Ravock 0 Report post Posted March 3 Hey guys, can you please lend me a hand? A friend got their files encrypted and they really need them back. Their personal ID is: 0184Asd374y5QJcl9AKinJpoFZAvJtOVIpBtJlF4pvNKSFQ61mZn Thanks in advance! Quote Share this post Link to post Share on other sites
GT500 808 Report post Posted March 4 13 hours ago, Ravock said: Their personal ID is: 0184Asd374y5QJcl9AKinJpoFZAvJtOVIpBtJlF4pvNKSFQ61mZn That's not much information to go on. The ID looks like it's from the STOP/Djvu ransomware, however without knowing the variant I can't say whether or not the files would be decryptable. They can give our decrypter a try, and it will output more information if it's not able to decrypt the files. There is more information at the following link:https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ Quote Share this post Link to post Share on other sites
Ravock 0 Report post Posted March 4 39 minutes ago, GT500 said: That's not much information to go on. The ID looks like it's from the STOP/Djvu ransomware, however without knowing the variant I can't say whether or not the files would be decryptable. They can give our decrypter a try, and it will output more information if it's not able to decrypt the files. There is more information at the following link:https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ I'm so sorry! I can give more info, but I don't know what you're looking for... Some pictures and .dat files have received the .mbed extension. There was a _readme text file with instructions, a email address and the personal code I posted here. I guess that's it. If there's any other info you need, let me know! Meanwhile, I'll have them try your decrypter. Fingers crossed! Quote Share this post Link to post Share on other sites
Amigo-A 131 Report post Posted March 4 Quote Extension: .mbed note: _readme.txt Email: [email protected], [email protected] Number ID: 184 (0184) This variant of Stop Ransomware: IV. Gero group (RSA) He has been known since November 2019. Quote Share this post Link to post Share on other sites
Ravock 0 Report post Posted March 4 3 hours ago, Amigo-A said: This variant of Stop Ransomware: IV. Gero group (RSA) He has been known since November 2019. Yes! That's the one! I looked at the decypter page and I couldn't find the mbed extention. So they've lost all their files? Quote Share this post Link to post Share on other sites
Amigo-A 131 Report post Posted March 5 The developers decided not to show supported extensions for group RSA Quote Share this post Link to post Share on other sites
GT500 808 Report post Posted March 5 There's a list of all known STOP ransomware extensions at the following link:https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/#entry4442422 The issue with keeping a list for the newer variants is that it needs updated constantly, and for a while there was a new variant every day. Our malware analysts didn't have time to keep lists like that up to date, and I didn't have any guarantee that I would be notified in a reasonable amount of time about a new variant to keep the list up to date, so we leave it up to BleepingComputer to tracker newer variants. Quote Share this post Link to post Share on other sites
Amigo-A 131 Report post Posted March 5 also my lists https://id-ransomware.blogspot.com/p/hot-stop.html - HOT STOP list in Englishhttps://id-ransomware.blogspot.com/2017/12/stop-ransomware.html - with Transaltion into English This is updated daily, starting with the very first days and with the very first variants. --- @Ravock The offline key for .mbed earlier was loaded into the decryptor. But, if you entered the correct ID in first message, then the decryptor should inform you, files were encrypted by the offline key Quote Share this post Link to post Share on other sites
Ravock 0 Report post Posted March 5 I had them try the decrypter and, sadly, the files were encrypted using an online key... As the program itself stated, decryption is now impossible, so they decided to keep the encrypted files hoping that someday they'll be able to recover them... This was my first interaction with an actual ransomware and it's incredibly cruel. They lost some very important pictures like wedding photos, some birthday photos, etc. Anyway, thanks so much for your help and I hope you guys continue to help those who need. Thank you! PS: They can't afford to pay the... "person"... that did this, they're charging around $900 that, when converted to our currency, becomes more than what a middle - low class family earns in a whole month. Quote Share this post Link to post Share on other sites
GT500 808 Report post Posted March 6 17 hours ago, Ravock said: PS: They can't afford to pay the... "person"... that did this, they're charging around $900 that, when converted to our currency, becomes more than what a middle - low class family earns in a whole month. That's unfortunately rather common with this ransomware. It's usually distributed via pirated software downloads (or fake movie or music downloads), and since a large number of people who tend to download pirated content happens to be those with limited incomes, they tend to be the people who are encountering this ransomware the most often. Quote Share this post Link to post Share on other sites
