Mh.hemmat

I got some of my encrypted files back


Hello.
After several days of dealing with this KODC ransomware, I realized that it has some weaknesses.
Some videos as well as MP3 and WAV files, and a few folders, remain completely intact.

The virus is also weak in encrypting certain formats, such as zip and mp3.

About zip files:
Remove the .KODC extension from the end of the file and open it. Only one file may have a problem and the rest may still be usable.
(This method does not work for all zip files.)

About mp3 files:
Remove the .KODC extension from the end of the file and open it with KMPlayer. Your file will probably run! However, your file is still encrypted.
To decrypt, open the file (after removing the .KODC extension from the end) in "Freemake Video Converter" and convert it to MP3.

 

This method may also be usable for other STOP/Djvu extensions.

If this works for anyone, please let me know.

  • Like 1

17 hours ago, Mh.hemmat said:

Hello.
After several days of dealing with this KODC ransomware, I realized that it has some weaknesses.
Some videos as well as MP3 and WAV files, and a few folders, remain completely intact.

The virus is also weak in encrypting certain formats, such as zip and mp3.

About zip files:
Remove the .KODC extension from the end of the file and open it. Only one file may have a problem and the rest may still be usable.
(This method does not work for all zip files.)

About mp3 files:
Remove the .KODC extension from the end of the file and open it with KMPlayer. Your file will probably run! However, your file is still encrypted.
To decrypt, open the file (after removing the .KODC extension from the end) in "Freemake Video Converter" and convert it to MP3.

 

This method may also be usable for other STOP/Djvu extensions.

If this works for anyone, please let me know.

Does it work on the mpaj extension virus?

18 hours ago, Mh.hemmat said:

Some videos as well as MP3 and wav files, and few folders remain completely intact.

They're not completely intact. The STOP/Djvu ransomware only encrypted a small part of the beginning of files, and some large files (assuming the file format is tolerant of some missing data at the beginning of the file) can still be opened despite the encryption. Note that some data will probably be missing from files that are recovered this way, and not all files can be recovered this way.

 

42 minutes ago, Kiran2020 said:

Does it work on the mpaj extension virus?

That's another variant of the STOP/Djvu ransomware.

  • Like 1

13 hours ago, Kiran2020 said:

Does it work on the mpaj extension virus?

It probably works for that too. But I'm not sure.

 

12 hours ago, GT500 said:

They're not completely intact.

I don't know why, but some of my folders are intact: no files have been encrypted in these folders, and the KODC extension has not even been added to their names.
For example, a game was installed in one of these folders, and I can still play it. You know a game contains dozens of audio, image, DLL, etc. files, and none of them are lost.

 

12 hours ago, GT500 said:

The STOP/Djvu ransomware only encrypted a small part of the beginning of files,

If the ransomware encrypts only a small portion of the file, then there must be a way to recover a significant number of them.
I mean, the encrypted section should be replaced with data that makes the rest of the file usable.
Isn't it possible to create a decryptor that works this way?

On 4/16/2020 at 3:25 PM, Mh.hemmat said:

I don't know why, but some of my folders are intact: no files have been encrypted in these folders, and the KODC extension has not even been added to their names.

That means something stopped the ransomware before it could finish encrypting your files.

 

On 4/16/2020 at 3:25 PM, Mh.hemmat said:

If the ransomware encrypts only a small portion of the file, then there must be a way to recover a significant number of them.

Some file formats that are tolerant of damaged data can be recovered if the files are large enough; however, there will be missing data (specifically at the beginning of the files).

On 4/17/2020 at 12:55 AM, Mh.hemmat said:

It probably works for that too. But I'm not sure.

 

I don't know why, but some of my folders are intact: no files have been encrypted in these folders, and the KODC extension has not even been added to their names.
For example, a game was installed in one of these folders, and I can still play it. You know a game contains dozens of audio, image, DLL, etc. files, and none of them are lost.

 

If the ransomware encrypts only a small portion of the file, then there must be a way to recover a significant number of them.
I mean, the encrypted section should be replaced with data that makes the rest of the file usable.
Isn't it possible to create a decryptor that works this way?

Not working on the mpaj extension. Tried that free video converter.

3 hours ago, Kiran2020 said:

Not working on the mpaj extension. Tried that free video converter.

The extension is irrelevant. They are all variants of the same ransomware, and all use the same encryption method. The issue is that many file formats aren't tolerant of missing/corrupted data at the beginning of the file, which is why they only need to encrypt the beginning of files to hold them for ransom. Sadly, file recovery software is only rarely able to repair files that have had the beginning of the file encrypted like this.

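The reason an MP3 still "runs" after this kind of damage (the original post) while still losing data (GT500's point above) is that MP3 is a stream of self-describing frames: a player resynchronises on the next valid frame header, so everything after the damaged prefix decodes and only the leading audio is lost. The following Python example is my own addition to illustrate that, not code from the thread or from any recovery tool. It builds a constructed MPEG-1 Layer III stream, overwrites a prefix with filler bytes to mimic prefix-only damage (the real cipher is not modelled), then resynchronises exactly as a player would and reports which frames survived and how much audio was lost. It assumes MPEG-1 Layer III frames and a contiguous damaged prefix.

```python
"""Added example (not from the thread): resynchronising an MP3 stream whose
first bytes were destroyed, to show why such files still play but lose their
beginning.  Assumes MPEG-1 Layer III frames and a contiguous damaged prefix."""

# MPEG-1 Layer III bitrate table (kbps) and sample-rate table; reserved -> 0.
BITRATES_KBPS = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 0]
SAMPLE_RATES = [44100, 48000, 32000, 0]
SAMPLES_PER_FRAME = 1152  # MPEG-1 Layer III

# Constructed header: sync, MPEG-1, Layer III, no CRC, 128 kbps, 44.1 kHz,
# no padding, stereo.  Frame length = 144 * 128000 // 44100 = 417 bytes.
SAMPLE_HEADER = bytes([0xFF, 0xFB, 0x90, 0x00])
SAMPLE_FRAME_LEN = 417


def frame_length_at(data, pos):
    """Return the frame length if a valid MPEG-1 Layer III header starts at
    pos, else None.  This is the same check a decoder uses to resync."""
    if pos + 4 > len(data):
        return None
    b1, b2, b3 = data[pos], data[pos + 1], data[pos + 2]
    if b1 != 0xFF or (b2 & 0xE0) != 0xE0:            # 11-bit frame sync
        return None
    if (b2 >> 3) & 0x3 != 0x3 or (b2 >> 1) & 0x3 != 0x1:  # MPEG-1, Layer III
        return None
    bitrate = BITRATES_KBPS[b3 >> 4]
    sample_rate = SAMPLE_RATES[(b3 >> 2) & 0x3]
    padding = (b3 >> 1) & 0x1
    if bitrate == 0 or sample_rate == 0:
        return None
    return 144 * bitrate * 1000 // sample_rate + padding


def find_sync(data, min_run=3):
    """First offset from which min_run consecutive valid frames chain.
    Requiring a chain avoids false syncs inside random-looking damaged bytes."""
    for pos in range(len(data) - 4):
        p = pos
        for _ in range(min_run):
            n = frame_length_at(data, p)
            if n is None:
                break
            p += n
        else:
            return pos
    return None


def carve_mp3_frames(data, min_run=3):
    """Resynchronise like a player and return (start_offset, surviving_frames).
    Returns (None, []) when no audio frames survived at all."""
    start = find_sync(data, min_run)
    if start is None:
        return None, []
    frames, pos = [], start
    while True:
        n = frame_length_at(data, pos)
        if n is None or pos + n > len(data):
            break                      # end of chain or truncated last frame
        frames.append(data[pos:pos + n])
        pos += n
    return start, frames


def build_sample_mp3(num_frames):
    """Constructed stream: each frame's payload is filled with its index."""
    return b"".join(SAMPLE_HEADER + bytes([i & 0xFF]) * (SAMPLE_FRAME_LEN - 4)
                    for i in range(num_frames))


def simulate_prefix_damage(data, prefix_len):
    """Overwrite the first prefix_len bytes with filler (damage only; the
    thread's ransomware cipher is deliberately not reproduced)."""
    prefix_len = min(prefix_len, len(data))
    return b"\xa5" * prefix_len + data[prefix_len:]


def demo(num_frames=20, prefix_len=1000):
    """Damage the first prefix_len bytes of a constructed stream and report
    where playback can resume and how many milliseconds of audio were lost."""
    damaged = simulate_prefix_damage(build_sample_mp3(num_frames), prefix_len)
    start, frames = carve_mp3_frames(damaged)
    lost_frames = num_frames - len(frames)
    lost_ms = lost_frames * SAMPLES_PER_FRAME * 1000 // 44100
    return {"resync_offset": start, "frames_recovered": len(frames),
            "frames_lost": lost_frames, "audio_lost_ms": lost_ms}


if __name__ == "__main__":
    print(demo())
```

With a 1000-byte damaged prefix over 417-byte frames, the first three frames are unreadable (the third because its header lies inside the prefix even though most of its payload does not), and playback resumes at byte 1251. Re-muxing the surviving frames into a new file is in effect what the converter trick in the original post does; any ID3 tag at the start of a real file is lost along with the prefix.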

Archives are also not fully encrypted; only the first few files are damaged in them.

If you use the wizard of the archiver program, you can unzip the files, and then delete the damaged ones.

  • Like 1

44 minutes ago, Amigo-A said:

Archives are also not fully encrypted; only the first few files are damaged in them.

If you use the wizard of the archiver program, you can unzip the files, and then delete the damaged ones.

Hi Amigo,
You mean that compressing my important data into big archives may fight back the ransomware encryption effect?


Eh, if only we knew in advance ... 😃

Only STOP Ransomware does that. Others encrypt or corrupt archives together with all the files in them. Maybe not all; there are many, and I can't check them all.

  • Like 1

21 hours ago, Mohamed_Ajlan said:

You mean that compressing my important data into big archives may fight back the ransomware encryption effect?

That wouldn't help after the files have already been encrypted. You would have needed to do it before they were encrypted.

The better solution to prevent data loss due to ransomware is to save copies of important files on some sort of external media (USB hard drives, USB flash drives, tape backup drives, etc.) and then keep that media disconnected from the computer when you're not saving backups to it. Remember, if your computer can access your files, then so can a ransomware infection.

  • Like 1


I followed your instructions with regards to the zip files, and it totally worked!!! Thank you, I was able to extract everything intact!!! By any chance, do you know a way to recover those that are in JPG format?


I know that a maximum of 0x500000 bytes (~5 MB) of data is encrypted at the beginning of each file.
If for a large archive this may be critical for several files in the archive, then for photographs this may be more critical.

But encryption is changing, @Demonslay335 can tell more precisely. 

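Amigo-A's two observations above (only the first few members of an archive are damaged, and at most 0x500000 bytes of each file are encrypted) follow from the ZIP layout: the central directory that lists every member sits at the end of the file, so it survives, and any member whose local header and data lie past the encrypted prefix can still be extracted and CRC-checked. The Python example below is my own addition, not code from the thread or from any decryptor; it builds a constructed archive, overwrites a prefix with filler bytes to mimic the damage (the cipher is not modelled), then triages the archive with the standard library's zipfile module. It assumes the damage is a contiguous prefix and that the ransom extension has already been removed from the file name.

```python
"""Added example (not from the thread): triage a ZIP archive whose leading
bytes were destroyed and recover the members lying beyond the damaged prefix.
Assumes a contiguous damaged prefix and an intact central directory."""
import io
import zipfile

# Upper bound quoted in the thread for the encrypted prefix (0x500000 bytes).
MAX_ENCRYPTED_PREFIX = 0x500000


def build_sample_archive(members):
    """Build an in-memory ZIP from (name, bytes) pairs (constructed data).
    ZIP_STORED keeps member offsets predictable; real archives compress."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


def simulate_prefix_damage(archive_bytes, prefix_len=MAX_ENCRYPTED_PREFIX):
    """Overwrite the first prefix_len bytes with filler to mimic prefix-only
    damage (this does not reproduce the ransomware's cipher)."""
    prefix_len = min(prefix_len, len(archive_bytes))
    return b"\xff" * prefix_len + archive_bytes[prefix_len:]


def triage_damaged_zip(archive_bytes, prefix_len=MAX_ENCRYPTED_PREFIX):
    """Return (recoverable, lost, directory_ok).

    recoverable: name -> bytes for members whose local header starts after
                 the damaged prefix and whose CRC-32 verified on extraction
    lost:        names that overlap the prefix or failed to extract
    directory_ok: False when the end-of-file central directory itself is
                 gone (archive shorter than the prefix); nothing is listed
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))  # parses the central directory
    except zipfile.BadZipFile:
        return {}, [], False

    recoverable, lost = {}, []
    with zf:
        for info in zf.infolist():
            # A member's local header precedes its data, so a header inside
            # the damaged prefix means the member is unreadable; skip it.
            if info.header_offset < prefix_len:
                lost.append(info.filename)
                continue
            try:
                recoverable[info.filename] = zf.read(info)  # zipfile verifies CRC-32
            except (zipfile.BadZipFile, EOFError):
                lost.append(info.filename)
    return recoverable, lost, True


def demo(prefix_len=MAX_ENCRYPTED_PREFIX):
    """Constructed scenario: a 6 MB member first, then two small members.
    Returns (intact member names, lost member names, directory_ok)."""
    members = [
        ("big_video_like.bin", b"\x00" * (6 * 1024 * 1024)),
        ("notes.txt", b"Backups kept offline survive; so does this member.\n"),
        ("photo_like.bin", bytes(range(256)) * 64),
    ]
    original = build_sample_archive(members)
    damaged = simulate_prefix_damage(original, prefix_len)
    recoverable, lost, ok = triage_damaged_zip(damaged, prefix_len)
    # Cross-check the extracted bytes against the undamaged originals.
    intact = [n for n, d in members if recoverable.get(n) == d]
    return sorted(intact), sorted(lost), ok


if __name__ == "__main__":
    intact, lost, ok = demo()
    print("central directory readable:", ok)
    print("recoverable members:", intact)
    print("lost members:", lost)
```

The first member here straddles the 5 MB prefix and is lost; the two members stored after it extract with matching CRC-32. This is also why a small archive (shorter than the prefix) is unrecoverable by this route: its central directory is inside the damaged region, so there is nothing left to list.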
20 hours ago, nadine021 said:

I followed your instructions with regards to the zip files, and it totally worked!!! Thank you, I was able to extract everything intact!!! By any chance, do you know a way to recover those that are in JPG format?

JPG files don't all have the same first 5 bytes, so they're a little more difficult. Usually you need to have a file pair for each source the JPG files came from. A source could be a camera, photo editing software, a phone, etc.

On 5/25/2020 at 10:43 AM, GT500 said:

JPG files don't all have the same first 5 bytes, so they're a little more difficult. Usually you need to have a file pair for each source the JPG files came from. A source could be a camera, photo editing software, a phone, etc.

I have a few originals as well as infected ones with me. Is it possible to find out the infection from the rest of the files on my PC?

On 5/24/2020 at 2:30 PM, nadine021 said:

I followed your instructions with regards to the zip files, and it totally worked!!! Thank you, I was able to extract everything intact!!! By any chance, do you know a way to recover those that are in JPG format?

What you followed, please explain; it may be useful to us.

11 minutes ago, Kiran2020 said:

What you followed, please explain; it may be useful to us.

I followed this one:

“About zip files:
Remove the .KODC extension from the end of the file and open it. Only one file may have a problem and the rest may still be usable.
(This method does not work for all zip files.)”

 

Once you’ve opened the zipfile, copy and paste its contents to a new folder. The contents will then become reusable.

22 hours ago, Kiran2020 said:

I have a few originals as well as infected ones with me. Is it possible to find out the infection from the rest of the files on my PC?

First and foremost, your files aren't "infected". They're encrypted.

You need at least one original JPG file from each source you've obtained them from. Check and see if you've ever shared any of your JPG files with others. Have you sent any via e-mail, or shared them via file sharing services (OneDrive, Google Drive, Dropbox, etc.)? Have you copied them to USB flash drives, CDs or DVDs, or external hard drives?
