Gladstone

.nacro ransomware attack need help


Hi guys, my files were infected by ransomware named STOP DJVU, with the extension .nacro. Please help me, I can't access my files. It's been 4 days now and I have been trying one decryptor tool after another, but none of them worked.

Need help...

Edited by Gladstone


Hello

This variant .nacro has not yet been added to the STOP Decrypter. 
Attach your _readme.txt file to a message so we can see what type of ID it is.

 


That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to:
https://id-ransomware.malwarehunterteam.com/

While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter

 

Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

 

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.


I do not see the ID here, therefore, it is not clear with which key the files were encrypted.

If your ID does not have the following code after the first three digits
gyTwIW8EFRyrHBHcn0bFVHerzI3NtAa14YK0kst1
then your files cannot be decrypted right now.

3 hours ago, Amigo-A said:

I do not see the ID here, therefore, it is not clear with which key the files were encrypted.

If your ID does not have the following code after the first three digits
gyTwIW8EFRyrHBHcn0bFVHerzI3NtAa14YK0kst1
then your files cannot be decrypted right now.

STOPDecrypter shows 4 ID's, several of which are the offline ID:

[*] ID: gyTwIW8EFRyrHBHcn0bFVHerzI3NtAa14YK0kst1 (.nacro )
[*] ID: gyTwIW8EFRyrHBHcn0bFVHerzI3NtAa14YK0kst1 (.pdf )
[*] ID: HygoDFhpIN6nXxhxWzH8pkbWXQ6fWVGHivdx0XWp (.nacro )
[*] ID: gyTwIW8EFRyrHBHcn0bFVHerzI3NtAa14YK0kst1 (.dwg )

@Gladstone in theory if you run STOPDecrypter again, add your files to it, and then try to decrypt them then it may be able to decrypt some of them. I can't say for certain how much will be decryptable, since I don't know how many were encrypted using the offline key.

 

13 hours ago, Gladstone said:

I have attached a copy of the FRST save files after the scan, and I have also added the information saved after running STOPDecrypter.

Addition.txt 34.14 kB · 0 downloads FRST.txt 215.08 kB · 0 downloads STOPDecrptor information.txt 408 B · 0 downloads

I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.

All you have to do now is give us some time, and we'll do what we can for you.

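A small triage helper for the ID lines quoted in the post above, added here as an illustration (it is not part of the thread and is not STOPDecrypter code). It assumes the `[*] ID: ... (.ext )` line layout shown in that post and the "three digits, then the offline ID" layout described earlier for the ID in _readme.txt; the readme ID used to exercise it is constructed.

```python
import re

# Offline ID quoted in the thread for the .nacro variant.
OFFLINE_ID = "gyTwIW8EFRyrHBHcn0bFVHerzI3NtAa14YK0kst1"

# ID lines as quoted in the post above.
STOPDECRYPTER_LINES = """\
[*] ID: gyTwIW8EFRyrHBHcn0bFVHerzI3NtAa14YK0kst1 (.nacro )
[*] ID: gyTwIW8EFRyrHBHcn0bFVHerzI3NtAa14YK0kst1 (.pdf )
[*] ID: HygoDFhpIN6nXxhxWzH8pkbWXQ6fWVGHivdx0XWp (.nacro )
[*] ID: gyTwIW8EFRyrHBHcn0bFVHerzI3NtAa14YK0kst1 (.dwg )
"""

# Assumed layout: "[*] ID: <alphanumeric id> (<.extension> )"
ID_LINE = re.compile(r"^\[\*\] ID: (?P<id>[A-Za-z0-9]+) \((?P<ext>\.\w+)\s*\)$")


def parse_ids(text):
    """Return (id, extension) pairs for every well-formed ID line."""
    pairs = []
    for line in text.splitlines():
        match = ID_LINE.match(line.strip())
        if match:
            pairs.append((match["id"], match["ext"]))
    return pairs


def triage(text, offline_id=OFFLINE_ID):
    """Split the reported IDs into the offline ID and everything else."""
    pairs = parse_ids(text)
    offline = [ext for key_id, ext in pairs if key_id == offline_id]
    other = sorted({key_id for key_id, _ in pairs if key_id != offline_id})
    return {"offline_count": len(offline), "offline_exts": offline,
            "other_ids": other}


def readme_id_is_offline(personal_id, offline_id=OFFLINE_ID):
    """Check a _readme.txt ID: three leading digits, then the offline ID."""
    pid = personal_id.strip()
    return pid[:3].isdigit() and len(pid) > 3 and pid[3:].startswith(offline_id)


if __name__ == "__main__":
    print(triage(STOPDECRYPTER_LINES))
    # Constructed readme ID: the "000" prefix is a placeholder, not a real value.
    print(readme_id_is_offline("000" + OFFLINE_ID))
```

Files reported under an ID listed in `other_ids` are the ones the thread says cannot be decrypted with the offline key.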

@Gladstone after a quick look at your FRST logs, I don't think your computer is still infected, however I am seeing pirated software installed on your computer. Please note that we require any pirated software to be removed.

Also note that you're much safer avoiding pirated software. The STOP/Djvu ransomware that you are a victim of is usually spread through pirated software, music, and movie downloads.


Thanks so much for the response. I will also do as you said by removing all pirated software from the system. I have also tried the updated STOPDecrypter and have had success with some of the files. I have attached a copy of the saved note after decryption and will be on standby if there is any update concerning my issue.

STOPDecrypter-log.txt

12 hours ago, Gladstone said:

Thanks so much for the response. I will also do as you said by removing all pirated software from the system. I have also tried the updated STOPDecrypter and have had success with some of the files. I have attached a copy of the saved note after decryption and will be on standby if there is any update concerning my issue.

I'm glad to hear that some of your files were recoverable. Someone will contact you if your decryption key can be figured out.


@Gladstone

After cleaning, you can attach the logs again and we will look in the logs for the presence of remaining unwanted elements.

Quote

AVAST Software

Malwarebytes Corporation

ESET Security

HitmanPro

Your system has these antivirus software files. Only one should remain.

8 hours ago, Gladstone said:

OK, because I have removed Avast and am left with ESET and Malwarebytes.

That should be fine as long as Malwarebytes is just running in freeware mode without protection.

Quote

Malwarebytes  in freeware mode

Most free security and free antivirus software will not protect against crypto-ransomware and hacker attacks. Using these programs only gives you a false sense of security against such infections and attacks, in addition to wasting a lot of computer resources.

If you do not have money to purchase comprehensive protection, I recommend using 30-60-90 day trial versions of paid products. In my opinion, changing protection every month and taking advantage of full security program functionality for 30-60-90 days is a good practice. There are legitimate sites that from time to time provide special offers and a legitimate license to use various products, including antivirus software. It is your right and choice to choose and use 30 days or more of comprehensive protection when such promotions are available. If you wish, I can give you the names of such sites and provide links where to go in order to take advantage of these promotional offers.

https://www.giveawayoftheday.com/ - daily software offer
https://sharewareonsale.com/ - daily discounts, excluding 100%

Free Office

https://www.freeoffice.com/  - modern office suite fully compatible with MS Office
https://www.freeoffice.com/ru/softmaker-office-hd-android - version for Android

FreeOffice 2018 is a full-featured Office suite with word processing, spreadsheet and presentation software. It is seamlessly compatible with Microsoft Office and available for Windows, Mac and Linux.

Becoming a licensed user in a legal way is now easy and simple! No need to download cracked and repackaged programs, no need to use illegal activation programs.

FreeOffice 2018
Free download for Windows, Mac and Linux
Permanently free to use!

No need to use broken, patched and repacked office suites! Download, install, use FreeOffice!

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-released-for-148-variants/
https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/
