Help, my files are encrypted!

[elhakim 0]

Please help me, my computer is infected with a ransomware virus with the extension .NOSU File.
I still have the ID and the Readme / ransom. I tried the existing Djvu Decryptor variant, but it didn't work.

[Kevin Zoll 307]

Hello @elhakim,

 

Welcome to the Emsisoft Support Forums.

 

What is the Personal ID in the Readme ransom note.

 

Some variants of STOP are known to install malware to ensure that newly added files are encrypted.

 

Let's make sure that there is not an active malware infection present, and if there is we can remove it.

 

Download to your Desktop:

• Farbar Recovery Scan Tool

 

NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

 

• Run Farbar Recovery Scan Tool (FRST):
  • Double-click to run it. When the tool opens click Yes to the disclaimer.

 

NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones ran with FRST's default settings.

 

• • Press the Scan button.
  • Farbar Recovery Scan Tool will produce the following logs:
    • FRST.txt
    • Addition.txt

[elhakim 0]

I've tried it

[elhakim 0]

what should I do next?

[elhakim 0]

Here are the results of the scan

Addition_23-01-2020 20.26.32.txt FRST_23-01-2020 20.26.32.txt

[elhakim 0]

This is his personal ID and Readme ransom note

_readme.txt PersonalID.txt

[Amigo-A 83]

Wait for Kevin's answer with instructions.

----------------------

Quote

Your personal ID:
0197nTsddv06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1

t1 - a good sign, offline ID, you can try to decrypt the files, BUT ONLY after the malware has been removed and the PC preparation in safe use.

If the malware still active, it can cause repeated encryption, during which the Online key will be used.

[elhakim 0]

Yes, I'll wait for it. I have tried several decrypt variants, but it didn't work

[Amigo-A 83]

It is not possible to pick up decryption keys before the new variant of encryptor appears. 

The version with the .nosu extension is the latest variant of STOP Ransomware and Emsisoft Decryptor does not support it yet.

This can be implemented later, when decryption keys are received. This operation cannot be accelerated, you just have to wait a while.

 

[elhakim 0]

OK I will wait for updates and variants that can support it, thank you for replying, and I really need help

[Kevin Zoll 307]

@elhakim I can see from the FRST reports that you tried to fix this yourself.  Though a fairly typical and understandable reaction, it is the wrong thing to do.  First, you run the very real chance of rendering your system inoperable, and second there are ransomware variants that if removed, will make it impossible to decrypt the files.

 

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

 

Startup: C:\Users\muham\AppData\Roaming\Microsoft\Credentials\2428593\muham.lnk [2020-01-21]
ShortcutTarget: muham.lnk -> C:\Program Files (x86)\Seed Trade\Seed\seed.exe (No File)
S3 VSScanner; system32\DRIVERS\vsscanner.sys [X]

 

Close Notepad.

 

NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

 

IMPORTANT: Save all of your work, as the next step may reboot your computer.

 

Run FRST and press the Fix button just once and wait.

 

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

 

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

 

NOTE: If the tool warns you about an outdated version please download and run the updated version.

 

Also, let me know how the machine is running now, and what remaining issues you've noticed.