Jump to content

.reha

Obi

By Obi,
in Help, my files are encrypted!

 Share

Recommended Posts

Obi

Obi

Posted
Posted

Hello there, My little brother tried to download a game on my laptop and now almost all of my media are encrypted by .reha virus, I tried many things including decryption and recovery apps but nothing has worked in my case, I believe I've already removed the virus.... please help I've important project files that I've been working on for the last 3 months and now it's all gone!!

Link to comment
Share on other sites
ShadowPuterDude

ShadowPuterDude

Posted
Posted

Hello @Obi,

 

Welcome to the Emsisoft Support Forums.

 

Hello #{ticket.customer.firstname}, 

Thank you for contacting Emsisoft Support.

REHA is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the REHA variant of STOP/DJVU.

To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.

  • Upvote 1
Link to comment
Share on other sites
GT500

GT500

Posted
Posted
8 hours ago, Obi said:

@Kevin Zoll I tried your software yesterday but It didn't work, However I tried downloading it again one hour ago and it WORKED man, It WORKED, I'm so so grateful.

We just added the private key for .reha offline ID's on Thursday, which is why it suddenly was able to decrypt your files.

Thanks for letting us know that it worked. 👍

  • Like 1
  • Thanks 1
Link to comment
Share on other sites
GT500

GT500

Posted
Posted
14 minutes ago, AhF said:

Hey there , my files is still encrypted. any idea why  ?

Assuming you have a variant of STOP/Djvu, it's probably because you have an online ID, however without further information I can only make assumptions. ;)

Link to comment
Share on other sites
AhF

AhF

Posted
Posted
46 minutes ago, GT500 said:

Assuming you have a variant of STOP/Djvu, it's probably because you have an online ID, however without further information I can only make assumptions. ;)

I have .reha encryption . I indeed get the message that my id is online and encryption is impossible . Is it true  or I just have to wait my turn ? 

Link to comment
Share on other sites
GT500

GT500

Posted
Posted
2 minutes ago, AhF said:

Is it true  or I just have to wait my turn ?

Online ID's mean your files have a unique public and private key, which only the criminals have access to, so decryption is impossible. The only way we can decrypt files that have an offline ID is due to the fact that files with offline ID's share the same keys regardless of the computer the files were encrypted on, so we can use the same private key on any files that have the same offline ID. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to comment
Share on other sites
GT500

GT500

Posted
Posted
On 2/8/2020 at 2:20 AM, Rajitha said:

Here's the ID Your personal ID:
0199a7d6a8sda7757TLxCRXnSjhJoq4TruFpvTlag0OKn6hPITYt1

As Kevin said, this is an offline ID. I recommend running the decrypter once every week or two so that you can see when we've added the private key for your variant.

There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to comment
Share on other sites
ShadowPuterDude

ShadowPuterDude

Posted
Posted

Hello @Mr.Sate

Thank you for contacting Emsisoft Support.

REHA is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the REHA variant of STOP/DJVU.

General Notes With Regards to STOP/DJVU

 

  1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
  2. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
  3. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
  4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
  5. New Variant STOP/DJVU utilizes the RSA encryption algorithm.  RSA is considered a secure encryption method and is unbreakable using current technologies.  It is not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.
  6. What does "Remote name could not be resolved" mean?  It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.

Link to comment
Share on other sites
  • 4 weeks later...
GT500

GT500

Posted
Posted
12 hours ago, mahdi_attacker said:

Your personal ID:
0199a7d6a8sdakFnYextglL1kyST67ldEtMraxMbc6dz0ciB2AJLc

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to comment
Share on other sites
  • 3 weeks later...
GT500

GT500

Posted
Posted
11 hours ago, muhammad izzuddin said:

Your personal ID:
0199a7d6a8sdazwsxQpZ2s4WmLWohxoPoOwo57oPIYqqCdSnXbGZn

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to comment
Share on other sites
  • 3 weeks later...
GT500

GT500

Posted
Posted
11 hours ago, Llew said:

Your personal ID:
0199a7d6a8sdaGoWnVWLp2iE4qsGSAwN0TcGPUkRl1lwknuoiqT4

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to comment
Share on other sites
  • 4 weeks later...
GT500

GT500

Posted
Posted
13 hours ago, Vlad D. said:

Your personal ID:
0199a7d6a8sdaj3ndfw4w8hMLitjt6IDCRyoS7yCgQpiI6KYqyWLT

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to comment
Share on other sites
  • 5 weeks later...
  • 1 month later...
GT500

GT500

Posted
Posted
10 hours ago, Vlad D. said:

.reha Will it ever be resolved?

If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2022 Emsisoft - 05/19/2022 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...