Semkov

Encrypted photos with .redmat

Hello team Emsisoft. 

I am from Bulgaria. Since June 2019, my files have been encrypted with .redmat. I was waiting for solutions. Yesterday I downloaded the Emsisoft StopDJVU decryptor. Some of my photos were decrypted successfully and some of them not (1-2% decrypted). After that, I uploaded on your site some encrypted photos and their originals, which I found on my other devices. Can you tell me why the decryption works only for this small percentage of photos and what I have to do? I can send you my ID, but I would prefer to do so in a private message. Also, the Emsisoft decryptor says: "Unable to decrypt Old Variant ID". Thank you for your support.


The FAQ already explains this...

Quote

What is a file pair? This refers to a pair of files that are identical (as in they are the exact same file), except one copy is encrypted and the other is not. Our decryption service can analyze the differences between an encrypted file and an original unencrypted copy of the same file, allowing it to determine how to decrypt that type of file. For most victims with an older variant of STOP/Djvu, submitting file pairs will be the only way they will get their files back.

File pairs only work for one type of file. Due to the way encryption works in STOP/Djvu, file pairs can only help the decryption service figure out how to decrypt one type of file. For instance, if you submit a file pair for an MP3 file, then the decrypter will be able to decrypt all of your other MP3 files, however it won't be able to decrypt any other type of file. There are some exceptions to this, such as certain newer Microsoft Office documents (such as DOCX and XLSX) since those files are technically ZIP archives.

The decrypter can't decrypt all of my pictures even though I submitted file pairs for them? JPEG/JPG images have a format oddity that causes file pairs to be specific to each source of pictures, rather than the file format in general. As an example, if you have pictures from two different cameras, and submit a file pair from the group of pictures from one of the cameras, then the decrypter will only be able to decrypt files from the camera that the file pair came from. In order to decrypt all JPEG/JPG images, you will need to submit file pairs from every source you've obtained those pictures from.

 


Thank you, but I have uploaded photos from all three cameras that I used for the encrypted photos. Also, I have noticed that some of the photos which have been decrypted successfully don't have anything in common with the original photos that I uploaded before the decryption process. For example, the photos are from different periods, and some of the photos I have uploaded are not from the period of the successfully decrypted photos. Sorry for my bad English. I have read most of the topics and am just trying to understand how the ransomware works and give the Emsisoft team a different case so I can help myself and other victims, because I have lost all of my photos because of my stupidity. Greetings.


The issue is that JPEG/JPG files don't all have the same first 5 bytes, however the files that can be decrypted have to have the same first 5 bytes as the files you use as file pairs. The decrypter actually tells you the first 5 bytes when trying to decrypt files, that way you can check and see which files have the same first 5 bytes and try to see if you can find a valid file pair for them.

My recommendation is to upload as many file pairs as you can for your pictures. If you don't have any more, then try to see if there are any encrypted files that you downloaded from the Internet, or that you have copies on USB flash drives/CD's/DVD's/etc, or that you gave to friends or family members.


Thank you GT500. I will try to find more photos, but I am not sure I will succeed. Does it mean that if I don't find any copies, I won't be able to decrypt my photos? Also, what is the case with the video files? Is it easier with them?

1 minute ago, Semkov said:

Does it mean that if I don't find any copies, I won't be able to decrypt my photos?

That's correct.

 

1 minute ago, Semkov said:

Also, what is the case with the video files. Is it easier with them?

Most other file formats aren't as difficult as JPG, and you'll only need one file pair per format. The biggest exception to this is TXT files, which aren't decryptable at all because the first 5 bytes of TXT files are never the same.


Thank you for your fast answer. I won't delete my photos. I will wait for a solution in the future. I know that my chances are close to zero but... Greetings from Bulgaria.

20 hours ago, rohietsethi19 said:

Hi, 

I have only the encrypted .redmat file and don't have the other copy. How can I get the files back from the ransomware? Is there any chance?

If you have an online ID, then you have to have an original/unencrypted copy of each type of file you want to decrypt (or at least for each "first 5 bytes" the decrypter lists in its log). Without file pairs, it isn't possible to generate a keystream that can be used to decrypt your files.

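The replies above tie a file pair to the "first 5 bytes" of a file and to the keystream it yields. The Python sketch below is an added example, not part of the original thread and not Emsisoft's code: it recovers a keystream from one pair and shows it decrypting only files that share the same 5-byte prefix. `toy_encrypt` is a constructed stand-in, not the STOP/Djvu cipher, and it assumes the first 5 bytes stay readable in the encrypted file and select the keystream; all names and sample bytes are hypothetical.

```python
import hashlib

PREFIX_LEN = 5  # the "first 5 bytes" the decrypter lists in its log

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(secret: bytes, plain: bytes) -> bytes:
    """Constructed stand-in, NOT the real cipher. Assumption: the first
    5 bytes stay readable and select the keystream for the rest."""
    prefix, body = plain[:PREFIX_LEN], plain[PREFIX_LEN:]
    keystream = hashlib.shake_256(secret + prefix).digest(len(body))
    return prefix + xor(body, keystream)

def keystreams_from_pairs(pairs):
    """Map each 5-byte prefix to the longest keystream its pairs yield."""
    table = {}
    for original, encrypted in pairs:
        prefix = original[:PREFIX_LEN]
        if encrypted[:PREFIX_LEN] != prefix:
            continue  # not an original/encrypted copy of the same file
        keystream = xor(original[PREFIX_LEN:], encrypted[PREFIX_LEN:])
        if len(keystream) > len(table.get(prefix, b"")):
            table[prefix] = keystream
    return table

def try_decrypt(table, encrypted: bytes):
    """Plaintext, or None when no pair shares the prefix or the
    recovered keystream is shorter than the file."""
    prefix, body = encrypted[:PREFIX_LEN], encrypted[PREFIX_LEN:]
    keystream = table.get(prefix)
    if keystream is None or len(keystream) < len(body):
        return None
    return prefix + xor(body, keystream)

# Constructed sample data: JPEG-like headers from two cameras whose
# fifth byte differs (FF D8 FF E1 2A vs FF D8 FF E1 5F).
SECRET = b"unknown-to-the-victim"
CAM_A_1 = bytes.fromhex("ffd8ffe12a") + b"camera A, first photo, the longer one"
CAM_A_2 = bytes.fromhex("ffd8ffe12a") + b"camera A, second photo"
CAM_B_1 = bytes.fromhex("ffd8ffe15f") + b"camera B, only photo"

TABLE = keystreams_from_pairs([(CAM_A_1, toy_encrypt(SECRET, CAM_A_1))])

if __name__ == "__main__":
    for name, photo in [("A2", CAM_A_2), ("B1", CAM_B_1)]:
        result = try_decrypt(TABLE, toy_encrypt(SECRET, photo))
        print(name, "decrypted" if result == photo else "no matching file pair")
```

In this model the pair from camera A never helps camera B, and a pair shorter than the target file yields too little keystream, which is why more and larger pairs per prefix improve coverage.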
