Takuro Yew

got infected by .gero ransomware. File need decrypt

Recommended Posts

Yesterday one of my company PC got infected by .gero ransomware. Most of the file in the network shared folder are encrypted with .gero file.

Do you have anyway to decrypt  the file?

Share this post


Link to post
Share on other sites

That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to:
https://id-ransomware.malwarehunterteam.com/

Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

Also note: If this is the STOP/Djvu ransomware, then as of the .gero and .hese variants decryption is no longer possible. If you feel you have no other choice but to contact the criminals to recover files, then I highly recommend that you do so through a third-party that has experience negotiating with such criminals (such as Coveware). Never attempt to contact the criminals yourself, as they will generally have no sympathy for you, and may attempt to further take advantage of you or continue to extort you.

Share this post


Link to post
Share on other sites

Hello @Takuro Yew

Attach the file _readme.txt to your message, so that we can check and catalog this variant of STOP-Djvu Ransomware.

Do not change or rename anything.

Share this post


Link to post
Share on other sites

Dear @Amigo-A

 

I attached the _readme.txt for you to inspect.

Is it advisable to allow the PC to connect to our network by turning of file sharing and network discovery?

Last night most of the file at our network share folder got infected. And we had quarantine the 1 PC that caused infection by installing the CCTV view program.

_readme.txt

Share this post


Link to post
Share on other sites

This is the result of the STOP-Djvu Ransomware attack, which spread since December 2017. 
Now on the forum a lot of victims from different variants of this Ransomware, in some cases, when files are encrypted using offline keys, files can be decrypted using a STOP-Decrypter.

Variant with .gero extension is new. It is possible that soon the STOP-Decrypter will be updated for the version with the extension .gero.

But your personal ID contains more than 40 characters, which means the files have been encrypted with an online key.

Therefore, most likely, the STOP-Decrypter will not be able to decrypt encrypted files.

If STOPDecrypter won't be able to recover your files, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter and paste to a new message:
https://kb.gt500.org/stopdecrypter 

 

 

Share this post


Link to post
Share on other sites

Most ransomwares will automatically delete themselves after they finish encrypting files, but some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. 

It's best practice to check and make sure that no such components have been left behind, so we recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (just attach the log files FRST saves to your message):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ 

Share this post


Link to post
Share on other sites

In addition, the STOP-Djvu Ransomware does the following:
1) leaves behind a software module that steals personal information from browsers and other programs;
2) modifies the hosts file to prevent browsers from opening anti-virus companies' websites and forums (like this one) that helps victims.

For these targets:
1) after checking and cleaning the PC, when it is be confirmed that there are no other malicious modules, you need to replace the passwords for all sites with more complex ones (at least 12-16 characters, including A-a, Z-z, 0-9, @ # $).
2) you need to reset or delete the modified hosts file, without it, all legitimate sites will be available to you.

The path to this file is: C:\Windows\System32\drivers\etc\

h.jpg.399261a04288db830d6a76357a448996.jpg
Download Image

Share this post


Link to post
Share on other sites
2 hours ago, Takuro Yew said:

Is it advisable to allow the PC to connect to our network by turning of file sharing and network discovery?

Last night most of the file at our network share folder got infected. And we had quarantine the 1 PC that caused infection by installing the CCTV view program.

The @GT500 will probably give you an answer on this. He has a special recommendation.

Share this post


Link to post
Share on other sites
12 hours ago, Takuro Yew said:

Is it advisable to allow the PC to connect to our network by turning of file sharing and network discovery?

Turn off File Sharing on any other computers on the network, at least until the infected computer can be verified clean.

After that, follow the instructions at the link below to run FRST and post the logs for me to review:
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

 

10 hours ago, Amigo-A said:

If STOPDecrypter won't be able to recover your files, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter and paste to a new message:
https://kb.gt500.org/stopdecrypter 

It's important to note that STOPDecrypter will not be able to help with this newer variant of STOP/Djvu. They've changed the encryption method they use, and STOPDecrypter doesn't support it.

Share this post


Link to post
Share on other sites

Hey guys, 

My laptop also got affected two days back with same Ransomeware and important files got encrypted with gero extension.

I'm a student and manage my bills by working at small job.

Please please please help me out.

I'll be highly thankful to you.

 

Share this post


Link to post
Share on other sites

That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to:
https://id-ransomware.malwarehunterteam.com/

 

Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

 

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.