Hi team,

My PC was recently infected by ransomware, and it encrypted all my files to the .coot format. I heard it is fairly new and has been protected with a very strong RSA algorithm and cannot be decrypted.

I formatted my primary SSD, on which Windows (10) was installed. I did a full scan with Malwarebytes and I think I got rid of the ransomware, but I still need my data back.

I have two questions:

1) If possible, how long will it take for a decrypter to be made for it and will Emsisoft make one?

2) Can the encrypted files be recovered by Data Recovery firms that recover hard drives (like Stellar)?

Thank you.

Files-encrypted-with-.Coot-extension.jpg

.coot extension

This is one of the new variants of STOP Ransomware. In order to decrypt, the offline keys first need to be added to the decryptor. Files encrypted with online keys (when the PC was connected to the Internet) will not be decrypted.

Try this tool; if the files are encrypted with an offline key, then there is a chance to decrypt some files.
https://www.emsisoft.com/ransomware-decryption-tools/free-download
https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

-------------------------------------------------------------------

Most likely, at the moment there is no way to decrypt your files, but you can try.

We do not know when there will be good results. The search for keys for decryption continues.

Save encrypted files and stay tuned for news of the Decryptor.

On 10/28/2019 at 9:48 AM, Shaik Muhammad Yahiya said:

Hi team,

My PC was recently infected by ransomware, and it encrypted all my files to the .coot format. I heard it is fairly new and has been protected with a very strong RSA algorithm and cannot be decrypted.

I formatted my primary SSD, on which Windows (10) was installed. I did a full scan with Malwarebytes and I think I got rid of the ransomware, but I still need my data back.

I have two questions:

1) If possible, how long will it take for a decrypter to be made for it and will Emsisoft make one?

2) Can the encrypted files be recovered by Data Recovery firms that recover hard drives (like Stellar)?

Thank you.

Files-encrypted-with-.Coot-extension.jpg

The same happened to me a couple of days ago. All my data (500GB and even more) got encrypted with that .coot extension (everything! Literally).

I tried the recovery method you mentioned in question 2, with Stellar, but not much to show. The recovery tool finds some data (after several hours) but cannot read it. Next to the file (the one that has been found by the recovery tool) there are one or several other identical files with the .coot extension.

I just finished backing up my encrypted data on an external drive (that very drive's data has been encrypted as well, since it was connected to the PC when the ransomware infected it).

All in all, it did not work for me.

Hope there’s going to be a solution very soon 


Right now there's nothing that can be done for this variant of STOP/Djvu if you have an online ID. Offline IDs may be a different matter; however, I don't know for certain if we've been able to add a decryption key for offline IDs for .coot yet.

There's more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


Now the situation is different with the new STOP Ransomware variants:
.gero, .hese, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .noos, .kuub, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec

Most files will never be decrypted. It will take millions of years to advance one step in decryption, but even this does not lead to decryption of files.

To prevent this from happening, you need to better protect your PC and not use any pirated and hacked software. 

Of course, licensed use is an expensive pleasure, but there are many legitimate analogues of those paid programs that are commonly used around the world.


Hey, my files were also affected by that ransomware; every file has an extra .coot extension added. I was searching for a solution but did not find anything. I just want to ask: how do I know if the key is online or offline?

10 hours ago, Ubaid said:

I just want to ask: how do I know if the key is online or offline?

Offline keys almost always end in t1 with the only exceptions being a few early variants from roughly a year ago.

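The answer above gives the rule of thumb for telling an offline ID from an online one (offline IDs almost always end in t1). The script below is an added triage example, not code from this forum or from Emsisoft: it pulls the personal ID out of each ransom note found under a directory, applies that t1 heuristic, counts the .coot files, and flags a machine that was hit under more than one ID (a mix of offline and online files). The note name _readme.txt, the "Your personal ID:" label and the sample notes are all assumptions constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample notes (not real captures). The "Your personal ID:" label
# and the _readme.txt note name are assumptions about the note layout.
OFFLINE_NOTE = "ATTENTION!\n...\nYour personal ID:\n0173kDfrTGhYzxxxxxxxxxxxxxxxxxxxxxxxxxxxxxt1\n"
ONLINE_NOTE = "ATTENTION!\n...\nYour personal ID:\n0173kDfrTGhYzyyyyyyyyyyyyyyyyyyyyyyyyyyyyyLF\n"

ID_RE = re.compile(r"Your personal ID:\s*([A-Za-z0-9]+)")


def extract_personal_id(note_text):
    """Return the personal ID from a ransom note, or None if no ID line is present."""
    m = ID_RE.search(note_text)
    return m.group(1) if m else None


def classify_id(personal_id):
    """Forum heuristic: an ID ending in 't1' is an offline key, anything else is online."""
    if not personal_id:
        return "unknown"
    return "offline" if personal_id.endswith("t1") else "online"


def summarize(file_names, note_texts, ext=".coot"):
    """Pure triage over a file listing and the text of every ransom note found."""
    encrypted = [f for f in file_names if f.lower().endswith(ext)]
    ids = sorted({i for i in (extract_personal_id(t) for t in note_texts) if i})
    verdicts = {i: classify_id(i) for i in ids}
    return {
        "encrypted_count": len(encrypted),
        "ids": verdicts,
        # Only files written under an offline ID have a chance with the decrypter.
        "decrypter_may_help": any(v == "offline" for v in verdicts.values()),
        # Several runs of the malware can leave both kinds of ID on one machine.
        "mixed_ids": len(set(verdicts.values())) > 1,
    }


def triage_directory(root, note_name="_readme.txt"):
    """Walk a directory tree (e.g. a mounted backup of the encrypted drive)."""
    root = Path(root)
    names = [str(p) for p in root.rglob("*") if p.is_file()]
    notes = [p.read_text(errors="ignore") for p in root.rglob(note_name)]
    return summarize(names, notes)


if __name__ == "__main__":
    import sys
    print(triage_directory(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against a copy of the affected volume, never the original: the summary tells you whether waiting for offline keys in the decrypter is worthwhile before spending hours on file carving.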
6 hours ago, GT500 said:

Offline keys almost always end in t1 with the only exceptions being a few early variants from roughly a year ago.

Unfortunately, my key ends with LF. In future, would it still be possible to decrypt files with an online key?

16 minutes ago, Ubaid said:

it still be possible to decrypt files with an online key?

It is impossible to calculate the online key, because, with all our common desire, the best supercomputer will not do this in our lifetime.


Anyone wishing to pay a ransom should also consider purchasing modern anti-virus protection.

Free antivirus will not help. Do not be fooled.


I read somewhere that we can hope for recovery software to recover deleted data, since the virus deletes the original data after encrypting it. Is it possible?

1 hour ago, Ubaid said:

Is it possible?

It depends on the algorithm of actions used by the malware.
Data recovery programs can read information from sectors on the hard disk and restore the deleted file even if the recycle bin has been emptied. Yes, it is possible, but only immediately after deleting the file and emptying the recycle bin.
They will not be able to recover information if the sector where the deleted file was stored was later entirely overwritten, or the remaining information was overwritten with zeros or garbage.
They will not be able to recover information if the deleted file was first modified or damaged, and then deleted. In this case, the program will restore the latest (modified or deleted) version of the file.
They will not be able to recover information if the deleted original file was moved to a temporary directory, and then this place was overwritten many times by other temporary files. In this case, the program will restore only some of the latest parts of the file, or several small files.

16 hours ago, Ubaid said:

Unfortunately, my key ends with LF. In future, would it still be possible to decrypt files with an online key?

Only if law enforcement is able to catch the criminals behind this ransomware and release their database of private keys.

 

15 hours ago, Amigo-A said:

Anyone wishing to pay a ransom should also consider purchasing modern anti-virus protection.

Free antivirus will not help. Do not be fooled.

Most Anti-Virus will detect STOP/Djvu, and should prevent this particular ransomware. The Behavior Blocker in Emsisoft Anti-Malware is fairly good at detecting most ransomware, even if they aren't detected by the Anti-Virus signatures.

 

11 hours ago, Ubaid said:

I read somewhere that we can hope for recovery software to recover deleted data, since the virus deletes the original data after encrypting it. Is it possible?

Most ransomware these days will ensure file recovery is not possible.
