rustyDusty, posted December 5, 2019

Using Win7 Home Premium. On December 2, 2019, 5:00 PM, attempted to download ImgBurn, looking for open source software to rip an old DVD home movie into an mp4. Had been using MagicISO to convert audio CD files into mp3s and this seemed a natural progression. As soon as "I decline" on one of the installation options was clicked, the taskbar icon became a weird little 'pixel phone'. No download status, and all these strange HUDs appeared in Italian. Killed those apps in the taskbar but that was too late.

Almost every file in documents, downloads and desktop has a .hets extension now. Cannot be accessed. I am hit with a HETS ransomware attack. Thankfully, the public and shared folder files remained untouched.

Have spent all night and day seeking to use Vipre and Malwarebytes to combat the browser hijack pop-ups and unauthorized installations. The PC seems stable now. I'm to blame for no backup and malware protection for over 10 days, but Shadow Explorer salvaged C: drive files from the 22nd and 30th November. I can take losing a few days' work.

The biggest loss is the thumbdrive files, which were not backed up. Is there any way to retrieve them? Performed a command prompt attrib -s -h /s /d *.* but that changed nothing. I also applied Rescueit to a few HETS txt files, but when opened they only displayed oriental characters, not English text. Pictures will not display. What am I doing wrong (other than not backing up and installing dodgy software) and what can I do to retrieve these thumbdrive files?

Talked to the folks at ParetoLogic Data Protection Pro, which every ransomware page insists will do the job. But they say:

"No, unfortunately reports online we can be of assistance with these troubles are False and Unaffiliated with ParetoLogic. As well, we have seen no indication that Data Recovery programs will be of assistance in these matters unfortunately. These claims are based on the original versions on the Ransomware viruses created a copy of the files, encrypted the copy and deleted the original; deleting the original means it was able to be recovered depending on how the virus was removed. Unfortunately, new iterations of these viruses do not seem to function in these ways."

So is this true? Is this the latest data retrieval Holy Grail? Can ransomed files be rescued? Has anyone ever done it and how? Do you know someone who knows someone or is this just another sad love song?

I do seem to have an offline ID that ends in t1. Thanks for any input.

rustyDusty, posted December 5, 2019

> ATTENTION!
> Don't worry, you can return all your files!
> All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
> The only method of recovering files is to purchase decrypt tool and unique key for you.
> This software will decrypt all your encrypted files.
> What guarantees you have?
> You can send one of your encrypted file from your PC and we decrypt it for free.
> But we can decrypt only 1 file for free. File must not contain valuable information.
> You can get and look video overview decrypt tool:
> https://we.tl/t-iLkPxViexl
> Price of private key and decrypt software is $980.
> Discount 50% available if you contact us first 72 hours, that's price for you is $490.
> Please note that you'll never restore your data without payment.
> Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
> To get this software you need write on our e-mail: [email protected]
> Reserve e-mail address to contact us: [email protected]
> Your personal ID: 0189jYs9d8TwbCMGuw5Ei5PlymKj0pldFtsUYeGxci3YGlbt1

The ID has a t1 so why won't the encryptor work?

GT500, posted December 6, 2019

16 hours ago, rustyDusty said:
> Is there any way to retrieve them?

If shadow copies had not been entirely wiped out, then there's a slight possibility that file recovery software (Recuva from Piriform, for instance) may be able to recover some files; however, most ransomware either overwrites old files when encrypting the data or securely erases them to guarantee such recovery is impossible.

16 hours ago, rustyDusty said:
> So is this true? Is this the latest data retrieval Holy Grail? Can ransomed files be rescued? Has anyone ever done it and how? Do you know someone who knows someone or is this just another sad love song?

In the vast majority of cases file recovery isn't possible without decryption. It really just depends on whether or not the criminals who made the ransomware considered data recovery methods and how to prevent them, and whether or not there were any bugs in the ransomware that caused it to fail to properly overwrite or erase files. STOP/Djvu has been around for roughly one year, and the criminals behind it have had enough time to work out issues that allow for easy recovery. They've even changed the type of encryption used to make it impossible to decrypt the files without the private key.

16 hours ago, rustyDusty said:
> I do seem to have an offline ID that ends in t1.

If your files do have an offline ID, then that's the strongest possibility you have for decryption. My recommendation is to back up your encrypted files, and then try the decrypter once every week or two just to see if we've had a chance to add the offline key for this variant of STOP/Djvu.

Amigo-A, posted December 6, 2019 (edited December 6, 2019 by Amigo-A)

On 12/5/2019 at 5:59 PM, rustyDusty said:
> Your personal ID: 0189jYs9d8TwbCMGuw5Ei5PlymKj0pldFtsUYeGxci3YGlbt1
> The ID has a t1 so why won't the encryptor work?

List of variants of STOP Ransomware, for which offline keys were received (to today)

0156: .gero
0157: .hese
0159: .seto
0160: .peta
0161: .moka
162: .meds
0163: .kvag
0164: .domn
0165: .karl
0166: .nesa
0168: .noos
0169: .kuub
0170: .reco
0171: .bora
0173: .nols
0174: .werd
0175: .coot
0176: .derp
0178: .meka
0179: .toec
0180: .mosk
0181: .lokf
0182: .peet
0183: .grod
0184: .mbed
0185: .kodg
0186: .zobm
0188: .msop
0189: .hets

Amigo-A, posted December 6, 2019

You need to try downloading the new version of the Emsisoft decryptor. But first, delete the previous one.

Amigo-A, posted December 6, 2019

It is important to always use the latest version of anti-virus protection of Internet Security class or higher. Very often, users find a re-patched version somewhere, where hackers made changes that will be critical at the time of the attack. Unfortunately, this is very common when users do not want or cannot buy an antivirus product on the official website.

T20, posted December 7, 2019

Help me ransomware Hets

> ATTENTION!
> Don't worry, you can return all your files!
> All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
> The only method of recovering files is to purchase decrypt tool and unique key for you.
> This software will decrypt all your encrypted files.
> What guarantees you have?
> You can send one of your encrypted file from your PC and we decrypt it for free.
> But we can decrypt only 1 file for free. File must not contain valuable information.
> You can get and look video overview decrypt tool:
> https://we.tl/t-iLkPxViexl
> Price of private key and decrypt software is $980.
> Discount 50% available if you contact us first 72 hours, that's price for you is $490.
> Please note that you'll never restore your data without payment.
> Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
> To get this software you need write on our e-mail: [email protected]
> Reserve e-mail address to contact us: [email protected]
> Your personal ID: 0189jYs9doKHDYc1OHBXQFVnjGfk6rj1Zi8BGOtrxprKfz4Xk

GT500, posted December 7, 2019

11 hours ago, Amigo-A said:
> You need to try downloading the new version of the Emsisoft decryptor. But first, delete the previous one.

That shouldn't be necessary. They can just run the version of the decrypter they had already downloaded (it hasn't been updated for roughly a month).

T20, posted December 7, 2019

New version of the Emsisoft decryptor 1.0.0.1, but error

Error: Unable to decrypt file with ID: oKHDYc1OHBXQFVnjGfk6rj1Zi8BGOtrxprKfz4Xk

Amigo-A, posted December 7, 2019

4 hours ago, GT500 said:
> That shouldn't be necessary.

This is only necessary so that the user is not mistaken with the same files of decryptor.

T20, posted December 7, 2019

I have used version .1.0.0.1 but I still can't delete the hets virus

MatiasB, posted December 9, 2019

On 12/6/2019 at 10:57 AM, Amigo-A said:
> List of variants of STOP Ransomware, for which offline keys were received (to today)
> 0156: .gero
> 0157: .hese
> 0159: .seto
> 0160: .peta
> 0161: .moka
> 162: .meds
> 0163: .kvag
> 0164: .domn
> 0165: .karl
> 0166: .nesa
> 0168: .noos
> 0169: .kuub
> 0170: .reco
> 0171: .bora
> 0173: .nols
> 0174: .werd
> 0175: .coot
> 0176: .derp
> 0178: .meka
> 0179: .toec
> 0180: .mosk
> 0181: .lokf
> 0182: .peet
> 0183: .grod
> 0184: .mbed
> 0185: .kodg
> 0186: .zobm
> 0188: .msop
> 0189: .hets

Good afternoon! My id appears above. Can I decrypt my files?

Your personal ID: 0184Asd374y5AaEmZMkdn5e3TujvxMhixZEAMpwx3fZ3ppi4mfdi

Amigo-A, posted December 9, 2019

To know this, you need to try https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

DGCR, posted December 9, 2019

3 hours ago, Amigo-A said:
> To know this, you need to try https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

Hello, I have the same problem with my .derp files. It says: "Error: Unable to decrypt file with ID: otKNFPuMhxyl5bKZDC6vSdudxf5iGFCURCbSUPRq"

GT500, posted December 10, 2019

On 12/7/2019 at 3:29 AM, T20 said:
> I have used version .1.0.0.1 but I still can't delete the hets virus

There is no "virus" on your computer preventing you from accessing your files, but rather your files are encrypted. If you ran a scan with an Anti-Virus software, then it more than likely removed the infection, and the decrypter disables it so that it won't run anymore. Removing the infection is important for preventing newer files from being encrypted, however it will not allow you to access your old files. They need to be decrypted.

The reason the decrypter isn't working for you is due to the fact that your files have an online ID, and thus the decrypter will not have a private key for them. In short, your files can't be decrypted unless the criminals give us your private key (which isn't going to happen). There's more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

9 hours ago, MatiasB said:
> Good afternoon! My id appears above. Can I decrypt my files?
> Your personal ID: 0184Asd374y5AaEmZMkdn5e3TujvxMhixZEAMpwx3fZ3ppi4mfdi

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

6 hours ago, DGCR said:
> Hello, I have the same problem with my .derp files. It says: "Error: Unable to decrypt file with ID: otKNFPuMhxyl5bKZDC6vSdudxf5iGFCURCbSUPRq"

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

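The ID triage done by hand in the replies above, as an added example that is not part of the original thread and is not Emsisoft's code: it pulls the personal ID out of ransom-note text, splits off the four-digit variant number used in Amigo-A's list, and applies the thread's rule of thumb that offline IDs end in t1. The function names and the 40-character file-ID length are assumptions, the latter inferred from the decrypter errors quoted in this thread.

```python
import re

# Excerpt of the variant-number -> extension list posted earlier in the thread.
VARIANTS = {"0176": ".derp", "0184": ".mbed", "0189": ".hets"}
# Assumption: the ID the decrypter reports is the last 40 characters of the
# personal ID, as in the decrypter error T20 quotes in this thread.
FILE_ID_LEN = 40
ID_LINE = re.compile(r"Your personal ID:\s*([0-9A-Za-z]+)")


def kind_of(file_id: str) -> str:
    """Rule of thumb from the thread: offline IDs end in 't1'."""
    return "offline" if file_id.endswith("t1") else "online"


def triage(personal_id: str) -> dict:
    """Split a personal ID from a ransom note into its parts and classify it."""
    pid = personal_id.strip()
    if len(pid) < 4 + FILE_ID_LEN or not pid[:4].isdigit() or not pid.isalnum():
        raise ValueError(f"unexpected personal ID format: {pid!r}")
    file_id = pid[-FILE_ID_LEN:]
    return {
        "variant": pid[:4],
        "extension": VARIANTS.get(pid[:4], "not in excerpt"),
        "file_id": file_id,
        "kind": kind_of(file_id),
    }


def triage_note(note_text: str) -> dict:
    """Find the 'Your personal ID:' line in ransom-note text and triage it."""
    match = ID_LINE.search(note_text)
    if match is None:
        raise ValueError("no 'Your personal ID:' line found")
    return triage(match.group(1))


if __name__ == "__main__":
    # Personal IDs as quoted by posters in this thread.
    samples = [
        "Your personal ID: 0189jYs9d8TwbCMGuw5Ei5PlymKj0pldFtsUYeGxci3YGlbt1",
        "Your personal ID: 0189jYs9doKHDYc1OHBXQFVnjGfk6rj1Zi8BGOtrxprKfz4Xk",
        "Your personal ID: 0184Asd374y5AaEmZMkdn5e3TujvxMhixZEAMpwx3fZ3ppi4mfdi",
    ]
    for note in samples:
        r = triage_note(note)
        print(r["variant"], r["extension"], r["kind"], r["file_id"])
```

An "offline" result only means decryption becomes possible once the offline key for that variant has been added to the decrypter; an "online" result means no key is available to it.
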
Shahzad Malik, posted June 3, 2020

QMtPDQy2MofNHYdngfPj5cofBy3QMdRHTatXqxBy

GT500, posted June 4, 2020

23 hours ago, Shahzad Malik said:
> QMtPDQy2MofNHYdngfPj5cofBy3QMdRHTatXqxBy

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/