Files Encrypted with .QLKM variant of STOP (Djvu) Ransomware



I got a machine with files encrypted with the .qlkm ransomware, as stated in the title. The person says it might have happened while trying to install software from torrents.

  • Most of the files are encrypted.
  • I have taken backup of the system.
Quote
  • Personal ID:
    0274aSjeetpKEMhIkO1Ri3ICI46pGvUlG5NhV4Xe8icVXNMDB

 

  • The Emsisoft submission portal and the decrypter detect encryption with an online key.

---> By layman's inspection (which is what I am), it seems to me that files located at longer paths were not encrypted, e.g. a file located at
D:\1\2\3\4\5\6\7\file.jpg was unencrypted.
I was able to retrieve files on paths located this far down.

  • It could be a limitation on the character length of the path, or merely on the subfolder length. Experts can weigh in on this.

---> I found these files in one of the folders that was hidden, which might be something interesting:
folder: .freedownloadmanager

---> Files (also attached, Pwd: encryptedpanda):

  • _readme.txt (this is the ransomware note)
  • README.txt.qlkm (this one is interesting, maybe. Not sure. Will explain below)
  • uuid (maybe interesting)

---> README.txt.qlkm:

I opened this file with the iCareDataRecovery file preview and saw the following, among other unreadable content (the experts can check out the file to see if the unreadable content makes any sense):

Quote

tpKEMhIkO1Ri3ICI46pGvUlG5NhV4Xe8icVXNMDB{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

In the above string, the red part is almost the same as my personal ID mentioned in the ransomware note, except for the initial part of the personal ID: 0274aSjee
I am wondering what the blue part of the string is.

The uuid file has this:

Quote

u u i d
L { b 0 3 5 f b 4 d - a 0 8 a - 4 1 4 4 - b a 7 a - 2 c 7 a 0 f c 8 6 a 2 d }

Again, this seems like some kind of key.

---> I have checked the MAC address of the infected machine; it does not seem to match any of the strings above.

---> Windows Defender reports "This program has potentially unwanted behavior" for the following detections:

  1. Driverpack_Solution
    Location:
    C:\Users\username\AppData\Roaming\DRPSu\PROGRAM\DriverPack-Cloud-New.exe
    C:\Users\username\AppData\Roaming\DRPSu\PROGRAM\HPNT.exe
  2. PUA: Win32/CandyOpen
    Files at:
    C:\3DP\Net\1812...
  3. A whole bunch of PUA: Win32/InstallCore
    at:
    C:\Users\username\Downloads\Programs\bitcomet_setup.exe
     

---> Ideas:
-> Can Emsisoft incorporate a functionality within its decrypter to scan the folders for files without the ransomware extension (in my case, files not ending in .qlkm) and maybe mark them as copy-able files, after building the tree structure to copy exactly those files? Because these files avoided being encrypted and are good to copy.
-> Also, a functionality for looking for/restoring shadow copies would be awesome.

These functionalities would be tried after it is confirmed that the machine is infected with ransomware, and before trying to decrypt the files with the Emsisoft database of decryption keys.

__________

Looking forward to thoughts, and prayers.

 

encryptedpandaFiles.zip
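A helper in the spirit of the "Ideas" section of the post above, as an added example that is not part of the original thread or of Emsisoft's decrypter: it walks a backup copy, separates files carrying the .qlkm extension (and the _readme.txt notes) from those that do not, copies the untouched files into a mirror tree with their directory structure preserved, and reports their relative-path lengths so the long-path observation can be checked against a real backup. The sample tree it builds is constructed, not the poster's data; the extension and note name are the ones quoted in the thread.

```python
import shutil
import tempfile
from pathlib import Path

RANSOM_EXT = ".qlkm"         # extension seen in this thread; change for other variants
RANSOM_NOTE = "_readme.txt"  # ransom note STOP/Djvu drops into affected folders

def triage(src: Path) -> dict:
    """Walk src and classify every file as encrypted, note, or intact."""
    result = {"encrypted": [], "notes": [], "intact": []}
    for p in src.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == RANSOM_NOTE:
            result["notes"].append(p)
        elif p.suffix.lower() == RANSOM_EXT:
            result["encrypted"].append(p)
        else:
            result["intact"].append(p)
    return result

def copy_intact(src: Path, dst: Path, intact: list) -> int:
    """Copy intact files into dst, recreating their relative directory tree."""
    for p in intact:
        target = dst / p.relative_to(src)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)  # copy2 keeps timestamps for later forensics
    return len(intact)

def path_lengths(src: Path, files: list) -> tuple:
    """(min, max) relative-path length, or (0, 0) for an empty list."""
    lengths = [len(str(p.relative_to(src))) for p in files]
    return (min(lengths), max(lengths)) if lengths else (0, 0)

def run_demo() -> dict:  # builds a constructed sample tree, not real victim data
    base = Path(tempfile.mkdtemp())
    src, dst = base / "backup", base / "recovered"
    deep = src / "1" / "2" / "3" / "4" / "5" / "6" / "7"
    deep.mkdir(parents=True)
    (deep / "file.jpg").write_bytes(b"\xff\xd8intact")   # deep path, left untouched
    (src / "photo.jpg.qlkm").write_bytes(b"placeholder")  # carries the ransomware extension
    (src / "_readme.txt").write_text("ransom note placeholder")
    t = triage(src)
    return {"encrypted": len(t["encrypted"]), "notes": len(t["notes"]),
            "copied": copy_intact(src, dst, t["intact"]),
            "recovered": (dst / "1/2/3/4/5/6/7/file.jpg").read_bytes() == b"\xff\xd8intact",
            "intact_lengths": path_lengths(src, t["intact"])}

if __name__ == "__main__":
    print(run_demo())
```

Point `triage` and `copy_intact` at the backup rather than the live disk, and compare the two `path_lengths` summaries (encrypted versus intact) to see whether a path-length threshold really separates them.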

15 hours ago, EncryptedPanda said:

Personal ID:
0274aSjeetpKEMhIkO1Ri3ICI46pGvUlG5NhV4Xe8icVXNMDB

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

 

15 hours ago, EncryptedPanda said:

Can Emsisoft incorporate a functionality within its decrypter to scan the folders for files without the ransomware extension (in my case, files not ending in .qlkm) and maybe mark them as copy-able files, after building the tree structure to copy exactly those files? Because these files avoided being encrypted and are good to copy.

All of our decrypters are based on a common template that doesn't have this functionality. We do this to make development and maintenance of the decrypters faster and easier.

 

15 hours ago, EncryptedPanda said:

Also, a functionality for looking for/restoring shadow copies would be awesome.

ShadowExplorer has that functionality (be careful of the ads on the page). Windows 10 also has that feature built in when you right-click on a file, go to Properties, and go to the Previous Versions tab.
