Yosef Inmannuel

I have an offline and online ransomware decryptor.


Hi, I need an Emsisoft developer to answer me in order to send it to you. I bought the ransomware decoder of the month of January from some "hackers", where I only have to run a batch file in CMD, and it does everything: decrypt the files (online or offline) and automatically save them to the hard disk that has more space. It worked for many, because there are testimonials that it decrypts recent ransomware files, but not for me, and I have my files encrypted. As it has not worked for me, I am thinking of giving it to you so that, if you can learn how it works or get your keys, you can tell me. If you want more information, here I am.

Just now, Vicky said:

Is your file encrypted with the .kodc extension? And which online/offline decrypter do you have?

No, I am infected with an older ransomware variant, but the decryptor can decrypt .kodc. The decryptor was developed by some hackers and is made as a batch file in CMD.


KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU.

Any hacker telling you they can decrypt your files is either lying or they are the ones who encrypted your files in the first place. This variant makes use of the RSA encryption algorithm. If implemented correctly and it is at least 1024-bit encryption, it is unbreakable using today's technology. Theoretically RSA-1024 is breakable, but none of us will still be alive when it is successfully broken.

To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
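The post above describes the decision the tool has to make for each encrypted file: classify its ID as Offline (ending in t1) or Online, de-duplicate the IDs a single system may carry, and then check whether a matching private key is on file. The following is an added example, not code from the thread or from the Emsisoft tool; the IDs, the key table and the key labels are constructed placeholders, and the only rule it relies on is the t1 suffix stated in the post.

```python
"""Added example: triage STOP/DJVU-style victim IDs the way the post explains.

Not part of the Emsisoft decryptor. All IDs and keys below are constructed
placeholders (assumptions), not real ransomware artefacts.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

OFFLINE_SUFFIX = "t1"  # per the post: an ID ending in t1 is an Offline ID

# Constructed sample: the IDs a decryption tool might report for one victim.
# A system can carry more than one ID (C2 contact interrupted, staged encryption),
# and the same ID is often reported once per file, so duplicates are expected.
SAMPLE_IDS = [
    "EXAMPLEOFFLINEID000000000000t1",  # constructed offline-style ID
    "EXAMPLEOFFLINEID000000000000t1",  # same ID reported again
    "EXAMPLEONLINEID00000000000000x",  # constructed online-style ID
]

# Constructed stand-in for the decryptor's private-key database (ID -> key label).
# Hypothetical content; a real database would hold RSA private keys.
KNOWN_PRIVATE_KEYS: Dict[str, str] = {
    "EXAMPLEOFFLINEID000000000000t1": "PLACEHOLDER-PRIVATE-KEY-1",
}


@dataclass
class Verdict:
    victim_id: str
    kind: str            # "offline" or "online"
    key_available: bool  # a matching private key is on file
    reason: str


def classify(victim_id: str) -> str:
    """Apply the suffix rule from the post: t1 means offline, anything else online."""
    return "offline" if victim_id.endswith(OFFLINE_SUFFIX) else "online"


def assess(ids: Iterable[str], key_db: Dict[str, str] = KNOWN_PRIVATE_KEYS) -> List[Verdict]:
    """Return one Verdict per distinct ID, in first-seen order."""
    verdicts: List[Verdict] = []
    for vid in dict.fromkeys(ids):  # de-duplicate while keeping order
        kind = classify(vid)
        have_key = vid in key_db
        if have_key:
            reason = "matching private key on file; files with this ID can be decrypted"
        elif kind == "offline":
            reason = ("key pair was generated locally; decryptable only if its "
                      "private key is later added to the database")
        else:
            reason = ("key pair is held on the gang's command & control server; "
                      "not decryptable without it")
        verdicts.append(Verdict(vid, kind, have_key, reason))
    return verdicts


def decryptable_ids(ids: Iterable[str], key_db: Dict[str, str] = KNOWN_PRIVATE_KEYS) -> List[str]:
    """IDs for which decryption is possible right now (a private key is on file)."""
    return [v.victim_id for v in assess(ids, key_db) if v.key_available]


if __name__ == "__main__":
    for v in assess(SAMPLE_IDS):
        print(f"{v.victim_id}: {v.kind}, key on file: {v.key_available} -> {v.reason}")
```

The point the code makes explicit is the one buried in the post: the offline/online label says how the key was generated, but decryptability depends only on whether a matching private key is in the database, which is why an offline ID can still be undecryptable for a new variant.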

49 minutes ago, Kevin Zoll said:

KODC is a newer variant of the STOP/DJVU ransomware family and is not supported by our decryption tool. Even so, I would like you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important because it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command and control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means that the encryption key pair was generated and stored on a remote command and control server under the control of the ransomware gang responsible for encrypting your files.

Why is this important? The ID of the files is how private encryption keys are identified. If we have a private encryption key matching the ID of a file(s), then it can be used to decrypt the file(s). However, all of this depends on us having a matching private encryption key in our database. The downside of all this is that we currently do not possess private encryption keys for the KODC variant of STOP/DJVU.

Any hacker who tells you they can decrypt your files is either lying or they are the ones who encrypted your files in the first place. This variant uses the RSA encryption algorithm. If it is implemented correctly and is at least 1024-bit encryption, it is unbreakable with current technology. Theoretically, RSA-1024 is breakable, but none of us will still be alive when it is successfully broken.

To download the STOP/DJVU decryption tool, visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.

So how can they decrypt the files with the decryptor? In my case I was infected by the .MEKA virus. I can send you the decryptor they gave me, with the instructions for use, for you to see.

9 minutes ago, Yosef Inmannuel said:

Where do I send it to you? Tell me your email

Hover over Demonslay335's avatar and select 'Message' to send him a private message, with the file in a zip, here on the forum.


I got this CMD file, however it didn't work for me. If you open it as .txt, you will see that it is a fake file, with simple code. However, there is the FireHunter file; it seems complete, I just don't know how to use it. If any Emsisoft specialist succeeds ...


Moreover it's actually just a scam...

The "decryptor" he received was just a batch file that does absolutely nothing (the lab team got a good laugh, as did I), and the second one is an infected Mozilla Firefox installer that drops more malware. Do not run the "FireHunter" file.

On 2/2/2020 at 3:51 AM, Vicky said:

@Yosef Inmannuel I want that decryptor. Can you please share the decryptor zip file with me so I can decrypt my encrypted files? It will help me, thanks in advance.

On 2/2/2020 at 4:21 PM, SM868 said:

@Yosef Inmannuel can you send me the decryptor please? I got infected with the .KODC online version.

Thanks.

For your own safety and security, never ask for files from people you don't know. In this case, you would have merely reinfected your computers, and run the risk of making your problems even worse.

Stick with solutions from the experts, and if someone promises a "solution" then give us a chance to verify it first. Our goal is to try to thwart these criminals and keep everyone safe, and if there's anything we believe has a reasonable chance of helping you then we'll let you know.
