Recommended Posts

Hi
My laptop has malicious .kodc and I can't access my files.
Please provide a way to remove this malware and restore my files.
I need just 1 file so much.is it possible to send you that to recover that?or help me to do it!
Here is the malicious message:

 

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-Oc0xgfzC7q
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
0198nTsddikXZh3g0RU1jNq4l6rKC8DQhlIRWkDHqWDrb9SNJ

  • Sad 1

Share this post


Link to post
Share on other sites

Hello @mohammadali_149

Thank you for contacting Emsisoft Support.

KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU.

To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

 

Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.

  • Like 1

Share this post


Link to post
Share on other sites

i installed STOP/DJVU decryption tool . here is the results :

 

Starting...

File: D:\proje uni\1-s2.0-S0001868615000767-gr1.jpg.kodc
No key for New Variant online ID: ikXZh3g0RU1jNq4l6rKC8DQhlIRWkDHqWDrb9SNJ
Notice: this ID appears to be an online ID, decryption is impossible

File: D:\proje uni\1.png.kodc
No key for New Variant online ID: ikXZh3g0RU1jNq4l6rKC8DQhlIRWkDHqWDrb9SNJ
Notice: this ID appears to be an online ID, decryption is impossible

File: D:\proje uni\1200px-B-spline_curve.svg.png.kodc
No key for New Variant online ID: ikXZh3g0RU1jNq4l6rKC8DQhlIRWkDHqWDrb9SNJ
Notice: this ID appears to be an online ID, decryption is impossible

...

Finished!

*Given the above result is it possible to recover information?
Or is this not possible at all?

Edited by GT500
Truncated log.

Share this post


Link to post
Share on other sites

As stated in my original post this variant is not supported by our decryption tool.  I had you run the tool for the sole purpose of deactivating and removing any malware installed by STOP/DJVU.

Share this post


Link to post
Share on other sites
On 2/6/2020 at 12:23 AM, Kevin Zoll said:

As stated in my original post this variant is not supported by our decryption tool.  I had you run the tool for the sole purpose of deactivating and removing any malware installed by STOP/DJVU.

How i can fix this?

  • Sad 1

Share this post


Link to post
Share on other sites

@Nauman

If our decryption tool states that it cannot decrypt your files, then the files cannot be decrypted.

General Notes With Regards to STOP/DJVU

 

  1. If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted.  That is not an error message.
  2. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those keys.
  3. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database.  Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key.
  4. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.
  5. New Variant STOP/DJVU utilizes the RSA encryption algorithm.  RSA is considered a secure encryption method and is unbreakable using current technologies.  It is not reversible, cannot be cracked, and we are not able to generate a decryption key.  So do not send us encrypted files thinking we can recover your decryption key, we can't.

 

Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.

Share this post


Link to post
Share on other sites
7 hours ago, waleed elhoseny said:

Well ... I will download the latest version of the program and I will tell you the result, my dear
Thank you

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

  • Like 1

Share this post


Link to post
Share on other sites

what's the meaning of this result?

Starting...

File: D:\proje uni\1-s2.0-S0001868615000767-gr1.jpg.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\1.png.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\1200px-B-spline_curve.svg.png.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\220px-NURBS_surface.png
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\220px-NURBS_surface.png.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\278295-59948e5334477ed2964afdd4-05.jpg.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\34.png.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\4-6.png.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\9.JPG.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\9464_html_m718ac829.png.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

Finished!
 

  • Like 1

Share this post


Link to post
Share on other sites

hi mohammadali_149 

7 hours ago, mohammadali_149 said:

what's the meaning of this result?

Starting...

File: D:\proje uni\1-s2.0-S0001868615000767-gr1.jpg.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\1.png.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\1200px-B-spline_curve.svg.png.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\220px-NURBS_surface.png
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\220px-NURBS_surface.png.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\278295-59948e5334477ed2964afdd4-05.jpg.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\34.png.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\4-6.png.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\9.JPG.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

File: D:\proje uni\9464_html_m718ac829.png.kodc
Error: The remote name could not be resolved: 'decrypter.emsisoft.com'

Finished!
 

يعنى ان البرنامج مش قادر يفك التشفير الخاص بملفاتك لان الشفرة جديدة ومش قادر يفك شفرتها حتى الان 

واعتقد انو جارى اكتشافطريقه لفك التشفير 

Share this post


Link to post
Share on other sites

@mohammadali_149

Quote

What does "Remote name could not be resolved" mean? It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link:
https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

 

Share this post


Link to post
Share on other sites

Hi
My laptop has malicious .kodc and I can't access my files.
Please provide a way to remove this malware and restore my files.
I need my data as it is very important.
Here is the malicious message

 

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-Oc0xgfzC7q
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
0198nTsddaA5314JEzsUiacrljoWYdQgAT7P0uwMCKB9yLzAu

 

i have download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

 

But on installing it is showing the error message

The application was unable to start correctly (0xc000007b). Click OK to close the application.

 

Please help me to decrypt my data as the whole data have extension .kodc 

for example:- a word document is just like abc.docx.kodc

Share this post


Link to post
Share on other sites
On 2/4/2020 at 9:13 PM, Kevin Zoll said:

Hello @mohammadali_149

Thank you for contacting Emsisoft Support.

KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU.

To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

 

Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.

can you explain more about that part of your reply please?
 "First, it will deactivate and remove any malware that was installed by the ransomware This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. "

Share this post


Link to post
Share on other sites
18 hours ago, Yash Khurana said:

The application was unable to start correctly (0xc000007b). Click OK to close the application.

This is because you have Windows 7, which has an old version of the Microsoft .NET Framework, and the decrypter requires a newer version.

 

18 hours ago, Yash Khurana said:

Your personal ID:
0198nTsddaA5314JEzsUiacrljoWYdQgAT7P0uwMCKB9yLzAu

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Share this post


Link to post
Share on other sites
13 hours ago, Mohamed_Ajlan said:

can you explain more about that part of your reply please?
 "First, it will deactivate and remove any malware that was installed by the ransomware This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. "

The STOP/Djvu ransomware creates a startup item to run when Windows starts, allowing it to encrypt any new files. It also creates a Scheduled Task that runs every so many minutes, allowing it to encrypt any new files that have been saved/created since the last time your computer was powered on or restarted.

Our STOP/Djvu decrypter will remove the startup item and the Scheduled Task, however it doesn't remove the malicious files themselves. You will still need to run an Anti-Virus scan with something like Emsisoft Emergency Kit in order to remove those.

  • Like 1

Share this post


Link to post
Share on other sites
19 minutes ago, GT500 said:

The STOP/Djvu ransomware creates a startup item to run when Windows starts, allowing it to encrypt any new files. It also creates a Scheduled Task that runs every so many minutes, allowing it to encrypt any new files that have been saved/created since the last time your computer was powered on or restarted.

Our STOP/Djvu decrypter will remove the startup item and the Scheduled Task, however it doesn't remove the malicious files themselves. You will still need to run an Anti-Virus scan with something like Emsisoft Emergency Kit in order to remove those.

aha i see , that is a great function , so is that action of removing startup item and the Scheduled Task automatically done when i launch the STOP/Djvu decrypter or i should press decrypt button and choosing all partitions on the scanning area or just system partition ?

Share this post


Link to post
Share on other sites
1 minute ago, Mohamed_Ajlan said:

aha i see , that is great function , so is that action of removing startup item and the Scheduled Task automatically done when i launch the STOP/Djvu decrypter or i should press decrypt button and choosing all partitions on the scanning area or just system partition ?

It's done automatically when the decrypter is opened (I would believe after you agree to the disclaimer), so you don't need to do anything extra in order for it to remove the startup item and Scheduled Task.

  • Like 1

Share this post


Link to post
Share on other sites
2 minutes ago, GT500 said:

It's done automatically when the decrypter is opened (I would believe after you agree to the disclaimer), so you don't need to do anything extra in order for it to remove the startup item and Scheduled Task.

that is wonderful and a quick way to stop the encryption process if it didn't encrypt all files yet  .
 Thank you for your response :) 

Share this post


Link to post
Share on other sites
On 5/3/2020 at 3:32 PM, kero said:

.kodc

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.