saerdib

Is it impossible to decrypt files with an online ID and the .Maas extension?


Please help me as soon as possible.

All the data of my work on my external HDD was encrypted with the Maas virus.

That was very harmful and bad for me, so much more than you can imagine (since I don't have another copy of the data, and most xlsx files, which I really need, can't be recovered successfully with recovery software).

I've learned that the process of decrypting the ransom virus with an online ID and unique key looks impossible (at least recently).

But I hope you find a solution and actively work for it, and I'm sure that you are doing your best for this case.

My personal online ID:
0239yjnkjddrtlOcGx5NH5gOrcJIXbn3gCiG8v5yNjLYxBCEn50jq

Infected file extension: .Maas (new STOP Djvu), which is recently undecryptable

Date of infection: 07 / 07 / 2020

The file that displays the ransom and payment information: __readme.txt

Email of criminals: [email protected] and [email protected]

Should I back up my data in case a solution might appear, or format my drive and try to recover some of my files?

Is it possible that comparing two identical files (the encrypted file and the original one before infection) could help find a solution soon if I upload them to you?

Please, I need your advice, and thanks a lot.

Best regards

5 hours ago, saerdib said:

Should I back up my data in case a solution might appear, or format my drive and try to recover some of my files?

Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future.

We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters:
https://www.bleepingcomputer.com/

If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news:
https://www.bleepingcomputer.com/feed/


5 hours ago, saerdib said:

Is it possible that comparing two identical files (the encrypted file and the original one before infection) could help find a solution soon if I upload them to you?

Newer variants of the STOP/Djvu ransomware use RSA keys, which are impervious to most forms of attack.

13 hours ago, GT500 said:

Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future.

We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters:
https://www.bleepingcomputer.com/

If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news:
https://www.bleepingcomputer.com/feed/


Newer variants of the STOP/Djvu ransomware use RSA keys, which are impervious to most forms of attack.

Hi,

I too was just infected with the .Maas virus, and the decrypt_STOPDjvu tool cannot unlock the files as they have an online ID. My questions are:

How likely is it that a working tool to decrypt those files will be available in the future?

Should I make an image of those files using Acron, or just keep the files on another partition until a solution is available?

What is the best antivirus that protects against those sorts of viruses without slowing the PC down, as this is my gaming/video editing PC?

Thank you in advance.

8 hours ago, Adam3k3 said:

How likely is it that a working tool to decrypt those files will be available in the future?

We already have a decrypter for the STOP/Djvu ransomware. What it needs to decrypt your files is the private key for your ID, which only the criminals have.

9 hours ago, Adam3k3 said:

Should I make an image of those files using Acron, or just keep the files on another partition until a solution is available?

Yes, we highly recommend making a backup of your encrypted files and keeping it in a safe place.

9 hours ago, Adam3k3 said:

What is the best antivirus that protects against those sorts of viruses without slowing the PC down, as this is my gaming/video editing PC?

We make an Anti-Virus called Emsisoft Anti-Malware that has good ransomware protection:
https://www.emsisoft.com/en/software/antimalware/

On 7/11/2020 at 8:40 AM, GT500 said:

We already have a decrypter for the STOP/Djvu ransomware. What it needs to decrypt your files is the private key for your ID, which only the criminals have.

Yes, we highly recommend making a backup of your encrypted files and keeping it in a safe place.

We make an Anti-Virus called Emsisoft Anti-Malware that has good ransomware protection:
https://www.emsisoft.com/en/software/antimalware/

Thank you for the quick reply. I just have some questions that are important to me, if you don't mind.

1. What are the chances of the criminals getting my desktop files transferred to them, as I had a 50 MB desktop folder with important pictures?

2. How likely is it that a solution will be found for my files without me getting the key from the criminals, since this is highly unlikely?

3. When I got infected, I noticed that my Google Chrome had a message saying that this browser is managed by someone else and that they may have access outside the browser. The question is: did they get access to my Gmail and Drive? I did not receive any login notification and have 2-step verification enabled. Also, should I change my password?

4. Speaking of passwords, do I need to change every site password, since I have them stored in the browsers as well as the Last Pass extension? Should I change that as well?

Thank you once again for taking the time.

1 hour ago, Adam3k3 said:

I just have some questions that are important to me, if you don't mind.

While GT500 is resting, I will try to answer your questions. Then you can compare answers.

1 hour ago, Adam3k3 said:

1. What are the chances of the criminals getting my desktop files transferred to them, as I had a 50 MB desktop folder with important pictures?

Most likely, because the size is very small, and the files on the Desktop are a 'tasty' target for any extortionist.

1 hour ago, Adam3k3 said:

3. When I got infected, I noticed that my Google Chrome had a message saying that this browser is managed by someone else and that they may have access outside the browser. The question is: did they get access to my Gmail and Drive? I did not receive any login notification and have 2-step verification enabled. Also, should I change my password?

4. Speaking of passwords, do I need to change every site password, since I have them stored in the browsers as well as the Last Pass extension? Should I change that as well?

To grab information from browsers and programs (including well-known ones such as 'Last Pass'), STOP Ransomware uses a whole set of tools for data theft. Ursnif is one of the many tools. They can change this in different versions of 'STOP Ransomware'.

If your PC has become a de facto toy in the hands of extortionists and information thieves, then you need to use a secure (non-compromised) device to change passwords. This is the ideal.

If you do not have another device and the password store is not synchronized with other devices (smartphone, tablet, etc.), then it is necessary to check the affected PC as thoroughly as possible for the presence of active and dormant security threats.

3 hours ago, Amigo-A said:

While GT500 is resting, I will try to answer your questions. Then you can compare answers.

Most likely, because the size is very small, and the files on the Desktop are a 'tasty' target for any extortionist.

To grab information from browsers and programs (including well-known ones such as 'Last Pass'), STOP Ransomware uses a whole set of tools for data theft. Ursnif is one of the many tools. They can change this in different versions of 'STOP Ransomware'.

If your PC has become a de facto toy in the hands of extortionists and information thieves, then you need to use a secure (non-compromised) device to change passwords. This is the ideal.

If you do not have another device and the password store is not synchronized with other devices (smartphone, tablet, etc.), then it is necessary to check the affected PC as thoroughly as possible for the presence of active and dormant security threats.

Thanks for the reply.

1. Is it 100%? I got the virus after downloading a torrent. I thought these types of viruses only encrypt your data. I have over 30 folders with files on the desktop, so did the virus automatically upload everything? I switched off the internet not long after I got infected.

2. I changed my passwords and formatted the PC. Could the hackers log into my Google Drive/Gmail, skipping the two-step verification, despite me not receiving an alert on my phone/email?

3 hours ago, Adam3k3 said:

2. I changed my passwords and formatted the PC. Could the hackers log into my Google Drive/Gmail, skipping the two-step verification, despite me not receiving an alert on my phone/email?

Two-factor authentication also has its own vulnerabilities. SMS is an unreliable security element.
If no one tried to log into your account before you safely changed your passwords, then this time you have probably secured the data on the disk.

4 hours ago, Adam3k3 said:

1. Is it 100%? I got the virus after downloading a torrent. I thought these types of viruses only encrypt your data. I have over 30 folders with files on the desktop, so did the virus automatically upload everything?

No. In this case, it is wrong to talk about percentages.
Most likely, they could steal some data before they started encryption.
In extortion, encryption can be the second or even third element of an attack. For example, the model may be as follows: first, the Trojan downloader is introduced, then surveillance is carried out, desktop screenshots are taken, and a list of frequently opened files and folders and of visited sites is compiled. The obtained preliminary information is easily sent to the attacker's server and processed, then a command is issued to additionally download the "interesting" parts. After downloading information with which they can blackmail the victim and confirm the ability to decrypt files, a command is issued to encrypt the files. This may take one or more days in the case of STOP Ransomware.

Above, I gave you a link to the analysis in which Ursnif takes top place. You can search by this name or use the links to articles that appear in this link if you click on the name 'Ursnif Malware'. It has been used to steal data for about 7 years or more. If the extortionists who use STOP Ransomware for encryption have adopted this tool, it means that it is not for nothing.

Rest assured that they will try to get the maximum benefit out of the affected PC if their malware is not destroyed.

3 hours ago, Amigo-A said:

Two-factor authentication also has its own vulnerabilities. SMS is an unreliable security element.
If no one tried to log into your account before you safely changed your passwords, then this time you have probably secured the data on the disk.

Thanks for the explanation. Once I got hit, I quickly downloaded AVG antivirus, scanned everything, then performed a system restore. I also switched off the internet from the Windows adapter. I have now done a full system format after backing up my encrypted files. Also, I did not get a sign-in notification for my Google account or others in the past two days. I checked Google Drive and Gmail and everything appears to be in place. I also changed my passwords. Fingers crossed that nothing was stolen. Thanks again.

On 7/12/2020 at 10:19 AM, Adam3k3 said:

1. What are the chances of the criminals getting my desktop files transferred to them, as I had a 50 MB desktop folder with important pictures?

I'm not aware of any cases of files being stolen with the STOP/Djvu ransomware; however, it's still entirely possible for them to alter tactics and do something like that. Several ransomware families that have been targeting businesses have already started stealing data for use as blackmail/extortion.

Of course, there's always the possibility that the computer was infected by other things as well, increasing the likelihood of data theft.

On 7/12/2020 at 10:19 AM, Adam3k3 said:

4. Speaking of passwords, do I need to change every site password, since I have them stored in the browsers as well as the Last Pass extension? Should I change that as well?

Absolutely. The STOP/Djvu ransomware uses the Azorult trojan to steal passwords, so change any passwords you use.
