Recommended Posts

Does anyone can help me my computer was attack by "Carote ransomware" 

all my files left encrypted with the extension name .carote ransomware

Any decrypted software to help me recover all my files.
 

Share this post


Link to post
Share on other sites

Hello @Allan Tidalgo

This is the result of the STOP-Djvu Ransomware attack. I have been tracking the malicious work of this program since December 2017. 
Now on the forum a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. 

This is new variant. You need to attach a ransom note _readme.txt  to the message, or farther act by himself.

@Demonslay335  (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. 

You can try to decrypt files with STOPDecrypter.

Download STOP Decrypter now >>>

I recommend to you start decrypt with a small group of files, but first you need to make copies of these files.

If STOPDecrypter won't be able to recover your files, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter and paste to a new message:
https://kb.gt500.org/stopdecrypter 

Share this post


Link to post
Share on other sites

Most ransomwares will automatically delete themselves after they finish encrypting files, but some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. 

It's best practice to check and make sure that no such components have been left behind, so we recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (just attach the log files FRST saves to your message):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ 

 

Share this post


Link to post
Share on other sites

In addition, the STOP-Djvu Ransomware does the following:
1) leaves behind a software module that steals personal information from browsers and other programs;
2) modifies the hosts file to prevent browsers from opening anti-virus companies' websites and forums (like this one) that helps victims.

For these targets:
1) after checking and cleaning the PC, when it is be confirmed that there are no other malicious modules, you need to replace the passwords for all sites with more complex ones (at least 12-16 characters, including A-a, Z-z, 0-9, @ # $).
2) you need to reset or delete the modified hosts file, without it, all legitimate sites will be available to you.

The path to this file is: C:\Windows\System32\drivers\etc\

h.jpg.399261a04288db830d6a76357a448996.jpg
Download Image

Share this post


Link to post
Share on other sites

@Allan Tidalgo would you still have a copy of the malicious file that the ransomware came from? With the STOP/Djvu ransomware it's usually pirated software, music, and movie downloads that that contain it.

If you can find a copy of it, then please upload it to VirusTotal, and then paste a link to the analysis here for us to review:
https://www.virustotal.com/gui/home/upload

Share this post


Link to post
Share on other sites

To GT500

 

         Sir  I download the file from piratebay, when I start to install it then out of a sudden something wrong in my computer,, then I realized all my files were encrypted.

 but I cannot find now where is the files that i install. I also use the "stopdecrypter" although it includes inside about the ".carote" offline keys,, but when I try it,, it says

+] File: D:\Grace\JS 23507 Abdulla 03.07.19\MVI_8307.MOV.carote
[-] No key for ID: 6iQ4RUPuZqB0qis4pFpU95dwg6FF1HiNXgfPlFx1 (.carote )

       This is the result shown from the StopDecrypter.

 

  From,

Allan Tidalgo

 

 

 

Share this post


Link to post
Share on other sites
15 hours ago, Allan Tidalgo said:

+] File: D:\Grace\JS 23507 Abdulla 03.07.19\MVI_8307.MOV.carote
[-] No key for ID: 6iQ4RUPuZqB0qis4pFpU95dwg6FF1HiNXgfPlFx1 (.carote )

       This is the result shown from the StopDecrypter.

That's an online ID, so there won't be an immediate solution, however there is work on a way to recover your files that's ongoing. Just make sure to keep a backup of all of your encrypted files.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.