jaffar

Ransomware .rote


Hello @jaffar

Quote

0187Asd374y5iuhld8vqlSswfRM10lCmckClRtShnwcsZaWzZnsPeYbt1

There are symbols t1 here, so in the future, a decryption key may be added to this Emsisoft decryptor.
You need to wait. When this will be realized, it is not known, maybe soon, maybe not soon. It is regularly updated.

10 hours ago, jaffar said:

Tnx I will wait, honestly I don't have too much option, maybe some day ...

My recommendation is to try the decrypter once every week or two to see if the key has been added to our database.


After seven months nothing new, I know ... there is a thousand cases ...

I read a little bit and if I understood we have Id inside the read.me public key. To decrypt files I need private key.

Am I right?

What can I do if I have private key?

tnx.

8 hours ago, jaffar said:

there is a thousand cases ...

For STOP/Djvu a thousand cases is an understatement. There are nearly that many new cases every day (roughly 700-800 daily submissions to ID Ransomware at least).

Not that the actual number of cases matters. Decrypting even one person's files is impossible without their private key.

 

8 hours ago, jaffar said:

I read a little bit and if I understood we have Id inside the read.me public key. To decrypt files I need private key.

There is an ID inside the readme files, and this ID identifies which private key should be used to decrypt your files.

Public keys are used to encrypt files, and normally you won't see these. Some people do manage to find these on their computers, however they are useless for decryption.

 

8 hours ago, jaffar said:

What can I do if I have private key?

Only the criminals have the private keys, unless you paid the ransom and they sent you a decrypter.


Tnx for answer,

That's all clear, but focus of my question was what can I do if I have a private key, can I send to you or what?

I know only the criminals have private key (probably aes) but someone posted private key for ID 8vqlSswfRM10lCmckClRtShnwcsZaWzZnsPeYbt1 (which is mine) of course I can't be sure if it works, maybe it will help to someone else ...
Sorry if bothering you, I'm just trying to participate.

9 hours ago, jaffar said:

That's all clear, but focus of my question was what can I do if I have a private key, can I send to you or what?

We can add private keys to our database.

 

9 hours ago, jaffar said:

I know only the criminals have private key (probably aes)

Newer variants of STOP/Djvu use RSA keys.

 

9 hours ago, jaffar said:

someone posted private key for ID 8vqlSswfRM10lCmckClRtShnwcsZaWzZnsPeYbt1 (which is mine) of course I can't be sure if it works, maybe it will help to someone else ...

Isn't that the offline ID for .zobm? We already have the private key for that offline ID. Is our decrypter not able to decrypt your files? If not, then what does it say when it fails to decrypt?


Actually someone posted for .msop, same Id as I have with .rote files.

There is decrypter log in attachment as you can see the ID is the same.

If you want I will send posted rsa key in private message or whatever you want.

Untitled.jpg

1 hour ago, jaffar said:

Actually someone posted for .msop, same Id as I have with .rote files.

There is decrypter log in attachment as you can see the ID is the same.

If you want I will send posted rsa key in private message or whatever you want.

Untitled.jpg

The offline ID for .msop is 

d8TwbCMGuw5Ei5PlymKj0pldFtsUYeGxci3YGlbt1 - .msop 

It is NOT the same as yours.

On 7/11/2020 at 10:30 AM, jaffar said:

Actually someone posted for .msop, same Id as I have with .rote files.

OK, we do not have the private key for .rote's offline ID.

I assume this is the key you're talking about?
https://pastebin.com/eF3vEZLc


@jaffar we never actually got a sample of the .rote variant of STOP/Djvu, so we don't have its offline ID on file. Could you attach a copy of the encrypted file to a reply that our decrypter says has an offline ID? The Word document you attached to your first post has an online ID (q6OxUk3VDgW4BqrccLHj9q406UixL5m64FmWEkRP) and thus isn't going to be decryptable.

On 7/14/2020 at 10:50 AM, GT500 said:

OK, we do not have the private key for .rote's offline ID.

I assume this is the key you're talking about?
https://pastebin.com/eF3vEZLc

This is it.

On 7/14/2020 at 4:45 PM, GT500 said:

@jaffar we never actually got a sample of the .rote variant of STOP/Djvu, so we don't have its offline ID on file. Could you attach a copy of the encrypted file to a reply that our decrypter says has an offline ID? The Word document you attached to your first post has an online ID (q6OxUk3VDgW4BqrccLHj9q406UixL5m64FmWEkRP) and thus isn't going to be decryptable.

Here are some crypted files, if you want more or different extensions, I can attach, I have millions of them :D I know it's not funny ...

The only one text file I received from the attacker was attached in the first post.

Thank you for your patience.

A-SD-HD.jpg.rote GPS.txt.rote


@jaffar

Thank you, I was able to confirm the key works for your files with that ID. I have added it to the server for the .rote extension. You may simply re-run the decryptor, and it should be able to decrypt some of your files now.

 


Nope, big, big ... thank you. 

I just try to participate. If I have contributed at least a little I have reason to be pleased ...

 

 
