Rushil Bhardwaj L - Posted January 24, 2020

Hi, My laptop has been attacked by the old DJVU ransomware (the extension: .hets). I tried using the decryptor tool, but it was not able to help as the virus in my laptop is of the old variant. Please HELP!!!!!

Amigo-A - Posted January 24, 2020

Hello @Rushil Bhardwaj L
Have you read the Help?

Rushil Bhardwaj L (Author) - Posted January 24, 2020

I did, but couldn't understand it exactly. Can you help me by giving me a Step-By-Step explanation to decrypt my files?

Amigo-A - Posted January 24, 2020

Older versions are also supported, but their decryption works on a different principle.

In order to use the service, you first need to find some encrypted files and their originals that match the following requirements and train the decryption service using them.

- Need a file pair per file type you wish to decrypt
- Must be at least 150KB

Note, for each file type (doc, docx, xls, xlsx, png, etc) you want to decrypt, you must also upload an encrypted and unencrypted pair in order to train the service. Once the decryption service is trained with a file type, it can be used to decrypt all files on your computer of that same type.

The best way to find encrypted and unencrypted file pairs is to look for encrypted images or files that were downloaded from the Internet. That way you can download the original location so that you have an unencrypted version.

Once you have a pair of files, go to https://decrypter.emsisoft.com/submit/stopdjvu/ and upload the files using the page's form.

Amigo-A - Posted January 24, 2020

Here is a sample list where you can find the originals of the encrypted files (my article):

1) on flash drives, external drives, CD / DVD, memory cards of the camera, phone;
2) in attachments of emails sent or received by you;
3) among the copies of shared photos of friends, relatives (in their PC) that you gave;
4) among the uploaded photos in social networks, including via smartphone and tablet;
5) among the uploaded photos to cloud services (Google Disk, OneDrive, Yandex Disk etc.);
6) on the sites of ads, where you could previously send photos or images;
7) among unencrypted files, copies, renamed files on your PC;
8) on an old PC or disk, from where you transferred photos and documents to a new PC;
9) you can re-upload from the Internet previously downloaded photos, pictures, etc.;
10) you can use sample images supplied with Windows;
11) take photos or pictures that you previously posted on the avatar on the forums;
12) extract previously deleted files from the Recycle Bin or restore it with a special program.

If decryption failed ...

It is possible that the original file was an inaccurate copy of the encrypted. This could be due to the fact that earlier you yourself reduced or corrected it in the editor, or uploaded to social networks, cloud services, and there the file was somehow automatically changed. Look for more files and try different pairs of encrypted and original files with the same name.

Very often files can have the same name, but are not a copy of each other. Vocabulary used in any language is limited. The possibilities of PCs, cameras and other devices for taking photos are also limited. In cameras and mobile devices, names for photos are given automatically according to a specific format, so photos with the name from IMG_0001.JPG to IMG_9999.JPG can be quite a lot in different years.

Smartphones can give photos more original names, such as IMG_20171012_170451.jpg - here and the date of shooting, and the sequence number, because the repetition of the name is unlikely.

Amigo-A - Posted January 24, 2020

It is very important to find and use the largest file of each file type for training the decryptor.

If you find the original 3-5 MB photo-file (JPG, PNG), then all the smaller files will be decrypted. If you take a 100 kb file, then larger files will be decrypted only partially, to a size of 100 kb.

You need to try to do it. This is the only way to decrypt your files.

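The pair requirements given in the posts above (one pair per file type, at least 150KB, largest file preferred) can be checked mechanically before uploading anything. The following Python is an added example, not part of the thread or of Emsisoft's tooling; the function name, the 150 * 1024 reading of "150KB" and the file listings are assumptions made for the illustration.

```python
import ntpath
from collections import defaultdict

# Assumption: the post's "at least 150KB" is read here as 150 * 1024 bytes.
MIN_PAIR_BYTES = 150 * 1024

def best_pairs(encrypted, originals, ransom_ext):
    """Pick the largest usable (encrypted, original) candidate per file type.

    encrypted / originals: iterables of (path, size_in_bytes).
    ransom_ext: extension appended by the ransomware, e.g. ".sarut".
    Returns {file_type: (encrypted_path, original_path, original_size)}.
    Matching is by file name only, so each result is a candidate to try:
    a same-named file can still be an edited or re-compressed copy.
    """
    by_name = defaultdict(list)
    for path, size in originals:
        by_name[ntpath.basename(path).lower()].append((path, size))

    best = {}
    for enc_path, enc_size in encrypted:
        name = ntpath.basename(enc_path).lower()
        if not name.endswith(ransom_ext.lower()):
            continue
        orig_name = name[: -len(ransom_ext)]      # name before encryption
        ftype = ntpath.splitext(orig_name)[1].lstrip(".")
        for orig_path, orig_size in by_name.get(orig_name, []):
            if min(enc_size, orig_size) < MIN_PAIR_BYTES:
                continue                          # too small to train with
            if ftype not in best or orig_size > best[ftype][2]:
                best[ftype] = (enc_path, orig_path, orig_size)
    return best

# Constructed listings: paths and sizes are made up for this example.
ENCRYPTED = [
    (r"F:\photos\IMG_0001.JPG.sarut", 3_400_000),
    (r"F:\photos\IMG_0002.JPG.sarut", 410_000),
    (r"F:\docs\report.docx.sarut", 98_000),
    (r"F:\docs\plan.xlsx.sarut", 260_000),
]
ORIGINALS = [
    (r"E:\camera\IMG_0001.JPG", 3_400_000),
    (r"E:\camera\IMG_0002.JPG", 410_000),
    (r"E:\mail\report.docx", 98_000),
]

if __name__ == "__main__":
    for ftype, pair in sorted(best_pairs(ENCRYPTED, ORIGINALS, ".sarut").items()):
        print(ftype, *pair)
```

File types missing from the result (here docx and xlsx) still need a pair found by hand from the sources listed earlier in the thread.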
Rushil Bhardwaj L (Author) - Posted January 24, 2020

What if I am not able to find the file pair (encrypted and original)?

Rushil Bhardwaj L (Author) - Posted January 24, 2020

I am not able to find the encrypted and the original file. What to do now? Please Help.

Amigo-A - Posted January 24, 2020

I wrote the list above. Need to continue the search of original files. There is no other way to decrypt files.

cybermetric - Posted January 24, 2020

@Amigo-A: The .hets variant is one of the 'new djvu' STOP variants. The offline/private key was recovered some time ago. File pairs will not help in this case.

Amigo-A - Posted January 24, 2020

17 minutes ago, cybermetric said:
> The .hets variant is one of the 'new djvu' STOP variants.

Oops. Oh sure. Thanks @cybermetric

Sorry @Rushil Bhardwaj L

Many victims in different forums. I have to switch between topics and forums. It seems that I mixed up the topics and continued this, thinking about the old version that supports the training of the Decryptor.

Amigo-A - Posted January 24, 2020

@Rushil Bhardwaj L Attach a ransom note and several encrypted to your new message.

Vicky - Posted January 24, 2020

@Amigo-A Hey team, can you help me restore my data, infected by ransomware kodc ext, and unable to find t1 in any ID. Attaching files got after Farbar Recovery Scan Tool scanning process. Kindly help me please.

Attachments: FRST.txt, Addition.txt

ShadowPuterDude - Posted January 24, 2020

@Vicky I replied to your support thread just a bit ago. See my instructions in my reply to your post in that thread.

Rushil Bhardwaj L (Author) - Posted January 25, 2020

Attachment: _readme.txt

This is the ransom note. I was unable to send many files as I kept getting a message -200 and the upload failed.

Attachment: tuples.rtf.hets

GT500 - Posted January 25, 2020

22 hours ago, Rushil Bhardwaj L said:
> My laptop has been attacked by the old DJVU ransomware (the extension: .hets). I tried using the decryptor tool, but it was not able to help as the virus in my laptop is of the old variant.

That's a newer variant, not an older variant. I assume the decrypter told you otherwise? We're looking into why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.

Rushil Bhardwaj L (Author) - Posted January 25, 2020

14 hours ago, GT500 said:
> That's a newer variant, not an older variant. I assume the decrypter told you otherwise? We're looking into why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.

What am I supposed to do right now? Is there any other way you can help me decrypt the files? Can the present decrypter decrypt the files with .hets extension?

Amigo-A - Posted January 25, 2020

@Rushil Bhardwaj L

Quote:
> Your personal ID: 0189jYs9dnsuo8eI4MnmuZ6IYktzRe4PYnd1xmXSh9njGNdqV

Alas. This is an online ID.

cybermetric - Posted January 25, 2020

8 hours ago, GT500 said:
> That's a newer variant, not an older variant. I assume the decrypter told you otherwise? We're looking into why the decrypter is making that mistake, however our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.

We had a similar report in the BleepingComputer ransomware forum by one @wpuerta. Demonslay thought it was because he wasn't connected to the internet while running the decrypter. I tried running the decrypter on some files with internet disconnected and got this error for each file:

File: C:\Users\LDH\Pictures\Test\.MKOS with Offline Keys\NOTULEN RAPAT 26 Agustus 2019.pdf.mkos
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

This is what I would have expected in such a case.

Rushil Bhardwaj L (Author) - Posted January 26, 2020

On 1/25/2020 at 6:54 AM, Amigo-A said:
> @Rushil Bhardwaj L Alas. This is an online ID.

What can be done now to resolve this issue?

GT500 - Posted January 28, 2020

On 1/25/2020 at 4:00 AM, Rushil Bhardwaj L said:
> What am I supposed to do right now? Is there any other way you can help me decrypt the files?

Our recommendation is to make a backup copy of your encrypted files, and wait until the private keys are released publicly so that we can add them to the decrypter.

On 1/25/2020 at 4:00 AM, Rushil Bhardwaj L said:
> Can the present decrypter decrypt the files with .hets extension?

Only if the files have an offline ID. Newer variants use RSA keys, and we need the private key to decrypt the files. We can only get private keys for offline ID's, and only if they are donated by those who have paid the ransom.

On 1/25/2020 at 10:45 AM, cybermetric said:
> We had a similar report in the BleepingComputer ransomware forum by one @wpuerta. Demonslay thought it was because he wasn't connected to the internet while running the decrypter. I tried running the decrypter on some files with internet disconnected and got this error for each file:
>
> File: C:\Users\LDH\Pictures\Test\.MKOS with Offline Keys\NOTULEN RAPAT 26 Agustus 2019.pdf.mkos
> Error: The remote name could not be resolved: 'decrypter.emsisoft.com'
>
> This is what I would have expected in such a case.

I assume he's already mentioned this at BleepingComputer, however he's discovered a bug that caused the decrypter to always say "Old Variant". This bug is now fixed, and version 1.0.0.4 of the decrypter should no longer be getting this wrong.

SONU GUPTA - Posted January 29, 2020

My laptop was infected by .lapoi ransomware and I used many decryptors but can't decrypt data. Last I used STOP Djvu, then it showed: unable to decrypt old variant ID EO5cjlA1HBgOrsXLyaDMZGKREGmlfLtUGLejF9FC

Please sir, help me and provide a strong decryptor for this .lapoi virus.....

ShadowPuterDude - Posted January 29, 2020

4 hours ago, SONU GUPTA said:
> Last I used STOP Djvu, then it showed: unable to decrypt old variant ID EO5cjlA1HBgOrsXLyaDMZGKREGmlfLtUGLejF9FC

That is an Online Key. The decryption key for that ID is in the possession of the cyber-criminal responsible for encrypting your files. It is not possible to decrypt your files using third-party decryption tools.

GT500 - Posted January 30, 2020

18 hours ago, SONU GUPTA said:
> My laptop was infected by .lapoi ransomware and I used many decryptors but can't decrypt data. Last I used STOP Djvu, then it showed: unable to decrypt old variant ID EO5cjlA1HBgOrsXLyaDMZGKREGmlfLtUGLejF9FC
>
> Please sir, help me and provide a strong decryptor for this .lapoi virus.....

That's an older variant of STOP/Djvu, however since you have an online ID you'll need to supply file pairs via our online submission form to help the decrypter "learn" how to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

kamatchikumar - Posted April 9, 2020

I tried decryption. It works good. It decrypted 30% of my files. The remaining files show:

Quote:
> File: F:\photos\Harini\IMG_20160529_114343634.jpg.sarut
> Unable to decrypt Old Variant ID: nrSkiJStFeenovqw3IeWeDgaL8GWTXhKNByLSO45
> First 5 bytes: FFD8FFE124

Please help to decrypt my files. All are my baby photos.

GT500 - Posted April 10, 2020

21 hours ago, kamatchikumar said:
> File: F:\photos\Harini\IMG_20160529_114343634.jpg.sarut
> Unable to decrypt Old Variant ID: nrSkiJStFeenovqw3IeWeDgaL8GWTXhKNByLSO45
> First 5 bytes: FFD8FFE124

You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

mohammed amin - Posted April 16, 2020

File: D:\Recoverit 2020-04-13 at 10.03.48\E\Lost Location\whitelist.conf.hrosas
Unable to decrypt Old Variant ID: UiPNyyTkVT5NVS8XXLfGTY5EViyx7xXdY4lbctUe
First 5 bytes: 636F6D2E74

File: D:\Recoverit 2020-04-13 at 10.03.48\E\Lost Location\whitelist.conf.vwici.hrosas
Unable to decrypt Old Variant ID: UiPNyyTkVT5NVS8XXLfGTY5EViyx7xXdY4lbctUe
First 5 bytes: 522C7FE6E7

File: D:\Recoverit 2020-04-13 at 10.03.48\E\Lost Location\Backup Files 2019-04-22 065308\Backup files 5.zip.hrosas
Unable to decrypt Old Variant ID: UiPNyyTkVT5NVS8XXLfGTY5EViyx7xXdY4lbctUe
First 5 bytes: 504B050600

Finished!

GT500 - Posted April 16, 2020

5 hours ago, mohammed amin said:
> File: D:\Recoverit 2020-04-13 at 10.03.48\E\Lost Location\whitelist.conf.hrosas
> Unable to decrypt Old Variant ID: UiPNyyTkVT5NVS8XXLfGTY5EViyx7xXdY4lbctUe
> First 5 bytes: 636F6D2E74

You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

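The replies above say that every "Unable to decrypt Old Variant ID" entry needs file pairs, and earlier posts say one pair is needed per file type. As an added example (not from the thread or from Emsisoft's tooling), this Python script parses decrypter output in the shape quoted in these posts and counts, per ID, which file types were skipped; the function name, sample log and ID are constructed for the illustration.

```python
import ntpath
import re
from collections import defaultdict

# One "Unable to decrypt" record in the shape quoted in this thread. \s+ lets it
# match whether or not line breaks survived; (?!File:) stops a record with a
# different error from swallowing the record that follows it.
RECORD = re.compile(
    r"File:\s*(?P<path>(?:(?!File:).)+?)\s+"
    r"Unable to decrypt Old Variant ID:\s*(?P<id>\S+)\s+"
    r"First 5 bytes:\s*(?P<head>[0-9A-Fa-f]{10})",
    re.S,
)

def types_needing_pairs(log_text):
    """Return {victim_id: {file_type: count}} for files the decrypter skipped."""
    need = defaultdict(lambda: defaultdict(int))
    for m in RECORD.finditer(log_text):
        name = ntpath.basename(m["path"])
        inner = ntpath.splitext(name)[0]      # drop the ransomware extension
        ftype = ntpath.splitext(inner)[1].lstrip(".").lower() or "(none)"
        need[m["id"]][ftype] += 1
    return {vid: dict(types) for vid, types in need.items()}

# Constructed sample log: paths and the ID are made up for this example.
SAMPLE_LOG = r"""
File: F:\photos\IMG_0001.jpg.sarut
Unable to decrypt Old Variant ID: EXAMPLEID0000
First 5 bytes: FFD8FFE124
File: F:\docs\notes.pdf.sarut
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'
File: F:\docs\Budget 2019.xlsx.sarut
Unable to decrypt Old Variant ID: EXAMPLEID0000
First 5 bytes: 504B030414
File: F:\photos\IMG_0002.JPG.sarut
Unable to decrypt Old Variant ID: EXAMPLEID0000
First 5 bytes: FFD8FFE000
Finished!
"""

if __name__ == "__main__":
    for vid, types in types_needing_pairs(SAMPLE_LOG).items():
        print(vid, sorted(types.items()))
```

The name-resolution failure on notes.pdf is left out of the count because it is a connectivity error, not a missing-pair result.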
Yasir Ejaz - Posted February 23, 2021

Please help me to decrypt my files. I have only encrypted files. Original files changed their extension to .djvuq, .nano. I ran the decrypter but found an error: Unable to decrypt Old Variant ID: SLsdLUC3v9g1bkjBtckoeBRPcBOXPaNoAlFmzlEF

GT500 - Posted February 24, 2021

9 hours ago, Yasir Ejaz said:
> Unable to decrypt Old Variant ID: SLsdLUC3v9g1bkjBtckoeBRPcBOXPaNoAlFmzlEF

You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/