw the right conclusions from this situation. 😊

If you really need such files, then keep important personal files (photos, documents) separate from this PC on which the files I mentioned above are stored and used.

55 minutes ago, Amigo-A said:

@chusni

This file or others may be the reason why your PC was attacked and encrypted.
I hope that you will draw the right conclusions from this situation. 😊

If you really need such files, then keep important personal files (photos, documents) separate from this PC on which the files I mentioned above are stored and used.

thank you for the advice you gave, 
I have a lot of software applications and os, 
and every application has a crack, and I put it into one place, 
maybe this will make good input for me,

Then, what made ransomware cripple people's computers, 
I heard by email, but when I checked there was nothing strange in my email

On 8/7/2019 at 12:47 AM, GT500 said:

That information doesn't show your ID. Would it be possible to attach a copy of STOPDecrypter's log to a reply so that we can review it?

http://www.gcs-cmr.com/download_nathan/STOPDecrypter-log.txt

[+] Loaded 73 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 08:ED:B9:62:EB:D8, F0:DE:F1:EC:B7:42, 7C:E9:D3:C8:7B:DD
This info has also been logged to STOPDecrypter-log.txt
Selected directory: G:\TRAITER
Starting decryption...

[+] File: G:\TRAITER\AMPLISOFT_Data_1.8_1_BUEA.mdb.nelasod
[-] No key for ID: ESb3uPly3qKdbjV5Wt9GXKvroRrenxoZWuNkBafl (.nelasod )

[+] File: G:\TRAITER\ATT20170510.mdb.nelasod
[-] No key for ID: ESb3uPly3qKdbjV5Wt9GXKvroRrenxoZWuNkBafl (.nelasod )

Decrypted 0 files!
Skipped 2 files.

[!] No keys were found for the following IDs:
[*] ID: ESb3uPly3qKdbjV5Wt9GXKvroRrenxoZWuNkBafl (.nelasod )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 08:ED:B9:62:EB:D8, F0:DE:F1:EC:B7:42, 7C:E9:D3:C8:7B:DD
This info has also been logged to STOPDecrypter-log.txt

8 hours ago, chusni said:

I heard by email, but when I checked there was nothing strange in my email

STOP Rw is distributed mainly through hacker, pirated and repackaged distributions. It is enough to download software from some unofficial sites and the 'payload' will load the components for the attack and encryption.

14 hours ago, NATHANAEL_WILLIAM said:

[!] No keys were found for the following IDs:
[*] ID: ESb3uPly3qKdbjV5Wt9GXKvroRrenxoZWuNkBafl (.nelasod )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 08:ED:B9:62:EB:D8, F0:DE:F1:EC:B7:42, 7C:E9:D3:C8:7B:DD
This info has also been logged to STOPDecrypter-log.txt

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.
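
The following is an added example, not part of any post in this thread and not STOPDecrypter's own code: a small Python parser for the log format quoted above that collects the IDs and MAC addresses to archive and flags a log that contains MACs but no ID. The sample log is constructed (placeholder ID, MACs and paths), and `summarize_log` is a hypothetical name.

```python
import re

# Constructed sample in the format of the STOPDecrypter logs quoted in this
# thread; the ID, MAC addresses and paths are made-up placeholders.
SAMPLE_LOG = r"""[+] Loaded 73 offline keys
Please archive the following info in case of future decryption:
[*] MACs: 02:00:00:AA:BB:01, 02:00:00:AA:BB:02, 02:00:00:AA:BB:02
Selected directory: X:\DATA
Starting decryption...

[+] File: X:\DATA\report.mdb.nelasod
[-] No key for ID: EXAMPLEplaceholderID0000000000000000000a (.nelasod )

[+] File: X:\DATA\notes.mdb.nelasod
[-] No key for ID: EXAMPLEplaceholderID0000000000000000000a (.nelasod )

Decrypted 0 files!
Skipped 2 files.
"""

# "[*] ID: <id>" and "[-] No key for ID: <id> (.ext )" both carry an ID.
ID_RE = re.compile(r"^\[[*\-]\]\s*(?:No key for )?ID:\s*(\S+)(?:\s*\(\s*(\.\w+)\s*\))?")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
FILE_RE = re.compile(r"^\[\+\]\s*File:\s*(.+?)\s*$")

def summarize_log(text):
    """Return the IDs, de-duplicated MACs and files left without a key."""
    ids = {}            # ID -> {"extension": ..., "files_without_key": [...]}
    macs = []           # first-seen order, duplicates dropped
    current_file = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            current_file = m.group(1)
            continue
        m = ID_RE.match(line)
        if m:
            entry = ids.setdefault(
                m.group(1), {"extension": None, "files_without_key": []})
            entry["extension"] = m.group(2) or entry["extension"]
            if "No key for ID" in line and current_file:
                entry["files_without_key"].append(current_file)
                current_file = None
            continue
        if "MACs:" in line:
            # The MAC list may have other text pasted onto the same line.
            for mac in MAC_RE.findall(line):
                if mac.upper() not in macs:
                    macs.append(mac.upper())
    # A log with MACs but no ID is not enough to archive a case.
    return {"ids": ids, "macs": macs, "complete": bool(ids) and bool(macs)}
```

A log that only shows the `MACs:` line, like the first one posted above, comes back with `complete` set to `False`, which is the cue to run a decryption attempt on a folder and attach the full log.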

Please help me, my files are under attack by ransomware .NELASOD, help me please
 
ID: dcZ8vWGiHl9OInG17SrTpND5ke5s5qwIDAfjUPHs
MACs: 00:FF:1F:03:63:F5, 70:71:BC:94:A7:33 
 
[!] No keys were found for the following IDs:
 
[*] ID: dcZ8vWGiHl9OInG17SrTpND5ke5s5qwIDAfjUPHs (.nelasod )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MACs: 00:FF:1F:03:63:F5, 70:71:BC:94:A7:33
This info has also been logged to STOPDecrypter-log.txt


Dear Amigo-A and friends

Did you find a solution for Nelasod?

Dear Amigo, what is the latest news from the STOPDecrypter developer?

Please contact him. I will be thankful.

Regards

Tahir

[+] Loaded 77 offline keys
Please archive the following info in case of future decryption:
[*] ID: PiZTrTjGj2ERDjqCNEDpJWJfZwuWtP8FHxJeXuSa
[*] ID: 4SsNNoDBzRHoERsNCDJXFi0OetZhqz2yruT2Ltt1
[*] MACs: A0:B3:CC:48:0B:46, 84:A6:C8:2E:4D:8F, 84:A6:C8:2E:4D:8F, 84:A6:C8:2E:4D:8E
This info has also been logged to STOPDecrypter-log.txt
Selected directory: F:\
Selected directory: E:\

 

On 8/10/2019 at 3:03 AM, Zareef said:

_readme.txt
I used STOPDecrypter; it works but it left many files. Some files escaped and some files were not decrypted. Please give me any other way, please.

That's because it doesn't have your decryption key.

Right now STOPDecrypter is the only way to decrypt files, however it requires a decryption key unless you have an offline ID. Since you don't appear to have posted your information from STOPDecrypter as per the instructions here, I can only assume that you don't have an offline ID (this is the case for the majority of victims).

17 hours ago, Tahir Moeen said:

Dear Amigo, what is the latest news from the STOPDecrypter developer?

There is no new news at the moment. If you give us more time, then hopefully we'll be able to help you.

15 hours ago, Tahir Moeen said:

Will it be solved in one week or 2 weeks time??

At this time there's no way to know for certain. It could be a matter of days, or a matter of months.
