SalasKafa

New Variant offline ID

Hi,

Infected by .topi.. so after I remove the viruses I run the program and

I got this message in log section:

No key for New Variant offline ID: 7757TLxCRXnSjhJoq4TruFpvTlag0OKn6hPITYt1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future.

It's quite clear what it is written, but

is there any hope? :) Should I wait for any upgrade?

Source: https://howtofix.guide/topi-file-virus/#comment-2186


Hello @SalasKafa

Thank you for contacting Emsisoft Support.

TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.

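The suffix rule from the reply above, applied to decryptor log output, as an added example that is not part of the original thread and not Emsisoft's code. The log format and IDs are copied from posts in this thread; the first file path in the sample and all function names are constructed for illustration.

```python
import re

# Sample log assembled from lines quoted in this thread.
# The first file path (D:\docs\report.docx.topi) is constructed.
SAMPLE_LOG = r"""Starting...

File: D:\docs\report.docx.topi
No key for New Variant offline ID: 7757TLxCRXnSjhJoq4TruFpvTlag0OKn6hPITYt1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future.

File: D:\.nppp\Inter\conta.txt.nppp
No key for New Variant online ID: ZcVtkftvTVjBddsT6qPSUevQWbPTyGXuQwHkfqgC
Notice: this ID appears to be an online ID, decryption is impossible

File: D:\.nppp\Inter\termo_cartao_1564422478775.pdf.nppp
No key for New Variant online ID: ZcVtkftvTVjBddsT6qPSUevQWbPTyGXuQwHkfqgC
Notice: this ID appears to be an online ID, decryption is impossible

Finished!
"""

FILE_RE = re.compile(r"^File:\s*(?P<path>.+?)\s*$")
ID_RE = re.compile(
    r"^No key for New Variant (?P<label>online|offline) ID:\s*(?P<id>[A-Za-z0-9]+)\s*$"
)


def classify_id(victim_id):
    """Rule stated in the thread: an ID ending in 't1' is offline, anything else online."""
    return "offline" if victim_id.endswith("t1") else "online"


def summarize(log_text):
    """Group logged files by ID. One machine can show several IDs, so key on the ID."""
    summary = {}
    current_file = None
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current_file = m.group("path")
            continue
        m = ID_RE.match(line)
        if not m:
            continue
        vid = m.group("id")
        entry = summary.setdefault(
            vid, {"kind": classify_id(vid), "files": [], "label_mismatch": False}
        )
        if current_file is not None:
            entry["files"].append(current_file)
            current_file = None
        # Flag lines where the tool's own label disagrees with the suffix rule.
        if m.group("label") != entry["kind"]:
            entry["label_mismatch"] = True
    return summary


def recheck_candidates(summary):
    """Offline IDs are the ones worth re-running the decrypter for later."""
    return sorted(v for v, e in summary.items() if e["kind"] == "offline")


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for vid, entry in result.items():
        print(f"{vid}  {entry['kind']:7}  files={len(entry['files'])}")
    print("re-check later:", recheck_candidates(result))
```
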

Just be sure to make a backup of your encrypted files before you do anything, that way you'll have them in a safe place in case anything happens to them before you can decrypt them.


@Demonslay335

For everyone who is interested in this issue:

At first, the process was going excellently, some files decrypted perfectly!! Later, in the middle of the process, the "Results" section started to give an error message >>

Error: The remote server returned an error: (403) Forbidden.

What does this mean? @Kevin Zoll @GT500

10 hours ago, SalasKafa said:

Error: The remote server returned an error: (403) Forbidden.

What does this mean? @Kevin Zoll @GT500

It could mean some server-side trouble, or perhaps someone was working on something when you tried the decrypter. Give it another try, and I'll see if there are any known issues with the server right now.


Hello,

I ran the program multiple times; it gave the same error, or a [not responding] issue occurred, every time I tried. So, I had to try another way: instead of scanning entire drives at a single time, I started the software by selecting folders one by one, each time after the process finished. This way takes much more time than usual, of course... but it was worth it.

At the end, we can "officially" say that the decryption of ID: 7757TLxCRXnSjhJoq4TruFpvTlag0OKn6hPITYt1 is completed perfectly!! Now all files are the same as before the infection.

Thank you so much Emsisoft :) I am so happy.

Besides that, I also got my lesson.. back up your files! :)

Have a good day dear friends.


Hello

I am running into the same problem, as is highlighted by one user.

No key for New Variant offline ID: A9GoURN1YjdAQyaC6wsAFQH69tLYb2jZFkNvyct1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future

All of my files are encrypted. I can't open them. Could you please help me?

Kind regards,

Deep State


@Deepstate

That is the offline ID for .npsg / .btos, but we do not have the key for it.

@SalasKafa

I'm not sure how you'd get that error in the middle of the decryption process. The decryptor reaches out to the server upon the first file it encounters, and never has to call out again unless it finds a file with a different ID. I still have to look into why a 403 would even occur.

Are you sure the system is clean from malware? Perhaps something is interfering with the connection.


@Demonslay335

Yes, I'm pretty sure. I did a full system scan with multiple software (not simultaneously) and nothing was seen so far.

@GT500 said that "...perhaps someone was working on something when you tried the decrypter."

I don't know, this might be the reason for the error (403). It seems like server-side trouble, yes...

I'm not sure, but is this possible? I mean, if you spend much more time on the decrypter (process), this can cause a time delay. So, a 403 occurs???

2 hours ago, SalasKafa said:

@GT500 said that "...perhaps someone was working on something when you tried the decrypter."

I don't know, this might be the reason for the error (403). It seems like server-side trouble, yes...

I'm not sure, but is this possible? I mean, if you spend much more time on the decrypter (process), this can cause a time delay. So, a 403 occurs???

We're reasonably certain at this point that no one was working on the server at the time you encountered this error (very few people have access). @Demonslay335 will have to look into this further.


Hello @m2413,

Welcome to the Emsisoft Support Forums.

Though those are offline IDs, our decryption tool cannot decrypt your files as we are not in possession of the decryption key that matches your offline ID.

1 hour ago, Kevin Zoll said:

Hello @m2413,

Welcome to the Emsisoft Support Forums.

Though those are offline IDs, our decryption tool cannot decrypt your files as we are not in possession of the decryption key that matches your offline ID.

tnx

can decryption in future with new version app?


Good day! 

Got the same problem here with alka file. No key for New variant. 

My offline ID is: 

j4mSCzF3yhC0DJadRCZ4Lxftlh8CY8isHUYeut1

Haven't backed up my recent files which are so very important. Hope someone could help me. Thank you very much.


@m2413 and @Juroan24 private keys for offline ID's are added to our database once we are able to find them. Just run the decrypter once every week or two in order to see when we've added the private key for your variant.

On 2/1/2020 at 3:01 PM, SalasKafa said:

Alright then.. let's keep in touch if anything I can help you about that issue.

@Demonslay335 @GT500

We think it may be due to files missing their extension. Did you edit any of your files to try to remove the .topi from the end of your file names?

5 hours ago, GT500 said:

@m2413 and @Juroan24 private keys for offline ID's are added to our database once we are able to find them. Just run the decrypter once every week or two in order to see when we've added the private key for your variant.

Thanks for your help.

6 hours ago, GT500 said:

We think it may be due to files missing their extension. Did you edit any of your files to try to remove the .topi from the end of your file names?

Hi @GT500,

No, I did not. Actually, I didn't change or edit anything after .topi infected. What I did was just using anti-malware tools and antivirus tools, then using decryptor.

Although there is no warning of the connection problem, maybe this issue has happened because of short-term lack of connection? (connection error from my side or from your side.)

1 hour ago, Kevin Zoll said:

@SalasKafa If connection is lost for any reason then that could trigger the error you got.

There was no connection loss as far as I observed, that's why I thought "maybe" there was a short-term connection loss that we couldn't see (as a possibility).

Please don't get me wrong, I just said the possibilities that came to my mind. I have no intention of getting involved in your business, you are the expert :)

 


Sometimes, we do not see the service interruption or it could be taking too long to respond. Error 403 is an HTTP Response code for connection is refused as forbidden. No idea why that happened.


14543794_10154027003731139_1430232191952499141_o.jpg.topi
No key for New Variant online ID: QeTkSWKW60X4XF2D2njqs1TlAap82liTqLPIPv70
Notice: this ID appears to be an online ID, decryption is impossible

 

help me plzzzz

20 hours ago, SalasKafa said:

Although there is no warning of the connection problem, maybe this issue has happened because of short-term lack of connection? (connection error from my side or from your side.)

The error is an HTTP status code, meaning the decrypter is connecting to our server and receiving "403" as the response. Normally that would mean it's trying to access something it's not supposed to, however that doesn't make sense in the case of the decrypter, unless something is modifying its communication with our servers.

Does the decrypter show the name of a file before the error message? I would be interested to know what information it's trying to send to the server when the error happens.

10 hours ago, ayoubtdi said:

14543794_10154027003731139_1430232191952499141_o.jpg.topi
No key for New Variant online ID: QeTkSWKW60X4XF2D2njqs1TlAap82liTqLPIPv70
Notice: this ID appears to be an online ID, decryption is impossible

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

On 2/6/2020 at 11:59 AM, GT500 said:

The error is an HTTP status code, meaning the decrypter is connecting to our server and receiving "403" as the response. Normally that would mean it's trying to access something it's not supposed to, however that doesn't make sense in the case of the decrypter, unless something is modifying its communication with our servers.

Does the decrypter show the name of a file before the error message? I would be interested to know what information it's trying to send to the server when the error happens.

@GT500

Sorry, no specific file name has been shown.

Actually, as I said earlier, the program started giving these error messages in the middle of the decryption process. That's why we can say that error messages were given under every file, because the decryptor was trying to decrypt files one by one.. I mean, I can say that I saw this message under every file the program tried to decrypt.

By the way, I'd like to remind you that after these errors I ran the program multiple times, and in the end the decryptor worked perfectly and all files were decrypted perfectly. Now, I got back all files the same as before.

On 1/31/2020 at 3:39 PM, SalasKafa said:

Hello,

I ran the program multiple times; it gave the same error, or a [not responding] issue occurred, every time I tried. So, I had to try another way: instead of scanning entire drives at a single time, I started the software by selecting folders one by one, each time after the process finished. This way takes much more time than usual, of course... but it was worth it.

At the end, we can "officially" say that the decryption of ID: 7757TLxCRXnSjhJoq4TruFpvTlag0OKn6hPITYt1 is completed perfectly!! Now all files are the same as before the infection.

Thank you so much Emsisoft :) I am so happy.

Besides that, I also got my lesson.. back up your files! :)

Have a good day dear friends.

 

12 hours ago, SalasKafa said:

By the way, I'd like to remind you that after these errors I ran the program multiple times, and in the end the decryptor worked perfectly and all files were decrypted perfectly. Now, I got back all files the same as before.

I'm glad to hear that. Be sure to get a good Anti-Virus and make regular backups so that it doesn't happen again.


hello,

I have a big problem in all my files

No key for New Variant offline ID: A9GoURN1YjdAQyaC6wsAFQH69tLYb2jZFkNvyct1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future

I am so sad about that.

 


somebody help me? please

No key for New Variant online ID: xk68AT6EXHmqcnNCK3XZiLDSgGnS2qiZTn7TBe75
Notice: this ID appears to be an online ID, decryption is impossible
 


Hi everyone. I have been doing a lot of research. The only thing we need to do is to wait for Emsisoft to upload the new decryption keys to their servers. There is nothing we can do. Uploading your Offline ID will not speed up the process.

Take note that there are multiple variants. They are doing the best they can.

Maybe we can make a crowdfunding for these heroes working on a decryption.

@João Luiz Sorry to tell you this, but if you have Online ID you are mostly rekt.

 

9 hours ago, Shakal said:

No key for New Variant offline ID: A9GoURN1YjdAQyaC6wsAFQH69tLYb2jZFkNvyct1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future

It may take us some time to find the private key for that offline ID, and add it to our database. I recommend running the decrypter every week or two so that you can see when we've added it.

 

7 hours ago, João Luiz said:

No key for New Variant online ID: xk68AT6EXHmqcnNCK3XZiLDSgGnS2qiZTn7TBe75
Notice: this ID appears to be an online ID, decryption is impossible

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

 

6 hours ago, BbooRekt said:

Maybe we can make a crowdfunding for these heroes working on a decryption.

We do pay our analysts. ;)

While the guy writing decrypters for us isn't a volunteer, he does have a Patreon page, so if you or anyone else really wants to donate money then you can do so. Just keep in mind that this will not influence whether or not he can decrypt your files, as that's not something that's within his control, and normally he'll help whenever he can.

On 1/30/2020 at 11:25 PM, Demonslay335 said:

@SalasKafa

Try running the decryptor again; we may have just received a key for that ID recently. 😉

What about .kodc encryption? Any news please?


Help me

No key for New Variant online ID: 0m7Z0hqOm44qwprbSOmfAwcQz6Wt9spYIhHTem9S
Notice: this ID appears to be an online ID, decryption is impossible

11 hours ago, altin said:

What about .kodc encryption? Any news please?

.kodc is a variant of STOP/Djvu. What applies to STOP/Djvu in general also applies to .kodc since it is the same thing. The only special consideration is that it is a newer variant, and thus is not decryptable unless you have an offline ID.

 

5 hours ago, Azroin said:

No key for New Variant online ID: 0m7Z0hqOm44qwprbSOmfAwcQz6Wt9spYIhHTem9S
Notice: this ID appears to be an online ID, decryption is impossible

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


hi

 infected by  .mool 

No key for New Variant offline ID: uvEETK84RPC0Q5icp67CP746LJaCJuwq2tG9Kjt1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future.

😩 help me pls. all files got encrypted.
 

13 hours ago, cpt-ghost said:

No key for New Variant offline ID: uvEETK84RPC0Q5icp67CP746LJaCJuwq2tG9Kjt1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future.

We don't have the private key for this offline ID yet. Once we're able to find it, we'll add it to our database, and then it should be possible for you to recover your files. I recommend running the decrypter once every week or two so that you can see when we've added the private key.

There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

13 hours ago, GT500 said:

We don't have the private key for this offline ID yet. Once we're able to find it, we'll add it to our database, and then it should be possible for you to recover your files. I recommend running the decrypter once every week or two so that you can see when we've added the private key.

There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

My Id is the same "No key for New Variant offline ID: uvEETK84RPC0Q5icp67CP746LJaCJuwq2tG9Kjt1"
But I was infected with .bboo

Didn't know that same ID was used for different extensions.

3 minutes ago, Demonslay335 said:

Some extensions they re-use the same offline ID and corresponding key. In this case, .bboo, .ooss, and .mool all have the same offline ID.

Nice, more chances to get it I guess. Just browsed your git, didn't get the idea about the stop_config.py file though XD


Hello, my name is Nuno, I'm from Portugal and I reeeealy need your help, please!!!!!

My laptop has been infected with this .nppp virus and all of my files from work from the past 4 years have been encrypted.

I've managed to clean the virus infections from the laptop with Malwarebytes (100% sure it's clean) but, when I run your program, it says that it doesn't possess the offline key, so it MAY decrypt my files in the future.

My PersonalID is: yUigCPpx6KxQZCQZfT8NsgOwnGDHwiQkVLy9UTt1

Can you please help me somehow?

I'm getting desperate with all the locked files from work!

Thank you

6 minutes ago, Nuno_Santos said:

Hello, my name is Nuno, I'm from Portugal and I reeeealy need your help, please!!!!!

My laptop has been infected with this .nppp virus and all of my files from work from the past 4 years have been encrypted.

I've managed to clean the virus infections from the laptop with Malwarebytes (100% sure it's clean) but, when I run your program, it says that it doesn't possess the offline key, so it MAY decrypt my files in the future.

My PersonalID is: yUigCPpx6KxQZCQZfT8NsgOwnGDHwiQkVLy9UTt1

Can you please help me somehow?

I'm getting desperate with all the locked files from work!

Thank you

The only thing that we (everyone infected with an offline ID) can do is wait. Your information is clear: You have been infected. The good news is that it's an Offline ID which might be possible to decrypt some day in the future.

This depends on the team getting that ID decrypted. That day (if it comes) it will be uploaded to their servers so the only thing you will need to do is to run the software again.

It's recommended to run it once per week to see if your ID was decrypted. (Of course, I'm running it 2 times per day, xD)

Patience is the key. Be sure to save your encrypted files for now.

 

2 hours ago, Nuno_Santos said:

My PersonalID is: yUigCPpx6KxQZCQZfT8NsgOwnGDHwiQkVLy9UTt1

That's an offline ID, but we may not have the private key for your variant yet. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key.

There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

On 2/22/2020 at 4:51 AM, GT500 said:

That's an offline ID, but we may not have the private key for your variant yet. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key.

There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Thank you for your reply!

Can you advance if it will be a matter of time until the key will be added to your database, or is there a chance the key won't be added?

Sorry to insist, but I'm really apprehensive about all my work...

Thank you

8 hours ago, Nuno_Santos said:

Can you advance if it will be a matter of time until the key will be added to your database, or is there a chance the key won't be added?

There's always a chance we may not get our hands on the key, but with offline ID's the odds of us being able to get the private key are fairly good.

 

15 hours ago, botchien20080 said:

good morning, 

Please help me key for decrypt my file

Do you know what variant of STOP/Djvu your files were encrypted by?


hi,

 

Starting...

File: D:\.nppp\Inter\conta.txt.nppp
No key for New Variant online ID: ZcVtkftvTVjBddsT6qPSUevQWbPTyGXuQwHkfqgC
Notice: this ID appears to be an online ID, decryption is impossible

File: D:\.nppp\Inter\termo_cartao_1564422478775.pdf.nppp
No key for New Variant online ID: ZcVtkftvTVjBddsT6qPSUevQWbPTyGXuQwHkfqgC
Notice: this ID appears to be an online ID, decryption is impossible

Finished!
Starting...

File: D:\.nppp\Inter\conta.txt - Copia.nppp
No key for New Variant online ID: ZcVtkftvTVjBddsT6qPSUevQWbPTyGXuQwHkfqgC
Notice: this ID appears to be an online ID, decryption is impossible

File: D:\.nppp\Inter\conta.txt.nppp
No key for New Variant online ID: ZcVtkftvTVjBddsT6qPSUevQWbPTyGXuQwHkfqgC
Notice: this ID appears to be an online ID, decryption is impossible

File: D:\.nppp\Inter\termo_cartao_1564422478775.pdf.nppp
No key for New Variant online ID: ZcVtkftvTVjBddsT6qPSUevQWbPTyGXuQwHkfqgC
Notice: this ID appears to be an online ID, decryption is impossible

Finished!

 

Your personal ID:
0210a7d6ZcVtkftvTVjBddsT6qPSUevQWbPTyGXuQwHkfqgC

Help

 

Escopo - MAP - Sodexo Projeto.docx.nppp Janeiro- fevereiro 2019.xlsx.nppp
