Richard

Seto Virus Ransomware

Recommended Posts

Hello. . 

Please I need your help and expertise!

My Laptop just got infected by Seto Virus and really unfortunate that my backup files also infected by this virus, i have try many recovery tools and it didn't help at all.

I really need your help to decrypt my files :( Please.

Please Help. 

Share this post


Link to post
Share on other sites

Hello @Richard

  Quote

.gero
.hese
.seto
.peta
.moka

This is the results of the STOP-Djvu Ransomware attack. I have been tracking the malicious work of this program since December 2017. 
Now on the forum a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. 

Extension .seto - this is new variant of STOP Ransomware. Until recently, it was possible to collect some information and add it to STOP-Decrypter. Now this does not help. We expect changes in the decryption method. But so far there is no such news and the victims remain with encrypted files.

I repeat, there is no way to decrypt files yet. Any site that offers decryption for this variant may be a scam site. Be careful.

Share this post


Link to post
Share on other sites

Most ransomwares will automatically delete themselves after they finish encrypting files, but some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. 

It's best practice to check and make sure that no such components have been left behind, so we recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (just attach the log files FRST saves to your message):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ 

Share this post


Link to post
Share on other sites

In addition, the STOP-Djvu Ransomware does the following:
1) leaves behind a software module that steals personal information from browsers and other programs;
2) modifies the hosts file to prevent browsers from opening anti-virus companies' websites and forums (like this one) that helps victims.

For these targets:
1) after checking and cleaning the PC, when it is be confirmed that there are no other malicious modules, you need to replace the passwords for all sites with more complex ones (at least 12-16 characters, including A-a, Z-z, 0-9, @ # $).
2) you need to reset or delete the modified hosts file, without it, all legitimate sites will be available to you.

The path to this file is: C:\Windows\System32\drivers\etc\

h.jpg.399261a04288db830d6a76357a448996.jpg
Download Image

Share this post


Link to post
Share on other sites

I was informed that Drweb can decrypt some files that STOP cannot decrypt, only in another way. Only .pdf encrypted files and all the Office documents .doc, xls, docx, xlsx, ppt, pps, etc … 
Unfortunatly with this way can't will decrypt photo, video, audio and many files with other extensions.
If free test decrypt these files will successful, the fees requested by Dr.Web experts 150 EUR for Rescue Pack (Personal decryptor + 2-year DrWeb Security Space protection). There is no alternative to receiving this service. If the test-decrypt will fails, no payment will be required. 

Tell me, if this way suits you, I will let you know what files you need to collect for this. 

I do not participate in this process and do not provide any help except this information. I not having any financial benefit and is not involved in this decryption service at all.

Share this post


Link to post
Share on other sites

Hi @Amigo-A

thank you for your explanation on this issue,

as i aware of there's no solution yet on this matter, thus i will just wait for the time to come.

however, appreciate your help to inform me once the decryptor is available to decrypt this .seto virus.

Quote
On 9/8/2019 at 12:27 AM, Amigo-A said:

Most ransomwares will automatically delete themselves after they finish encrypting files, but some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. 

It's best practice to check and make sure that no such components have been left behind, so we recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (just attach the log files FRST saves to your message):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ 

 

and, please find the attachment for the FRST file, hope you can let me know whether my laptop still has malicious things or not.

Quote

2) you need to reset or delete the modified hosts file, without it, all legitimate sites will be available to you.

The path to this file is: C:\Windows\System32\drivers\etc\

image.png.16a7df39b8f7ef1af6d8d21998586df7.png
Download Image

what should i do with this?

 

Thanks a lot @Amigo-A

FRST.txt

Share this post


Link to post
Share on other sites
2 hours ago, Richard said:

what should i do with this?

You need to open and check this file hosts. If there is a list of blocked ~250 addresses of AV companies and security sites, then the file must be cleaned or deleted.

If the list is small, then it could be make up by your programs, in that case do not delete it.

Share this post


Link to post
Share on other sites

I looked at the log-file and made sure that not a single comprehensive antivirus was protecting your computer, so the ransomware attack was successful. 

Free antiviruses are not able to protect against such attacks. Even if on all billboards write that "Protects from extortionists!" Do not believe it! Will not protect in reality! A very small percentage of real protection. 

First of all, you need to choose one, but comprehensive antivirus with protection of class Internet or Total Security and stop using programs like [email protected] and other illegitimate activators.
Otherwise, attacks like this one will continue and your computer will suffer again. 

Quote

 

C:\Windows\[email protected]
C:\Windows\[email protected]

 

 

 

Uninstall or remove manually.

Quote

C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
C:\Program Files\Malwarebytes
C:\Program Files\AVAST Software

Uninstall like a useless load.

Share this post


Link to post
Share on other sites

I think support representatives will say something more about FRST log and advise you to do a check PC with Emsisoft Emergency Kit

Then, after checking the PC, the report from Quarantine (from the context menu) can be saved to a text file or take a screenshot to attach them to your message.

Share this post


Link to post
Share on other sites
22 hours ago, Richard said:

and, please find the attachment for the FRST file, hope you can let me know whether my laptop still has malicious things or not.

@Richard please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/2019-09September-13/Richard/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

Share this post


Link to post
Share on other sites
On 9/14/2019 at 10:36 AM, GT500 said:

@Richard please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/2019-09September-13/Richard/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

 

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

 

Hi @GT500 

please find the attachment for Fixlog.txt

On 9/21/2019 at 2:26 AM, Amigo-A said:

Hello @Richard

Attach a ransom note, so that we can take a look at your ID and check out yet another way to decrypt the files.

@Amigo-A Please find the attachment for the ransom note as well 

personal ID : 0159Iuihiuer7f3hftSO6M07y0A7cJ2aseiSLOnY783WALrOELafbNFKm

Fixlog.txt

_readme.txt

Share this post


Link to post
Share on other sites
7 hours ago, Amigo-A said:

Your files were encrypted online with a key, after which decryption is not possible.

That's correct, however STOPDecrypter doesn't support this version of STOP/Djvu at all, so even if it was an offline key that was used then decryption wouldn't be possible.

 

@Richard please note that this particular ransomware is distributed mainly with pirated software and fake pirated music and videos/movies. Certain cracking/activation bypassing software (KMSPico for instance) are particularly well known for it, so we highly recommend avoiding such things.

Share this post


Link to post
Share on other sites
23 hours ago, Amigo-A said:

@GT500

This link refers to another decryptor, which works with offline keys. I did not talk about STOP Decrypter, which has not been updated for a long time.

Share this post


Link to post
Share on other sites
8 hours ago, Amigo-A said:

@GT500

This link refers to another decryptor, which works with offline keys. I did not talk about STOP Decrypter, which has not been updated for a long time.

Ah, OK. Thank you.

Share this post


Link to post
Share on other sites

Thank you @GT500  & @Amigo-A , so i assume that there are no help as for now?

Usually how long it will take for experts to come out with the decryptor?

Quote
On 9/29/2019 at 10:28 AM, GT500 said:

 

@Richard please note that this particular ransomware is distributed mainly with pirated software and fake pirated music and videos/movies. Certain cracking/activation bypassing software (KMSPico for instance) are particularly well known for it, so we highly recommend avoiding such things.

 

my best guess is because i downloaded some unknown files and infects my laptop.

 

Thanks for all your clear explanation and help @GT500 & @Amigo-A

 

Share this post


Link to post
Share on other sites
1 hour ago, Richard said:

Usually how long it will take for experts to come out with the decryptor?

For all the time the activity of this ransomware was only twice managed to pick up methods and decrypt files. At first, some early versions were decrypted by DrWeb specialists, then Demonslay335 found a decryption method that works for offline keys. This method worked until recently.

Files encrypted with online keys could never be decrypted. They cannot be calculated over decades using supercomputers.

DrWeb continues to help when files are encrypted with offline keys. This also works for new variants with 4st letters in extension. Each time, the selection of the method and the calculation becomes more difficult. STOP Ransomware developers take into account all the shortcomings and fix them very quickly.

Share this post


Link to post
Share on other sites
On 10/2/2019 at 12:56 PM, Amigo-A said:

For all the time the activity of this ransomware was only twice managed to pick up methods and decrypt files. At first, some early versions were decrypted by DrWeb specialists, then Demonslay335 found a decryption method that works for offline keys. This method worked until recently.

Files encrypted with online keys could never be decrypted. They cannot be calculated over decades using supercomputers.

DrWeb continues to help when files are encrypted with offline keys. This also works for new variants with 4st letters in extension. Each time, the selection of the method and the calculation becomes more difficult. STOP Ransomware developers take into account all the shortcomings and fix them very quickly.

@Amigo-A

Does it mean that i will never be able to retrieve back all my files and will gone forever?

or is there any glimpse of hope that the decryptor for this ransomware will be created in near future?

 

Unfortunately, all my back up are also infected by this ransomware. :(

Share this post


Link to post
Share on other sites

I can’t know for sure.

We always hope that the files can be returned, if not now, then in the future.

Share this post


Link to post
Share on other sites
19 hours ago, Richard said:

Does it mean that i will never be able to retrieve back all my files and will gone forever?

or is there any glimpse of hope that the decryptor for this ransomware will be created in near future?

There is always the possibility that law enforcement may manage to catch the criminals or at least gain possession of their server. There's also the possibility that the criminals may decide to release their database of keys to someone can make a decrypter, or that researchers may discover a flaw in the ransomware that allows for decryption.

With more secure ransomwares this sort of thing doesn't necessarily happen quickly, however if you can keep a copy of your encrypted files in a safe place then there is the possibility that some day you may be able to get them back.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.