
Hi everyone,

 

I got hit from [email protected]

I downloaded an unknown setup 2 days ago

and got encrypted yesterday

 

All my files got encrypted to .kvag.

There are now 3 questions that worry me.

I was saving every single site's data I registered in OneNote files and Word files,

and my bank account and password for my bank internet service.

What should I do about that?

Are they going to check such files? And what should I do?

 

To reconfirm,

is there any way to decrypt my files or recover some of them?

Unfortunately I don't have any backup anywhere.

And I couldn't get SpyHunter, so I cleaned with Malwarebytes, Norton, Hitman and GridinSoft.

Is that enough, or do I still need to do more?

 

I attached the note they put and one encrypted file,

and I don't know if that would be useful in any way.

I cleaned the hosts file;

these are the links I found in it:

127.0.0.1 space1.adminpressure.space
127.0.0.1 trackpressure.website
127.0.0.1 htagzdownload.pw
127.0.0.1 360devtraking.website
127.0.0.1 room1.360dev.info
127.0.0.1 djapp.info
127.0.0.1 sharefolder.online
127.0.0.1 telechargini.com
127.0.0.1 fffffk.xyz
127.0.0.1 smarttrackk.xyz

 

Thank you, and I'm waiting for your replies.

 

Akachan-ningen 1.jpg.kvag _readme.txt

These are the results of a STOP-Djvu Ransomware attack. I have been tracking the malicious work of this program since December 2017.
Now there are a lot of victims on the forum from different variants of this Ransomware. In some cases, the files can be decrypted.

Extension .kvag - this is a new variant of STOP Ransomware. Until recently, it was possible to collect some information and add it to STOP-Decrypter. Now this does not help. We expect changes in the decryption method. But so far there is no such news and the victims remain with encrypted files.

I repeat, there is no way to decrypt files yet. Any site that offers decryption for this variant may be a scam site. Be careful.


Most ransomware will automatically delete itself after it finishes encrypting files, but some now leave behind components on the computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt.

It's best practice to check and make sure that no such components have been left behind, so we recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (just attach the log files FRST saves to your message):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ 


In addition, the STOP-Djvu Ransomware does the following:
1) leaves behind a software module that steals personal information from browsers and other programs;
2) modifies the hosts file to prevent browsers from opening anti-virus companies' websites and forums (like this one) that help victims.

You need to clean or delete the hosts file.

For these targets:
1) after checking and cleaning the PC, when it is confirmed that there are no other malicious modules, you need to replace the passwords for all sites with more complex ones (at least 12-16 characters, including A-a, Z-z, 0-9, @ # $).
2) you need to reset or delete the modified hosts file; without it, all legitimate sites will be available to you.

The path to this file is: C:\Windows\System32\drivers\etc\

h.jpg.399261a04288db830d6a76357a448996.jpg
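The hosts-file step above (check what was added, then reset the file under C:\Windows\System32\drivers\etc\) can be done from an elevated PowerShell prompt. The script below is an added example for this thread, not a tool from Emsisoft or from any poster; it assumes the standard hosts path named above, treats every active mapping other than a plain localhost line as something to review, and when you choose to reset it writes a comment-only header modelled on the stock Windows file (the stock file has no active lines, since localhost is resolved by the resolver itself).

```powershell
# Added example, not from the thread: audit the Windows hosts file for injected
# entries, keep a backup, and optionally restore a comment-only default.
# Run from an elevated PowerShell prompt. Assumed path is the standard one
# named in the post above.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntries {
    param([string]$Path = $HostsPath)
    # Yield one object per active (non-comment, non-blank) address/name pair.
    foreach ($line in Get-Content -Path $Path) {
        $text = ($line -split '#', 2)[0].Trim()      # strip trailing comments
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }          # malformed line, ignore
        foreach ($name in ($parts | Select-Object -Skip 1)) {
            [pscustomobject]@{ Address = $parts[0]; HostName = $name; Line = $line }
        }
    }
}

function Find-SuspiciousHostsEntries {
    param([string]$Path = $HostsPath)
    # A stock Windows hosts file has no active lines at all, so any active
    # mapping other than a plain localhost entry is worth a look. Names pointed
    # at 127.0.0.1 or 0.0.0.0 are the blocking technique the post above describes.
    Get-HostsEntries -Path $Path | Where-Object {
        -not ($_.HostName -eq 'localhost' -and $_.Address -in @('127.0.0.1', '::1'))
    }
}

function Reset-HostsFile {
    param([string]$Path = $HostsPath)
    # Back up the current file with a timestamp, then write a comment-only
    # header modelled on the stock file (assumption: this machine needs no
    # custom entries; add any legitimate ones back afterwards).
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $Path -Destination "$Path.bak-$stamp" -Force
    (Get-Item -Path $Path).IsReadOnly = $false        # malware sometimes sets it
    $header = @(
        '# Hosts file reset after malware cleanup.'
        '# localhost name resolution is handled within DNS itself.'
        '#    127.0.0.1       localhost'
        '#    ::1             localhost'
    )
    Set-Content -Path $Path -Value $header -Encoding ASCII
    # Flush the resolver cache so browsers stop using the old mappings.
    Clear-DnsClientCache
}

# Usage: review first, reset only if unexpected names are listed.
$suspicious = Find-SuspiciousHostsEntries
if ($suspicious) {
    $suspicious | Format-Table Address, HostName -AutoSize
    # Reset-HostsFile      # uncomment once you have reviewed the list
} else {
    Write-Host "No active entries in $HostsPath."
}
```

Run it once to see the list, compare it against anything you or your own software legitimately put there, and only then call Reset-HostsFile. The timestamped backup keeps the evidence (the list of blocked names is useful to the helpers in a thread like this one), and flushing the DNS cache matters because the browser can otherwise keep the stale mapping until the next reboot.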

2 hours ago, Amigo-A said:

These are the results of a STOP-Djvu Ransomware attack. I have been tracking the malicious work of this program since December 2017.
Now there are a lot of victims on the forum from different variants of this Ransomware. In some cases, the files can be decrypted.

Extension .kvag - this is a new variant of STOP Ransomware. Until recently, it was possible to collect some information and add it to STOP-Decrypter. Now this does not help. We expect changes in the decryption method. But so far there is no such news and the victims remain with encrypted files.

I repeat, there is no way to decrypt files yet. Any site that offers decryption for this variant may be a scam site. Be careful.

Yeah, I understand that.
I searched a lot and didn't find any reasonable decryption method.

2 hours ago, Amigo-A said:

Most ransomware will automatically delete itself after it finishes encrypting files, but some now leave behind components on the computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt.

It's best practice to check and make sure that no such components have been left behind, so we recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (just attach the log files FRST saves to your message):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ 

Well, nothing happened after the first encryption,

and I'll try the FRST tool.

2 hours ago, Amigo-A said:

In addition, the STOP-Djvu Ransomware does the following:
1) leaves behind a software module that steals personal information from browsers and other programs;
2) modifies the hosts file to prevent browsers from opening anti-virus companies' websites and forums (like this one) that help victims.

You need to clean or delete the hosts file.

For these targets:
1) after checking and cleaning the PC, when it is confirmed that there are no other malicious modules, you need to replace the passwords for all sites with more complex ones (at least 12-16 characters, including A-a, Z-z, 0-9, @ # $).
2) you need to reset or delete the modified hosts file; without it, all legitimate sites will be available to you.

The path to this file is: C:\Windows\System32\drivers\etc\

h.jpg.399261a04288db830d6a76357a448996.jpg

If he wants the money he asked for,

and he would use my personal data,

is that when I don't contact him, or is it just for my safety to change my passwords and so on?

Yes, I said in the first post that

I cleaned the hosts file;

these are the links I found in it:

127.0.0.1 space1.adminpressure.space
127.0.0.1 trackpressure.website
127.0.0.1 htagzdownload.pw
127.0.0.1 360devtraking.website
127.0.0.1 room1.360dev.info
127.0.0.1 djapp.info
127.0.0.1 sharefolder.online
127.0.0.1 telechargini.com
127.0.0.1 fffffk.xyz
127.0.0.1 smarttrackk.xyz

is that what you mean?


OK, here are the FRST logs.

And is there something else I need to do with the hosts file,

or in general?

And can you tell me what will happen if I change my Windows after cleaning and so on?

 

modifies the hosts file to prevent browsers from opening anti-virus companies' websites and forums (like this one) that help victims.

That part didn't happen with me.

Is that something good?

Addition.txt FRST.txt


At first glance I don't see an active infection in the FRST logs. I do see pirated software in them, however, which I highly recommend removing ASAP. Pirated software (or even fake movie and/or music downloads) is the main source of STOP/Djvu infections.

22 minutes ago, GT500 said:

At first glance I don't see an active infection in the FRST logs. I do see pirated software in them, however, which I highly recommend removing ASAP. Pirated software (or even fake movie and/or music downloads) is the main source of STOP/Djvu infections.

OK, how do I do so?

22 hours ago, oOYaraOo said:

OK, how do I do so?

Uninstall the pirated software and then delete any cracks, keygens, or activation bypasses that you downloaded for them.

15 hours ago, KARAN BISSA said:

I got a virus on my PC of the .reco type and it encrypted all my data. Can you please help me out?

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you will be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
