Ravock

Encrypted files. Help please!


Hey guys, can you please lend me a hand?

A friend got their files encrypted and they really need them back.

Their personal ID is:

0184Asd374y5QJcl9AKinJpoFZAvJtOVIpBtJlF4pvNKSFQ61mZn

Thanks in advance!

13 hours ago, Ravock said:

Their personal ID is:

0184Asd374y5QJcl9AKinJpoFZAvJtOVIpBtJlF4pvNKSFQ61mZn

That's not much information to go on. The ID looks like it's from the STOP/Djvu ransomware; however, without knowing the variant I can't say whether or not the files would be decryptable. They can give our decrypter a try, and it will output more information if it's not able to decrypt the files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

39 minutes ago, GT500 said:

That's not much information to go on. The ID looks like it's from the STOP/Djvu ransomware; however, without knowing the variant I can't say whether or not the files would be decryptable. They can give our decrypter a try, and it will output more information if it's not able to decrypt the files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

I'm so sorry! I can give more info, but I don't know what you're looking for...

Some pictures and .dat files have received the .mbed extension.

There was a _readme text file with instructions, an email address and the personal code I posted here.

I guess that's it.

If there's any other info you need, let me know!

Meanwhile, I'll have them try your decrypter.

Fingers crossed!

3 hours ago, Amigo-A said:

This variant of Stop Ransomware: IV. Gero group (RSA)

It has been known since November 2019.

Yes! That's the one!

I looked at the decrypter page and I couldn't find the mbed extension.

So they've lost all their files?


The developers decided not to show supported extensions for group RSA


There's a list of all known STOP ransomware extensions at the following link:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/#entry4442422

The issue with keeping a list for the newer variants is that it needs to be updated constantly, and for a while there was a new variant every day. Our malware analysts didn't have time to keep lists like that up to date, and I didn't have any guarantee that I would be notified in a reasonable amount of time about a new variant to keep the list up to date, so we leave it up to BleepingComputer to track newer variants.


also my lists :) 

https://id-ransomware.blogspot.com/p/hot-stop.html - HOT STOP list in English
https://id-ransomware.blogspot.com/2017/12/stop-ransomware.html - with translation into English

This is updated daily, starting with the very first days and with the very first variants. 

---

@Ravock

The offline key for .mbed was loaded into the decryptor earlier.
But if you entered the correct ID in the first message, then the decryptor should inform you that the files were encrypted by the offline key.

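To make the offline/online distinction discussed above concrete, here is a small triage helper. It is an added example, not Emsisoft's decrypter and not code from anyone in this thread. It walks a folder, counts files carrying the reported ransomware extension (grouped by the original file type that sits in front of it), finds the ransom note and pulls out the personal ID. The note file name (_readme.txt), the "Your personal ID:" line format and the rule that offline-key IDs for this family end in "t1" are assumptions taken from Emsisoft's public decrypter documentation, not from this thread; the sample folder and note are constructed, with the ID from the first post used as the sample value. The ID from this thread does not carry the offline marker, which matches the outcome reported later in the thread.

```python
"""
Constructed triage helper for a STOP/Djvu-style incident: inventory files that
carry the appended extension, extract the personal ID from the ransom note and
report whether the ID carries the offline-key marker.

Added example; not Emsisoft's decrypter. Assumptions (not stated in the thread):
the note is named _readme.txt and contains a "Your personal ID:" line followed
by the ID, and offline-key IDs end in "t1" (per Emsisoft's decrypter FAQ).
Any other ID is reported as online, i.e. not decryptable without the key.
"""
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "_readme.txt"          # assumption: standard note file name
OFFLINE_SUFFIX = "t1"              # assumption: marker on offline-key IDs
ID_RE = re.compile(r"personal\s+ID\s*:?\s*([A-Za-z0-9]{40,})", re.IGNORECASE)


def extract_personal_id(note_text: str):
    """Return the personal ID found in a ransom note, or None."""
    m = ID_RE.search(note_text)
    return m.group(1) if m else None


def classify_id(personal_id: str) -> str:
    """'offline' when the ID ends with the offline marker, else 'online'."""
    return "offline" if personal_id.endswith(OFFLINE_SUFFIX) else "online"


def inventory(root: str, ext: str):
    """Count encrypted files by original type and collect ransom note paths."""
    counts = Counter()
    notes = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == NOTE_NAME:
                notes.append(os.path.join(dirpath, name))
            elif name.lower().endswith(ext):
                # original extension sits in front of the appended one
                base = name[: -len(ext)]
                orig_ext = os.path.splitext(base)[1].lower() or "(none)"
                counts[orig_ext] += 1
    return counts, notes


def triage(root: str, ext: str = ".mbed") -> dict:
    """Summarise the folder: file counts, note count, ID and key type."""
    counts, notes = inventory(root, ext)
    personal_id = None
    for path in notes:
        with open(path, encoding="utf-8", errors="replace") as fh:
            personal_id = extract_personal_id(fh.read())
        if personal_id:
            break
    return {
        "encrypted_files": sum(counts.values()),
        "by_original_type": dict(counts),
        "notes_found": len(notes),
        "personal_id": personal_id,
        "key_type": classify_id(personal_id) if personal_id else "unknown",
    }


def build_sample_tree() -> str:
    """Create a constructed folder resembling the situation in this thread."""
    root = tempfile.mkdtemp(prefix="stop_triage_")
    pics = os.path.join(root, "Pictures")
    os.makedirs(pics)
    for name in ("wedding01.jpg.mbed", "wedding02.jpg.mbed",
                 "save.dat.mbed", "notes.txt"):
        with open(os.path.join(pics, name), "wb") as fh:
            fh.write(b"\x00" * 16)          # placeholder content
    # constructed note body; the ID is the one posted in this thread
    note = ("ATTENTION!\n(constructed note body)\n\nYour personal ID:\n"
            "0184Asd374y5QJcl9AKinJpoFZAvJtOVIpBtJlF4pvNKSFQ61mZn\n")
    with open(os.path.join(pics, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write(note)
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Running it against a real folder (`triage("/path/to/affected/folder", ".mbed")`) gives a quick picture of how many files and which types were hit and, from the ID, whether the decrypter has any chance before anyone spends time on it; the extension list kept by BleepingComputer and id-ransomware is still needed to map an unknown extension to a variant.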

I had them try the decrypter and, sadly, the files were encrypted using an online key...

As the program itself stated, decryption is now impossible, so they decided to keep the encrypted files hoping that someday they'll be able to recover them...

This was my first interaction with an actual ransomware and it's incredibly cruel.

They lost some very important pictures like wedding photos, some birthday photos, etc.

Anyway, thanks so much for your help and I hope you guys continue to help those who need it.

Thank you!

PS: They can't afford to pay the... "person"... that did this; they're charging around $900, which, when converted to our currency, becomes more than what a middle-to-low-class family earns in a whole month.

17 hours ago, Ravock said:

PS: They can't afford to pay the... "person"... that did this; they're charging around $900, which, when converted to our currency, becomes more than what a middle-to-low-class family earns in a whole month.

That's unfortunately rather common with this ransomware. It's usually distributed via pirated software downloads (or fake movie or music downloads), and since a large number of the people who tend to download pirated content happen to be those with limited incomes, they tend to be the people who encounter this ransomware the most often.
