Hi, my computer was infected with ransomware CARLOS.sqpc. I have already run Malwarebytes to try and remove the virus (quarantined the report). I am unable to get into any of my locked files and have not been able to decrypt any files. I have run FRST and EEK and saved the logs. How do I attach it to the message.

Quote

.sqpc

Hello. Attach a ransom note and several encrypted files to the message first.

Or use the site https://dropmefiles.com/ to transfer files. Just drag the files to this page and you will receive a link.

In the same way, you can transfer log files.

.sqpc extension - this is the result of 'STOP Ransomware' encryption

.CARLOS extension - this is the result of 'another ransomware' encryption

19 hours ago, Bonita Smith said:

How do I attach it to the message.

You can either drag and drop files into the field where you type your reply, or click the "Choose files" link at the bottom of the reply field.


Hi guys

This is my mother. I have been trying to assist her where I can, as I'm in IT as well.

Here is the link with some ransomware files:

https://dropmefiles.com/d5QBf

 

thanks

6 hours ago, Amigo-A said:

Hello. Attach a ransom note and several encrypted files to the message first.

Or use the site https://dropmefiles.com/ to transfer files. Just drag the files to this page and you will receive a link.

In the same way, you can transfer log files.

.sqpc extension - this is the result of 'STOP Ransomware' encryption

.CARLOS extension - this is the result of 'another ransomware' encryption

https://dropmefiles.com/d5QBf


Hello, Bonita Smith and Donnysmith7

For example, this is your file:
IMG_2460.JPG.[C019BC27].[[email protected]].CARLOS.sqpc

IMG_2460.JPG.sqpc - Your file IMG_2460.JPG was first encrypted with "STOP Ransomware", which added the extension .sqpc

Then it was encrypted with the Carlos version (from the Oled-Makop Ransomware family), which added the extension .[C019BC27].[[email protected]].CARLOS

Then it was encrypted again by "STOP Ransomware", which added the extension .sqpc


Such malware activity on your PC means that you downloaded and started something during the period from May 7 to May 11, 2020.

Moreover, at least one piece of malware is still active on your PC, and the PC urgently needs to be scanned and cleaned of the "STOP Ransomware" malware.


This situation is complicated by the fact that "Carlos" encrypted the ransom notes that "STOP" left, and after that "STOP" did not leave new notes, because they had already been left earlier but were damaged by "Carlos".

Thus, if you look through all the _readme.txt files and do not find a note with text that can be read, then you do not have a ransom note from "STOP".

You also need to search for readme-warning.txt files, as they may have been left by "Carlos".


Hi. I have looked all over and I am not finding any other readme.txt file. I must have deleted the file. I have backups of 90% of my files and folders. There is just one that I need to have restored, and that is my .pst file. Do you have any solutions for this?


I will wipe the drive and re-install all programs.


The STOP/Djvu ransomware is easy to remove, and can be detected by most Anti-Virus software. We have a free scanner called "Emsisoft Emergency Kit" you can use if you'd like:
https://www.emsisoft.com/en/home/emergencykit/

After that, try running our STOP/.Djvu decrypter and let me know what ID it says your files have:
https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

More information is available at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


Hi GT500

I ran "Emsisoft Emergency Kit". My computer is clean, nothing found.

Then ran Decryption-tools/stop-djvu. Report:

File: C:\Users\Bonita\Videos\VEHICLE REG PAPERS\Thumbs.db.sqpc
No key for New Variant offline ID: 0KLrVHeAVnIO5BGYK4AZAam9bU1YcAOZPzSigbt1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future

I will add the log file for you.

Any suggestions?

_readme.txt

log 2 stop djvu.txt

Quote

No key for New Variant offline ID: 0KLrVHeAVnIO5BGYK4AZAam9bU1YcAOZPzSigbt1

If this offline ID was used, then after the decryptor receives the decryption key, some files can be decrypted.

This is in theory. If the files were encrypted three times, then the probability of complete decryption tends to 0.

10 hours ago, Amigo-A said:

If the files were encrypted three times, then the probability of complete decryption tends to 0.

Only some of the files were encrypted multiple times, so the odds of recovery may not be zero depending on whether or not all STOP/Djvu encrypted files have the same ID.

 

17 hours ago, Bonita Smith said:

No key for New Variant offline ID: 0KLrVHeAVnIO5BGYK4AZAam9bU1YcAOZPzSigbt1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future

This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant.

There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Note that we may not be able to do anything about the files that were encrypted multiple times (the ones with an e-mail address in the names). Even if both ransomwares are decryptable, it's not abnormal for corruption to happen to encrypted files when more than one ransomware tries to encrypt them.

On 5/15/2020 at 12:50 AM, Donnysmith7 said:

So will there be any possibility to decrypt the .pst files which only have the .sqpc encryption?

As long as the files have an offline ID, then they should be decryptable once we have the private key. When in doubt, run a file through the decrypter, and it will tell you whether a file's ID is online or offline.
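
The suffix layering described earlier in this thread (`.sqpc` from STOP, `.[ID].[address].CARLOS` from the Carlos variant) can be used to sort an affected folder into files that carry only a STOP layer and files that were encrypted more than once. This is an added example, not part of the thread and not an Emsisoft tool; the function names, group names and sample file names (including the placeholder address) are constructed for illustration.

```python
import re

# Suffixes as they appear in the file name quoted in the thread.
STOP_SUFFIX = re.compile(r"\.sqpc$", re.IGNORECASE)
# ".[<hex id>].[<contact address>].CARLOS" appended by the Carlos variant.
CARLOS_SUFFIX = re.compile(r"\.\[[0-9A-F]+\]\.\[[^\]]*\]\.CARLOS$", re.IGNORECASE)


def peel_layers(name):
    """Strip known suffixes right to left; layers are listed outermost first."""
    layers = []
    while True:
        for label, pattern in (("STOP", STOP_SUFFIX), ("CARLOS", CARLOS_SUFFIX)):
            match = pattern.search(name)
            if match:
                name = name[: match.start()]
                layers.append(label)
                break
        else:
            # No known suffix left: what remains is the original file name.
            return name, layers


def triage(names):
    """Sort names into untouched, STOP-only and needs-review groups."""
    groups = {"not_encrypted": [], "stop_only": [], "needs_review": []}
    for encrypted in names:
        original, layers = peel_layers(encrypted)
        if not layers:
            groups["not_encrypted"].append(encrypted)
        elif layers == ["STOP"]:
            # Candidates for the STOP/Djvu decrypter once the offline key exists.
            groups["stop_only"].append(encrypted)
        else:
            # Carlos layer present or more than one pass: recovery is uncertain.
            groups["needs_review"].append((encrypted, original, layers))
    return groups


# Constructed sample names; the address is a placeholder, not from the thread.
SAMPLE = [
    "Outlook.pst.sqpc",
    "IMG_2460.JPG.[C019BC27].[user@example.invalid].CARLOS.sqpc",
    "scan.pdf.sqpc.[C019BC27].[user@example.invalid].CARLOS.sqpc",
    "notes.txt",
]

if __name__ == "__main__":
    for group, items in triage(SAMPLE).items():
        print(group, items)
```

Run it against a directory listing taken from a copy of the affected data, and keep the encrypted files untouched until a key is available.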
