Jump to content

Files encrypted with .vari extension

Mrack0

By Mrack0,
in Help, my files are encrypted!

 Share Followers 2

Recommended Posts

Amigo-A

Amigo-A 136

Posted
Posted

Attach a ransom note to your message, so that I can write this variant down.

This is the result of an attack of new version of STOP Ransomware.  It was only recorded today and could not be added to the decryptor.
In the future, when the key for this variant is purchased by someone and provided to the developers of the decryptor, the files can be decrypted.

You should check your PC for malware that ALWAYS remains after the STOP Ransomware and remove malware

You can use the tool from Emsisoft, scan Windows and attach a report to the message so that Emsisoft specialists can help you clean your PC. This is important, otherwise your PC will be attacked again and the files will be encrypted with a new variant that will never be decrypted.

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted
2 hours ago, Jith Pillai said:

atQpRfpTf6bEEYHQxofqkrbRZ6xrCH6OD1M6h6t1

Such a case may have a happy ending when the decryption key will loaded into the decryptor. 
So far, this is a new version of STOP Ransomware and the decryption key has not been bought by anyone yet to share. 

There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to post
Share on other sites
Korid

Korid 0

Posted
Posted

Hello there, 

I am also facing problems with the attached ransomware

 

Your personal ID:
0246regyjnkjddrtatQpRfpTf6bEEYHQxofqkrbRZ6xrCH6OD1M6h6t1

 

System PersonalID

atQpRfpTf6bEEYHQxofqkrbRZ6xrCH6OD1M6h6t1.

The only was that we will be able to get back our files is if someone pays the ransom and the key is added to the database, or are there hopes that this problem will be resolved in time?

Thanks in advance for your time and effort.
 

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted
On 8/18/2020 at 6:16 AM, Korid said:

The only was that we will be able to get back our files is if someone pays the ransom and the key is added to the database

Yes, this is the only case so far.

The page 'Hot-STOP' contains a list of all versions and an indication of what was decrypted with the offline key.

.gero, .hese, .geno, .xoza*, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot*, .noos, .kuub, .reco, .bora, .leto*, .nols, .werd, .coot, .derp, .nakw*, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote*, .msop, .hets, .righ, .gesd*, .merl*, .mkos, .nbes, .piny*, .redl*, .kodc*, .nosu*, .reha, .topi, .npsg*, .btos*, .repp, .alka, .bboo*, .rooe*, .mmnn*, .ooss*, .mool*, .nppp, .rezm*, .lokd*, .foop*, .remk, .npsk, .opqz, .mado, .jope*, .mpaj*, .lalo*, .lezp*, .qewe*, .mpal*, .sqpc*, .mzlq*, .koti*, .covm, .pezi*, .nlah*, .kkll*, .zwer*, .nypd*, .usam, .tabe, .vawe, .moba*, .pykw*, .zida*, .maas, .repl*, .kuus*, .erif*, .kook*, .nile*, .oonn*, .vari*, 

The * sign indicates that the decryption key has not yet been received.

You can see that for some earlier versions did not receive the decryption key. 

The percentage of decryption of newer versions is small. Waiting can be occupied indefinitely.

Link to post
Share on other sites
GT500

GT500 859

Posted
Posted
4 hours ago, Korid said:

Your personal ID:
0246regyjnkjddrtatQpRfpTf6bEEYHQxofqkrbRZ6xrCH6OD1M6h6t1

This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant.

There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to post
Share on other sites
Korid

Korid 0

Posted
Posted

I just wanted to ask the following...

Your team actually discourages us from paying the ransom but at the same time you do tell us that the only way we are going to get our files back is through the generated key that will be sold to us by the Ransomware creators.

So currently my only hope of getting my files back is the really really slight chance of someone actually paying the hundreds of dollars they are asking AND the crooks actually being nice enough to provide us with the key, which then the aforementioned buyer will be nice enough to share with you( assuming he actually knows about the decryptor) and  then finally to run the decryptor using the key so that my files are decrypted?

Sounds like a long shot... Any practical other tutorials... I don't know something like a deep analysis and restoring of my whole system to the day before the encryption will have any effect whatsoever?

Thanks in advance for your time and effort!!

 

Link to post
Share on other sites
GT500

GT500 859

Posted
Posted
11 hours ago, Korid said:

Any practical other tutorials... I don't know something like a deep analysis and restoring of my whole system to the day before the encryption will have any effect whatsoever?

For most files there's nothing else that can be done. Like most other ransomware, STOP/Djvu attempts to clear restore points so the System Restore can not be used to restore old copies of files.

Some larger files can be recovered, however there will be a small amount of missing data at the beginning of the files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to post
Share on other sites
GT500

GT500 859

Posted
Posted
19 hours ago, Korid said:

If I restore my computer to an earlier point ( august 8th while this attack took place at 16th of August) will my files become available or not? There is a system restore point at that point

There shouldn't be any restore points to restore to. As I said, the ransomware clears them, meaning they are deleted. There are rare times when this fails, however there is no guarantee that the System Restore saved backups of any of your files to begin with, so even if the ransomware did fail to clear the System Restore points the odds of restoring the majority of your files this way are low.

Link to post
Share on other sites
GT500

GT500 859

Posted
Posted
12 hours ago, Mohsen said:

I have The same problem. My filllleeesss 😭

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to post
Share on other sites
miricky

miricky 0

Posted
Posted
On 8/18/2020 at 2:16 AM, Korid said:

The only was that we will be able to get back our files is if someone pays the ransom and the key is added to the database, or are there hopes that this problem will be resolved in time?

I think to get this through quickly for everyone, emissoft can crowd-source the ransom fee from those affected by the virus; use it to pay and get the keys.

Link to post
Share on other sites
GT500

GT500 859

Posted
Posted
18 hours ago, SimCom said:

Is there any solution for an online ID, or can there be a solution if we wait?

If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back. For now there's nothing that can be done about online ID's.

Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future.

We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters:
https://www.bleepingcomputer.com/

If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news:
https://www.bleepingcomputer.com/feed/

Link to post
Share on other sites
GT500

GT500 859

Posted
Posted
16 hours ago, miricky said:

I think to get this through quickly for everyone, emissoft can crowd-source the ransom fee from those affected by the virus; use it to pay and get the keys.

We only make decrypters and provide technical support. We don't attempt to negotiate with criminals, and we don't attempt to pay ransoms.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Followers 2
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 01/23/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...