Encrypted by HETS ransomware

Posted by rustyDusty:

Using Win7 Home Premium.
On December 2, 2019 at 5:00 PM I attempted to download ImgBurn, looking for open source software to rip an old DVD home movie into an MP4. I had been using MagicISO to convert audio CD files into MP3s and this seemed a natural progression.

As soon as "I decline" was clicked on one of the installation options, the taskbar icon became a weird little 'pixel phone'. There was no download status, and all these strange HUDs appeared in Italian.

I killed those apps in the taskbar but it was too late. Almost every file in Documents, Downloads and Desktop now has a .hets extension and cannot be accessed. I have been hit with a HETS ransomware attack. Thankfully, the Public and shared folder files remained untouched.

I have spent all night and day using Vipre and Malwarebytes to combat the browser hijack popups and unauthorized installations. The PC seems stable now.

I'm to blame for having had no backup and no malware protection for over 10 days, but Shadow Explorer salvaged C: drive files from the 22nd and 30th of November. I can take losing a few days' work.

The biggest loss is the thumb drive files, which were not backed up.

Is there any way to retrieve them? I ran attrib -s -h /s /d *.* from a command prompt, but that changed nothing.

I also applied Rescueit to a few HETS txt files, but when opened they only displayed oriental characters, not English text. Pictures will not display.

What am I doing wrong (other than not backing up and installing dodgy software), and what can I do to retrieve these thumb drive files?

I talked to the folks at ParetoLogic Data Protection Pro, which every ransomware page insists will do the job. But they say: "No, unfortunately the reports online that we can be of assistance with these troubles are false and unaffiliated with ParetoLogic.

As well, we have seen no indication that data recovery programs will be of assistance in these matters, unfortunately. These claims are based on the original versions of the ransomware viruses, which created a copy of the files, encrypted the copy and deleted the original; deleting the original meant it was able to be recovered, depending on how the virus was removed.

Unfortunately, new iterations of these viruses do not seem to function in these ways."

So is this true? Is this the latest data retrieval Holy Grail? Can ransomed files be rescued? Has anyone ever done it, and how? Do you know someone who knows someone, or is this just another sad love song?

I do seem to have an offline ID that ends in t1.

Thanks for any input.

rustyDusty's follow-up post, 12/5/2019 at 5:59 PM, quoting the ransom note:

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-iLkPxViexl
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
0189jYs9d8TwbCMGuw5Ei5PlymKj0pldFtsUYeGxci3YGlbt1

The ID has a t1, so why won't the decrypter work?

 

16 hours ago, rustyDusty said:

Is there any way to retrieve them?

If shadow copies had not been entirely wiped out, then there's a slight possibility that file recovery software (Recuva from Piriform, for instance) may be able to recover some files; however, most ransomware either overwrites old files when encrypting the data or securely erases them to guarantee such recovery is impossible.

 

16 hours ago, rustyDusty said:

So is this true? Is this the latest data retrieval Holy Grail? Can ransomed files be rescued? Has anyone ever done it, and how? Do you know someone who knows someone, or is this just another sad love song?

In the vast majority of cases file recovery isn't possible without decryption. It really just depends on whether or not the criminals who made the ransomware considered data recovery methods and how to prevent them, and whether or not there were any bugs in the ransomware that caused it to fail to properly overwrite or erase files.

STOP/Djvu has been around for roughly one year, and the criminals behind it have had enough time to work out the issues that allowed for easy recovery. They've even changed the type of encryption used, to make it impossible to decrypt the files without the private key.

 

16 hours ago, rustyDusty said:

I do seem to have an offline ID that ends in t1.

If your files do have an offline ID, then that's the strongest possibility you have for decryption. My recommendation is to back up your encrypted files, and then try the decrypter once every week or two just to see if we've had a chance to add the offline key for this variant of STOP/Djvu.

On 12/5/2019 at 5:59 PM, rustyDusty said:

Your personal ID:
0189jYs9d8TwbCMGuw5Ei5PlymKj0pldFtsUYeGxci3YGlbt1

The ID has a t1, so why won't the decrypter work?

List of variants of STOP ransomware for which offline keys have been received (as of today):

0156: .gero
0157: .hese
0159: .seto
0160: .peta
0161: .moka
0162: .meds
0163: .kvag
0164: .domn
0165: .karl
0166: .nesa
0168: .noos
0169: .kuub
0170: .reco
0171: .bora
0173: .nols
0174: .werd
0175: .coot
0176: .derp
0178: .meka
0179: .toec
0180: .mosk
0181: .lokf
0182: .peet
0183: .grod
0184: .mbed
0185: .kodg
0186: .zobm
0188: .msop
0189: .hets

Edited by Amigo-A
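The two things this thread keys on, the variant number at the front of the personal ID and the "t1" ending that the posters treat as the offline marker, can be turned into a small triage script. The Python below is an added example written for this page; it is not Emsisoft's decrypter and not code anyone posted in the thread. It assumes, as the thread does, that the first four digits of the ID are the variant number (0189 for .hets) and that an ID ending in "t1" is an offline ID; the variant table is a snapshot of Amigo-A's list above and will fall behind as more offline keys are added. The sample note and the IDs it classifies are the ones quoted in this thread, including an ID of the shape the decrypter's own error message reports (no numeric prefix).

```python
import re

# Snapshot of the variant numbers for which offline keys were reported in this
# thread (Amigo-A's list). The real key set grows over time; treat the decrypter,
# not this table, as the source of truth.
OFFLINE_KEY_VARIANTS = {
    "0156": ".gero", "0157": ".hese", "0159": ".seto", "0160": ".peta",
    "0161": ".moka", "0162": ".meds", "0163": ".kvag", "0164": ".domn",
    "0165": ".karl", "0166": ".nesa", "0168": ".noos", "0169": ".kuub",
    "0170": ".reco", "0171": ".bora", "0173": ".nols", "0174": ".werd",
    "0175": ".coot", "0176": ".derp", "0178": ".meka", "0179": ".toec",
    "0180": ".mosk", "0181": ".lokf", "0182": ".peet", "0183": ".grod",
    "0184": ".mbed", "0185": ".kodg", "0186": ".zobm", "0188": ".msop",
    "0189": ".hets",
}

# The note ends with "Your personal ID:" and the ID on the following line.
ID_RE = re.compile(r"Your personal ID:\s*([A-Za-z0-9]+)")

# Assumption taken from this thread: a trailing "t1" marks an offline ID.
OFFLINE_SUFFIX = "t1"


def extract_id(note_text):
    """Return the personal ID from a STOP/Djvu ransom note, or None if absent."""
    match = ID_RE.search(note_text)
    return match.group(1) if match else None


def classify(personal_id):
    """Classify a personal ID the way this thread does.

    The first four characters, when all digits, are taken as the variant number.
    IDs copied from the decrypter's error message lack that prefix, so the
    variant is then reported as None.
    """
    prefix = personal_id[:4]
    variant = prefix if prefix.isdigit() else None
    extension = OFFLINE_KEY_VARIANTS.get(variant)
    offline = personal_id.endswith(OFFLINE_SUFFIX)
    return {
        "id": personal_id,
        "variant": variant,
        "extension": extension,
        "offline": offline,
        # Only an offline ID of a variant with a known offline key is worth
        # re-trying the decrypter on; online IDs need the criminals' private key.
        "decrypt_candidate": offline and extension is not None,
    }


def triage_note(note_text):
    """Extract and classify the ID from a note; None when no ID is found."""
    personal_id = extract_id(note_text)
    return classify(personal_id) if personal_id else None


# Constructed sample: the tail of the note quoted in this thread.
SAMPLE_NOTE = """Your personal ID:
0189jYs9d8TwbCMGuw5Ei5PlymKj0pldFtsUYeGxci3YGlbt1
"""

if __name__ == "__main__":
    print(triage_note(SAMPLE_NOTE))
    for pid in (
        "0189jYs9doKHDYc1OHBXQFVnjGfk6rj1Zi8BGOtrxprKfz4Xk",    # online, .hets
        "0184Asd374y5AaEmZMkdn5e3TujvxMhixZEAMpwx3fZ3ppi4mfdi",  # online, .mbed
        "otKNFPuMhxyl5bKZDC6vSdudxf5iGFCURCbSUPRq",              # from a decrypter error
    ):
        print(classify(pid))
```

A "decrypt_candidate" of True only means the decrypter is worth re-running after it has been updated, as the reply above suggests; it is not a promise that the offline key for that variant is already in the tool. Anything flagged as online is out of reach without the private key, whatever the variant.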

Amigo-A, in a following post:

You need to try downloading the new version of the Emsisoft decryptor.

But first, delete the previous one.


It is important to always use the latest version of anti-virus protection of the Internet Security class or higher.

Very often, users find a re-patched version somewhere, in which hackers have made changes that will be critical at the time of an attack.

Unfortunately, this is very common when users do not want to or cannot buy an antivirus product from the official website.


Help me: ransomware Hets

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-iLkPxViexl
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
0189jYs9doKHDYc1OHBXQFVnjGfk6rj1Zi8BGOtrxprKfz4Xk

11 hours ago, Amigo-A said:

You need to try downloading the new version of the Emsisoft decryptor.

But first, delete the previous one.

That shouldn't be necessary. They can just run the version of the decrypter they had already downloaded (it hasn't been updated for roughly a month).

4 hours ago, GT500 said:

That shouldn't be necessary.

:)

This is only necessary so that the user does not get identically named copies of the decryptor mixed up.

On 12/6/2019 at 10:57 AM, Amigo-A said:

List of variants of STOP ransomware for which offline keys have been received (as of today):

0156: .gero
0157: .hese
0159: .seto
0160: .peta
0161: .moka
0162: .meds
0163: .kvag
0164: .domn
0165: .karl
0166: .nesa
0168: .noos
0169: .kuub
0170: .reco
0171: .bora
0173: .nols
0174: .werd
0175: .coot
0176: .derp
0178: .meka
0179: .toec
0180: .mosk
0181: .lokf
0182: .peet
0183: .grod
0184: .mbed
0185: .kodg
0186: .zobm
0188: .msop
0189: .hets

 

Good afternoon! My ID appears above. Can I decrypt my files?

Your personal ID:
0184Asd374y5AaEmZMkdn5e3TujvxMhixZEAMpwx3fZ3ppi4mfdi

On 12/7/2019 at 3:29 AM, T20 said:

I have used version 1.0.0.1 but I still can't delete the hets virus

There is no "virus" on your computer preventing you from accessing your files; rather, your files are encrypted. If you ran a scan with anti-virus software, then it more than likely removed the infection, and the decrypter disables it so that it won't run anymore. Removing the infection is important for preventing newer files from being encrypted; however, it will not allow you to access your old files. They need to be decrypted.

The reason the decrypter isn't working for you is due to the fact that your files have an online ID, and thus the decrypter will not have a private key for them. In short, your files can't be decrypted unless the criminals give us your private key (which isn't going to happen). There's more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

 

9 hours ago, MatiasB said:

Good afternoon! My id appears above. Can I decrypt my files?

Your personal ID:
0184Asd374y5AaEmZMkdn5e3TujvxMhixZEAMpwx3fZ3ppi4mfdi

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

 

6 hours ago, DGCR said:

Hello, I have the same problem with my .derp files. It says: "Error: Unable to decrypt file with ID: otKNFPuMhxyl5bKZDC6vSdudxf5iGFCURCbSUPRq"

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
