oOYaraOo, posted September 19, 2019:

Hi everyone, I got hit from [email protected]. I downloaded an unknown setup two days ago, and yesterday all my files got encrypted to .kvag. There are now three questions worrying me.

I was saving the login data for every single site I registered on in OneNote files and Word files, along with my bank account and the password to my bank's internet service. What should I do about that? Are they going to check such files, and what should I do?

To reconfirm: is there any way to decrypt my files or recover some of them? Unfortunately I don't have any backup anywhere.

I couldn't get SpyHunter, so I cleaned with Malwarebytes, Norton, Hitman and GridinSoft. Is that enough, or do I still need to do more?

I attached the note they left and one encrypted file; I don't know if that would be useful in any way.

I cleaned the hosts file. These are the entries I found in it:
127.0.0.1 space1.adminpressure.space
127.0.0.1 trackpressure.website
127.0.0.1 htagzdownload.pw
127.0.0.1 360devtraking.website
127.0.0.1 room1.360dev.info
127.0.0.1 djapp.info
127.0.0.1 sharefolder.online
127.0.0.1 telechargini.com
127.0.0.1 fffffk.xyz
127.0.0.1 smarttrackk.xyz

Thank you, and waiting for your replies.

Attachments: Akachan-ningen 1.jpg.kvag, _readme.txt
Amigo-A, posted September 19, 2019:

This is the result of a STOP-Djvu Ransomware attack. I have been tracking the malicious work of this program since December 2017. There are now a lot of victims of different variants of this ransomware on the forum. In some cases the files can be decrypted. The extension .kvag is a new variant of STOP Ransomware. Until recently it was possible to collect some information and add it to STOP-Decrypter. Now this does not help. We expect changes in the decryption method, but so far there is no such news and the victims remain with encrypted files. I repeat: there is no way to decrypt files yet. Any site that offers decryption for this variant may be a scam site. Be careful.
Amigo-A, posted September 19, 2019:

Most ransomwares will automatically delete themselves after they finish encrypting files, but some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best practice to check and make sure that no such components have been left behind, so we recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (just attach the log files FRST saves to your message): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
Amigo-A, posted September 19, 2019:

In addition, the STOP-Djvu Ransomware does the following:
1) leaves behind a software module that steals personal information from browsers and other programs;
2) modifies the hosts file to prevent browsers from opening anti-virus companies' websites and forums (like this one) that help victims. You need to clean or delete the hosts file.

For these reasons:
1) after checking and cleaning the PC, when it is confirmed that there are no other malicious modules, you need to replace the passwords for all sites with more complex ones (at least 12-16 characters, including A-Z, a-z, 0-9, @ # $);
2) you need to reset or delete the modified hosts file; without it, all legitimate sites will be available to you. The path to this file is: C:\Windows\System32\drivers\etc\
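The hosts-file check described above, as an added example that is not part of the thread or of any Emsisoft tool: the script parses hosts-file text, keeps the stock loopback entries, and reports every other hostname that has been forced to a loopback or null address, which is the pattern left when malware sinkholes security sites. The sample hosts text is constructed here from the ten entries the original poster listed plus one legitimate pin; the cleaned output is returned as text so it can be reviewed before the real file (C:\Windows\System32\drivers\etc\hosts, which needs an elevated editor) is replaced.

```python
"""Audit a Windows hosts file for sinkhole entries added by malware.

Added example (not part of the original thread). Entries that map a
hostname to 127.0.0.1 / 0.0.0.0 / ::1 prevent the browser from reaching
that site; apart from the stock localhost lines, such entries are
exactly what a ransomware dropper leaves behind and what should be
removed before the file is reset.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Names that Windows legitimately maps to loopback; anything else pointed
# at a loopback or unspecified address is flagged for review.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: the ten sinkholed names come from the poster's hosts
# file; the fileserver.lan line is a deliberate, legitimate pin that must
# survive the cleanup.
SAMPLE_HOSTS = """# Constructed sample hosts file for this example
127.0.0.1 localhost
::1 localhost
192.168.1.10 fileserver.lan   # legitimate local pin, not a sinkhole
127.0.0.1 space1.adminpressure.space
127.0.0.1 trackpressure.website
127.0.0.1 htagzdownload.pw
127.0.0.1 360devtraking.website
127.0.0.1 room1.360dev.info
127.0.0.1 djapp.info
127.0.0.1 sharefolder.online
127.0.0.1 telechargini.com
127.0.0.1 fffffk.xyz
127.0.0.1 smarttrackk.xyz
"""


@dataclass(frozen=True)
class HostsEntry:
    lineno: int
    address: str
    names: tuple[str, ...]


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file text into entries, ignoring comments and blank lines."""
    entries: list[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])          # first token must be an IP address
        except ValueError:
            continue                                # tolerate junk lines, do not crash
        if len(parts) < 2:
            continue
        entries.append(HostsEntry(lineno, parts[0], tuple(n.lower() for n in parts[1:])))
    return entries


def is_sinkhole(address: str) -> bool:
    """True for loopback (127.x, ::1) and unspecified (0.0.0.0, ::) addresses."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def suspicious_entries(text: str) -> list[HostsEntry]:
    """Entries that sinkhole a name other than the stock localhost names."""
    flagged: list[HostsEntry] = []
    for entry in parse_hosts(text):
        if not is_sinkhole(entry.address):
            continue    # pins to real addresses are an admin choice; not flagged here
        if all(name in DEFAULT_LOOPBACK_NAMES for name in entry.names):
            continue    # stock localhost lines stay
        flagged.append(entry)
    return flagged


def cleaned_hosts(text: str) -> str:
    """Hosts text with the flagged lines removed; comments and legitimate pins stay."""
    bad_lines = {entry.lineno for entry in suspicious_entries(text)}
    kept = [line for i, line in enumerate(text.splitlines(), start=1) if i not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {entry.lineno}: {entry.address} -> {', '.join(entry.names)}")
    print("--- cleaned ---")
    print(cleaned_hosts(SAMPLE_HOSTS), end="")
```

To run it against the real file, read C:\Windows\System32\drivers\etc\hosts into `text`, review what `suspicious_entries` reports, and write `cleaned_hosts(text)` back from an elevated prompt; run `ipconfig /flushdns` afterwards so cached sinkhole answers are dropped.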
oOYaraOo (author), posted September 19, 2019:

Quote (Amigo-A, 2 hours ago): This is the result of a STOP-Djvu Ransomware attack. I have been tracking the malicious work of this program since December 2017. There are now a lot of victims of different variants of this ransomware on the forum. In some cases the files can be decrypted. The extension .kvag is a new variant of STOP Ransomware. Until recently it was possible to collect some information and add it to STOP-Decrypter. Now this does not help. We expect changes in the decryption method, but so far there is no such news and the victims remain with encrypted files. I repeat: there is no way to decrypt files yet. Any site that offers decryption for this variant may be a scam site. Be careful.

Yeah, I understand that. I searched a lot and didn't find any reasonable decryption method.
oOYaraOo (author), posted September 19, 2019:

Quote (Amigo-A, 2 hours ago): Most ransomwares will automatically delete themselves after they finish encrypting files, but some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best practice to check and make sure that no such components have been left behind, so we recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (just attach the log files FRST saves to your message): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Well, nothing happened after the first encryption, and I'll try with the FRST tool.
oOYaraOo (author), posted September 19, 2019:

Quote (Amigo-A, 2 hours ago): In addition, the STOP-Djvu Ransomware does the following: 1) leaves behind a software module that steals personal information from browsers and other programs; 2) modifies the hosts file to prevent browsers from opening anti-virus companies' websites and forums (like this one) that help victims. You need to clean or delete the hosts file. For these reasons: 1) after checking and cleaning the PC, when it is confirmed that there are no other malicious modules, you need to replace the passwords for all sites with more complex ones (at least 12-16 characters, including A-Z, a-z, 0-9, @ # $); 2) you need to reset or delete the modified hosts file; without it, all legitimate sites will be available to you. The path to this file is: C:\Windows\System32\drivers\etc\

If he wants the money he asked for, would he use my personal data only if I don't contact him, or is changing my passwords and so on just for my safety?

Yes, I said in the first post that I cleaned the hosts file. These are the entries I found in it:
127.0.0.1 space1.adminpressure.space
127.0.0.1 trackpressure.website
127.0.0.1 htagzdownload.pw
127.0.0.1 360devtraking.website
127.0.0.1 room1.360dev.info
127.0.0.1 djapp.info
127.0.0.1 sharefolder.online
127.0.0.1 telechargini.com
127.0.0.1 fffffk.xyz
127.0.0.1 smarttrackk.xyz

Is that what you mean?
Amigo-A, posted September 19, 2019:

Quote: is that what you mean?

Yes, and this also.
oOYaraOo (author), posted September 19, 2019:

OK, here are the FRST logs. Is there something else I need to do with the hosts file, or in general? And can you tell me what will happen if I change my Windows after cleaning and so on?

Quote (Amigo-A): modifies the hosts file to prevent browsers from opening anti-virus companies' websites and forums (like this one) that help victims.

That part didn't happen with me. Is that something good?

Attachments: Addition.txt, FRST.txt
GT500, posted September 20, 2019:

At first glance I don't see an active infection in the FRST logs. I do see pirated software in them, however, which I highly recommend removing ASAP. Pirated software (or even fake movie and/or music downloads) is the main source of STOP/Djvu infections.
oOYaraOo (author), posted September 20, 2019:

Quote (GT500, 22 minutes ago): At first glance I don't see an active infection in the FRST logs. I do see pirated software in them, however, which I highly recommend removing ASAP. Pirated software (or even fake movie and/or music downloads) is the main source of STOP/Djvu infections.

OK, how do I do so?
GT500, posted September 21, 2019:

Quote (oOYaraOo, 22 hours ago): OK, how do I do so?

Uninstall the pirated software and then delete any cracks, keygens, or activation bypasses that you downloaded for them.
KARAN BISSA, posted November 24, 2019:

Hi everyone, I got a virus on my PC of the type .reco and it encrypted all my data. Can you please help me out?
GT500, posted November 25, 2019:

Quote (KARAN BISSA, 15 hours ago): I got a virus on my PC of the type .reco and it encrypted all my data. Can you please help me out?

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you will be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
layonelangel, posted April 29, 2020:

Hello, I have been trying to decrypt a .besub for almost a year, but nothing works with its release code. Here I leave the ID:

Unable to decrypt Old Variant ID: hwvUDV5ZXiqJJD2Px0xK5UPUd6ORMIzyY7bace8P
Your personal ID: 110nGddSSsufhwvUDV5ZXiqJJD2Px0xK5UPUd6ORMIzyY7bace8P

I hope someday to recover this info or receive help, because I already lost an important job because of this T.T ...
GT500, posted April 30, 2020:

Quote (layonelangel, 19 hours ago): Unable to decrypt Old Variant ID: hwvUDV5ZXiqJJD2Px0xK5UPUd6ORMIzyY7bace8P

You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
layonelangel, posted May 4, 2020:

Quote (GT500, 4/29/2020 at 10:45 PM): You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Where can I upload the file via the submission form to help?
stapp, posted May 4, 2020:

Quote (layonelangel, 1 hour ago): Where can I upload the file via the submission form to help?

https://decrypter.emsisoft.com/submit/stopdjvu/
layonelangel, posted May 4, 2020:

Quote (stapp, 11 hours ago): https://decrypter.emsisoft.com/submit/stopdjvu/

Note that this will only allow the tool to decrypt files that match the following criteria:
• Start with bytes: 4944330400
• They were encrypted with ID: hwvUDV5ZXiqJJD2Px0xK5UPUd6ORMIzyY7bace8P

It is an advance, but it was only 1 file of many. How can I make ...? Greetings.
GT500, posted May 5, 2020:

Quote (layonelangel, 10 hours ago): Note that this will only allow the tool to decrypt files that match the following criteria: • Start with bytes: 4944330400 • They were encrypted with ID: hwvUDV5ZXiqJJD2Px0xK5UPUd6ORMIzyY7bace8P. It is an advance, but it was only 1 file of many. How can I make ...? Greetings.

There are certain limitations in regards to how file pairs work. There's more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
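The file-pair exchange above (one submitted pair only trains the decrypter for files that start with the same bytes, here 4944330400) suggests a practical check before submitting: which clean copies do I actually have, and how many distinct file headers do they cover? The script below is an added example, not from the thread or from Emsisoft's tools. It walks a folder of encrypted files, finds the clean copy for each by stripping the ransomware extension, drops pairs whose clean copy is below a size floor, and groups the usable pairs by their first five header bytes, so one pair per group can be submitted. The .besub extension, the 150 KB floor, the five-byte header length and the folder layout are assumptions of the example; the sample files are constructed (synthetic headers plus filler, random bytes standing in for the encrypted twins).

```python
"""Find candidate file pairs for a STOP/Djvu decrypter submission.

Added example, not part of the original thread and not Emsisoft's code.
A "file pair" is a clean copy of a file (recovered from a phone, a mail
attachment, cloud sync) together with its encrypted twin. The decrypter
note quoted in the thread limits decryption to files that start with the
same bytes as the submitted pair, so pairs are grouped by header here.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

MIN_PAIR_SIZE = 150 * 1024   # assumption of this example: smaller clean copies are skipped
HEADER_LEN = 5               # 4944330400 is five bytes: "ID3" plus two version bytes


def header_hex(path: Path, n: int = HEADER_LEN) -> str:
    """Hex of the first n bytes of a clean file, e.g. '4944330400' for an ID3v2.4 MP3."""
    with path.open("rb") as fh:
        return fh.read(n).hex()


def find_file_pairs(orig_dir, enc_dir, ransom_ext: str = ".besub",
                    min_size: int = MIN_PAIR_SIZE) -> list[dict]:
    """Usable (clean, encrypted) pairs, sorted by encrypted file name."""
    orig_dir, enc_dir = Path(orig_dir), Path(enc_dir)
    pairs: list[dict] = []
    for enc in sorted(enc_dir.glob(f"*{ransom_ext}")):
        clean = orig_dir / enc.name[: -len(ransom_ext)]   # song.mp3.besub -> song.mp3
        if not clean.is_file():
            continue                                        # no clean copy for this file
        size = clean.stat().st_size
        if size < min_size:
            continue                                        # below the size floor
        pairs.append({"clean": clean.name, "encrypted": enc.name,
                      "size": size, "header": header_hex(clean)})
    return pairs


def group_by_header(pairs: list[dict]) -> dict[str, list[str]]:
    """Clean files that share a header; one pair per group is enough to submit."""
    groups: dict[str, list[str]] = {}
    for pair in pairs:
        groups.setdefault(pair["header"], []).append(pair["clean"])
    return groups


def build_sample_tree(root) -> tuple[Path, Path]:
    """Constructed sample data: synthetic headers plus zero filler as the clean
    copies, random bytes as the 'encrypted' twins. No real ransomware output."""
    root = Path(root)
    clean_dir, enc_dir = root / "clean", root / "encrypted"
    clean_dir.mkdir()
    enc_dir.mkdir()
    filler = b"\x00" * (200 * 1024)
    samples = {
        "song.mp3": b"ID3\x04\x00" + filler,                   # header 4944330400
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + filler,  # header ffd8ffe000
        "note.txt": b"short file, under the size floor",       # skipped: too small
    }
    for name, data in samples.items():
        (clean_dir / name).write_bytes(data)
        (enc_dir / (name + ".besub")).write_bytes(os.urandom(len(data)))
    (enc_dir / "orphan.docx.besub").write_bytes(os.urandom(4096))  # skipped: no clean copy
    return clean_dir, enc_dir


def run_demo() -> tuple[list[dict], dict[str, list[str]]]:
    """Build the sample tree in a temp dir and return (pairs, header groups)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_dir, enc_dir = build_sample_tree(tmp)
        pairs = find_file_pairs(clean_dir, enc_dir)
        return pairs, group_by_header(pairs)


if __name__ == "__main__":
    pairs, groups = run_demo()
    for pair in pairs:
        print(f"{pair['clean']:<10} <-> {pair['encrypted']:<17} "
              f"header={pair['header']} size={pair['size']}")
    for header, names in groups.items():
        print(f"header {header}: submit one of {names}")
```

For real use, point `find_file_pairs` at the folder of encrypted files and a folder holding the recovered clean copies, and submit one pair from each header group; files whose header group has no clean copy at all are the ones the trained decrypter will still not touch.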