
Files are encrypted with .coos and decryption is impossible



Hi,

My files got encrypted a couple minutes/hours ago and I cannot decrypt them with the decrypter. Based on my files and information the ransomware is "STOP (Djvu)". Is there any way I can still decrypt these files?

The files end with .coos

Indy

Link to post
Share on other sites

I see in the decryptor that it appears to have an online ID. In the post you sent me it says that decryption is impossible with an online ID. Is it a good idea for me to leave my computer (desktop) alone for a while, or are my important files basically not coming back ever again?

Thanks a lot for the quick reaction by the way! You're amazing!

 

Link to post
Share on other sites

This ransomware may still be active on your system. It is necessary to check the PC and save the found malicious files in quarantine.

Thanks!

You read that right. For a long time, this Help remains valid. Unfortunately, if the ransomware was performing online encryption, then most likely it will not be possible to decrypt the files. But each case requires study. Extortionists can change something at any time.

Link to post
Share on other sites

I scanned my computer for malware and put the malware in quarantine.

Should I just wait now, or do I have to take further action?

I'm sorry, first time I have ransomware on my computer. 😄

And how do I stay up to date on the new versions of this ransomware?

Link to post
Share on other sites

You need to wait. A support specialist will tell you how best to do it. We have a time difference of 10-11 hours.

This is a new variant of "STOP ransomware" and it needs to be researched.

Link to post
Share on other sites
10 hours ago, IndySlot said:

Should I just wait now, or do I have to take further action?

Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future.

We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters:
https://www.bleepingcomputer.com/

If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news:
https://www.bleepingcomputer.com/feed/

Link to post
Share on other sites

Sir, please, my PC is infected by the .coos ransomware virus with online key: zOwuuF28V80ZDzE4dI6E1siTfpgrHOM0QmT2yZO2

I restored my Windows and scanned it with many malware software like Malwarebytes, SpyHunter, Emsisoft Internet Security and GridinSoft Anti-Malware, and I'm looking to decrypt my data.

It is a very important thing, all of my work and my data.

_readme.txt master.prproj.coos

Link to post
Share on other sites
8 hours ago, Papai said:

In my case, an online ID. They tried to sign into my social networking accounts too. Lost all crucial data.

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

The information at the link includes this, but the ransomware also downloads and runs the Azorult trojan, which steals your passwords.

Link to post
Share on other sites
7 hours ago, EhabAdel said:

Sir, please, my PC is infected by the .coos ransomware virus with online key: zOwuuF28V80ZDzE4dI6E1siTfpgrHOM0QmT2yZO2

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

 

7 hours ago, EhabAdel said:

I restored my Windows and scanned it with many malware software like Malwarebytes, SpyHunter, Emsisoft Internet Security and GridinSoft Anti-Malware, and I'm looking to decrypt my data.

Emsisoft Internet Security is a discontinued product, and hasn't been updated in years. If you really do have it installed, note that it won't be able to detect the STOP/Djvu ransomware, and that it is too old to receive database updates.

Here are links to our currently available products which we still maintain:

Link to post
Share on other sites

Someone posted a link to something called "DiskTuna" claiming it can recover files. The post has since been hidden, and I have asked our lab team to look at the program as it seems a bit fishy (as in potentially unsafe) to me.

Link to post
Share on other sites
13 hours ago, AD Music said:

I got my files encrypted with the .coos extension :[ Is there literally any way I can get back my only one mp3 file?

I'm so sad :,(

It might be possible to use software intended for recovering MP3 files, as the ransomware only encrypts a small portion of the beginning of the files. Larger files that are in formats that are tolerant of missing data can actually be recovered, and some music and video formats fall into that category.

Link to post
Share on other sites
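
An added illustration of the recovery idea in the reply above (not part of the thread and not Emsisoft's tool): because only the beginning of the file is unreadable, an MP3 can be resynchronised at the first chain of consecutive valid frame headers. It handles MPEG-1 Layer III only; the function names and the constructed sample input are assumptions made for this example.

```python
import struct

# MPEG-1 Layer III tables; index 0 ("free") and 15 (invalid) are rejected below.
BITRATES_KBPS = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 0]
SAMPLE_RATES = [44100, 48000, 32000, 0]

def frame_length(data, pos):
    """Byte length of the MPEG-1 Layer III frame whose header is at pos, else 0."""
    if pos + 4 > len(data):
        return 0
    (hdr,) = struct.unpack_from(">I", data, pos)
    if hdr >> 21 != 0x7FF:                                # 11-bit frame sync
        return 0
    if (hdr >> 19) & 3 != 3 or (hdr >> 17) & 3 != 1:      # MPEG-1, Layer III only
        return 0
    bitrate = BITRATES_KBPS[(hdr >> 12) & 0xF] * 1000
    rate = SAMPLE_RATES[(hdr >> 10) & 3]
    if not bitrate or not rate:
        return 0
    return 144 * bitrate // rate + ((hdr >> 9) & 1)       # + padding byte

def find_audio_start(data, min_frames=4):
    """Offset of the first chain of min_frames back-to-back valid frames, or -1."""
    for start in range(len(data) - 3):
        pos = start
        for _ in range(min_frames):
            size = frame_length(data, pos)
            if size == 0:
                break
            pos += size
        else:
            return start
    return -1

def salvage(data, min_frames=4):
    """Return the audio from the first verifiable frame chain onward (b'' if none)."""
    start = find_audio_start(data, min_frames)
    return data[start:] if start >= 0 else b""

def build_sample():
    """Constructed input: 150 unreadable bytes, then six 128 kbps / 44.1 kHz frames."""
    head = bytearray((i * 7 + 3) % 251 for i in range(150))
    head[10:14] = b"\xff\xfb\x90\x00"     # lone false sync inside the damaged area
    frame = b"\xff\xfb\x90\x00" + bytes(413)
    return bytes(head) + frame * 6

if __name__ == "__main__":
    sample = build_sample()
    print("audio resumes at offset", find_audio_start(sample))
    print("salvaged bytes:", len(salvage(sample)))
```

Requiring several frames in a row is what rejects the false sync at offset 10; run it on a copy of the backed-up file, never on the only copy.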

Dear Emsisoft Support; on 27.12.2020 a virus with the .igal extension got onto my laptop. My entire 700GB archive on C and D (pdf, rar, mp3, wav, excel, word, jpeg, png) was encrypted. I ran a virus scan, but the files do not open. What is the solution for this .igal extension virus, and what should I do? I would be glad if you could enlighten me.

_readme.txt asus pc için guncelleme.jpg.igal 2015 Yılı Mizan.pdf.igal

Edited by halcetin
I had forgotten to attach the files; I have added them.
Link to post
Share on other sites
12 hours ago, halcetin said:

Dear Emsisoft Support; on 27.12.2020 a virus with the .igal extension got onto my laptop. My entire 700GB archive on C and D (pdf, rar, mp3, wav, excel, word, jpeg, png) was encrypted. I ran a virus scan, but the files do not open. What is the solution for this .igal extension virus, and what should I do? I would be glad if you could enlighten me.

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

 


Link to post
Share on other sites

I'm sorry. I'm asking because I did not understand the part about having an offline ID. If you mean the Personal ID ending in t1 in the readme note that the person who spread the virus left on the PC, then yes, I have it. I sent it to you in my first message. Your personal ID: I have this. Extension: .igal

Link to post
Share on other sites
16 hours ago, halcetin said:

I'm sorry. I'm asking because I did not understand the part about having an offline ID. If you mean the Personal ID ending in t1 in the readme note that the person who spread the virus left on the PC, then yes, I have it. I sent it to you in my first message. Your personal ID: I have this. Extension: .igal

Yes, I was referring to the Personal ID in the "_readme.txt" file that you attached to your post. It's an offline ID, so if you just run the decrypter once every week or two then if someone sends us a private key for this variant the decrypter should start decrypting your files once we add the private key to our database.


Link to post
Share on other sites
10 hours ago, GT500 said:

Yes, I was referring to the Personal ID in the "_readme.txt" file that you attached to your post. It's an offline ID, so if you just run the decrypter once every week or two then if someone sends us a private key for this variant the decrypter should start decrypting your files once we add the private key to our database.


What decrypter should I use,

And what is a private key?

Link to post
Share on other sites
14 hours ago, AD Music said:

What decrypter should I use

Our decrypter is available at the following link:
https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

Note that it can only decrypt files that have offline ID's, and only if we have received the private key from a victim who has paid the ransom.

 

14 hours ago, AD Music said:

And what is a private key?

The STOP/Djvu ransomware uses RSA keys, and there are always two keys (public and private). The public key is used when encrypting files, and the private key is used when decrypting files. In the case of STOP/Djvu the private keys are stored in a database that only the criminals have access to, so we can only get them if a victim pays the ransom and donates the private key to us.

Link to post
Share on other sites
2 hours ago, jonnel said:

New Variant online ID: e5WgM05s0iMJ8aghw5tNWbl5jYI0X1guY7GSFdW5 

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to post
Share on other sites
  • 3 weeks later...

Hi,

So quite a while ago I backed up a lot of files that were encrypted by the ransomware. All the files are on an external hard drive safely stored without access to my computer.

What is the best way to check if those files are decryptable? Just sticking it back in my computer with a fresh install of Windows doesn't seem like the best (safe) way to do it.

How can I safely scan the files with the emsisoft decrypter?

Link to post
Share on other sites
11 hours ago, IndySlot said:

Just sticking it back in my computer with a fresh install of Windows doesn't seem like the best (safe) way to do it.

It will be safe as long as you don't try to open any files.

You can also run an Anti-Virus scan on the backed up files to see if the backup contains the ransomware, that way it can be safely removed.

Link to post
Share on other sites

I tried the decryption tool, but it appears I have an online ID.

What is the best way to know when maybe in the future it will be able to decrypt?

So that I don't have to consistently try decrypting once in a while.

I read in your message that there is a small chance of decrypting online ID's in the future.

Link to post
Share on other sites
15 hours ago, IndySlot said:

What is the best way to know when maybe in the future it will be able to decrypt?

We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters:
https://www.bleepingcomputer.com/

If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news:
https://www.bleepingcomputer.com/feed/

 

15 hours ago, IndySlot said:

I read in your message that there is a small chance of decrypting online ID's in the future.

If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back.

Link to post
Share on other sites
