all my files are encrypted with .omfl virus....

[stop 0]

Hi. Check my result:

 

Result:
We have identified "STOP (Djvu)". This ransomware may be decryptable under certain circumstances.
Please refer to the appropriate guide for more information.

Identified by:

ransomnote_email: [email protected]
sample_extension: .omfl
sample_bytes: [0x1FA1 - 0x1FC7] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D
Click here for more information about STOP (Djvu).
Case number: 726d8b53b044eb07e9af232ab5373643a40bca9e1611006311

 

Removed ransomware virus on my computer. But i'm not sure. And not format yet.

Emsisoft stop/djvu decryptor tool doesn't decrpyt my files. How can i solve this problem?

Thanks.

 

My system: Win7 x64 with SSD (Intel system)

_readme.txt

[GT500 886]

This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant.

There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

[stop 0]

Why Emsisoft Decryptor Tool not updating? Still at 1.0.0.5.

[stop 0]

This virus(.omfl) why not infected in some files(steam etc.)? Isn't 154kb and over ?

[GT500 886]

12 hours ago, stop said:

Why Emsisoft Decryptor Tool not updating? Still at 1.0.0.5.

It doesn't need to be updated.

 

12 hours ago, stop said:

This virus(.omfl) why not infected in some files(steam etc.)? Isn't 154kb and over ?

The ransomware will only encrypt certain types of files.

[stop 0]

13 hours ago, GT500 said:

It doesn't need to be updated.

Why? Sorry, i don't understand what you mean.

Look at this man:

 

On 1/19/2021 at 9:24 AM, GT500 said:

This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant.

There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

"This is a newer variant of STOP/Djvu..." and "however we don't yet have the private key" you said.

If it's the new variant, why not update it to fix the new variant virus?

 

This is the _readme.txt file content:

ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-egvXx8HqOt
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
0272omflAsdhkioO7OVYUyivYvPEI6nuQIcKXNx74ml0mkowpmDzt1

[stop 0]

URL the virus came to me: ******************* (Please don't click this URL)

 

Edited January 30 by GT500
Removed links.

[GT500 886]

9 hours ago, stop said:

If it's the new variant, why not update it to fix the new variant virus?

Because the decrypter already supports it. The reason it can't decrypt files encrypted by this newer variant is due to the fact that we don't have the private key for it's offline ID. We have to wait for a victim with an offline ID who paid the ransom to donate their private key to us.

[GT500 886]

9 hours ago, stop said:

URL the virus came to me: ******************* (Please don't click this URL)

Please don't post malicious links on our forums.

If you would like for us to analyze a file, or a malicious URL (aka. link), then run it through VirusTotal and post the link to the analysis here for us to review. We can download files from VirusTotal, so anything you upload there we have access to.

[Lara_H 1]

On 1/30/2021 at 8:28 AM, GT500 said:

Because the decrypter already supports it. The reason it can't decrypt files encrypted by this newer variant is due to the fact that we don't have the private key for it's offline ID. We have to wait for a victim with an offline ID who paid the ransom to donate their private key to us.

I have the same problem too:(( Well this is the victim you're talking about so are you researching this? And when he informs you how will you inform us? Thanks

[GT500 886]

12 hours ago, Lara_H said:

I have the same problem too:(( Well this is the victim you're talking about so are you researching this? And when he informs you how will you inform us? Thanks

This ransomware hasn't changed much since it was first analyzed over 2 years ago. The only major change was when they switched to using RSA keys, which is what makes the ransomware non-decryptable. Right now there's no way to decrypt files that have been encrypted by the STOP/Djvu ransomware without having the private key for the ID embedded in the encrypted files.

[Lara_H 1]

12 hours ago, GT500 said:

This ransomware hasn't changed much since it was first analyzed over 2 years ago. The only major change was when they switched to using RSA keys, which is what makes the ransomware non-decryptable. Right now there's no way to decrypt files that have been encrypted by the STOP/Djvu ransomware without having the private key for the ID embedded in the encrypted files.

Now there's no way but maybe in the future isn't it:(  So please let me know then, ok? Thank you very much for your reply..

[GT500 886]

11 hours ago, Lara_H said:

Now there's no way but maybe in the future isn't it:(  So please let me know then, ok? Thank you very much for your reply..

If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back.

Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future.

We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters:
https://www.bleepingcomputer.com/

If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news:
https://www.bleepingcomputer.com/feed/

[Lara_H 1]

12 hours ago, GT500 said:

If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back.

Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future.

We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters:
https://www.bleepingcomputer.com/

If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news:
https://www.bleepingcomputer.com/feed/

Thank you very much for your reply, again.. I have already backed up my encrypted files. I'm just waiting for the time.. Will the site www.bleepingcomputer.com you say will publish the solution about OMFL decryptor? Ok, i will follow.. Thanks again:)

[GT500 886]

11 hours ago, Lara_H said:

Will the site www.bleepingcomputer.com you say will publish the solution about OMFL decryptor?

They'll usually publish a news article when a new decrypter is released, or when there's major news about an older decrypter being updated to decrypt more victims' files. They also have a help and support topic on their forums for STOP/Djvu, which you can monitor if you'd like:
https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/

[Lara_H 1]

By the way, i will ask something:
When i enter this site: https://decrypter.emsisoft.com/submit/stopdjvu and when i click browse take in "Encrypted file" OK. but second part it wants "Original file" so which file is? (If the original file does not exist anyway, i could open that file anyway)..

Is the "Original file" is it Randome Note i take in but doesn't accept so announcing ""Invalid file pair; each file must be
larger than 150KB"" so what does this mean or what file is this file if not?

 

[Amigo-A 142]

@Lara_H

Quote

If the original file does not exist anyway, i could open that file anyway

Selam. Günaydın! 

It is possible that when translated into Turkish, the recommendation changes its meaning. The word order in the Turkish sentence is different from the English one. 

You must find at least one unencrypted file and use it along with its encrypted copy.
If you find a file with the same name, but not the one that was encrypted, then decryption will not work.
 

Here is a sample list, use it you can find the originals of the encrypted files:

1) on flash drives, external drives, CD / DVD, memory cards of the camera, phone;
2) in email-attachments of emails sent or received by you;
3) among the copies of shared photos of friends, relatives (in their PC) that you gave;
4) among the uploaded photos in social. networks, including via smartphone and tablet;
5) among the uploaded photos to cloud services (Google Disk,  OneDrive, Yandex Disk, etc.);
6) on the sites of ads, where you could previously send photos or images;
7) among unencrypted files, copies, renamed files on your PC;
8) on an old PC or disk, from where you transferred photos and documents to a new PC;
9) you can re-upload from the Internet previously downloaded photos, pictures, etc .;
10) you can use sample images supplied with Windows;
11) use photos or pictures that you previously posted on the avatar on the forums.
12) extract previously deleted files from the Recycle Bin or restore them with a special program.

 

If decryption failed...
 
It is possible that the original file was an inaccurate copy of the encrypted. This could be due to the fact that earlier you yourself reduced or corrected it in the editor, or uploaded it to social networks, cloud services, and there the file was somehow automatically changed.
Look for more files and try different pairs of encrypted and original files with the same name. Very often files can have the same name but are not a copy of each other. Vocabulary used in any language is limited. The possibilities of PCs, cameras, and other devices for taking photos are also limited. In cameras and mobile devices, names for photos are given automatically according to a specific format, so photos with the name from IMG_0001.JPG to IMG_9999.JPG can be quite a lot in different years. Smartphones can rename photos with more original names, such as IMG_20171012_170451.jpg - here and the date of shooting, and the sequence number because the repetition of the name is unlikely.

[Lara_H 1]

Thank but i did not understand anything at all..
If i had the original file, i wouldn't have been hacked anyway:) my files already with OMFL..

and then the first enter click "Encrypted file" should it be Randome note is it? and second click "Original file" too must be encrypted file, is it?

[Amigo-A 142]

Quote

"Original file" too must be encrypted file, is it?

No.

Encrypted file - a file with OMFL extension.

Original file - an unencrypted file that has not yet been encrypted.

The ransom note _readme.txt is not needed here.

[Amigo-A 142]

But the service page you are trying to use is for files that were encrypted by the old version.

In your case, the omfl extension refers to the new version STOP Ransomware.

[Lara_H 1]

OK, thanks again. I will try what you wrote or i have to wait sanguinely for the new variant..

[GT500 886]

On 4/10/2021 at 3:27 PM, Lara_H said:

By the way, i will ask something:
When i enter this site: https://decrypter.emsisoft.com/submit/stopdjvu and when i click browse take in "Encrypted file" OK. but second part it wants "Original file" so which file is? (If the original file does not exist anyway, i could open that file anyway)..

Is the "Original file" is it Randome Note i take in but doesn't accept so announcing ""Invalid file pair; each file must be
larger than 150KB"" so what does this mean or what file is this file if not?

That upload form is only for older variants of the STOP/Djvu ransomware. It doesn't work with newer variants, since they use RSA keys.

[Lara_H 1]

I mean, I'm unfortunate in every way:) I have nothing to do except to wait..

[GT500 886]

3 hours ago, Lara_H said:

I mean, I'm unfortunate in every way:) I have nothing to do except to wait..

There is some information on repairing video files and some audio/music files available at the more information link I posted earlier. I'll paste it below:

Quote

Are there any ways to recover/repair files that can't be decrypted? In most cases this is not possible, however there is a tool called DiskTuna that can help repair some videos that have been encrypted. This tool was made by a third-party, and they are not affiliated with us, however one of our developers has verified that it does work in at least some cases. You can find more information at this link.

 

[Amigo-A 142]

In addition, archive files are not fully encrypted. Usually, the first 1-2 files are damaged.

You can extract all the files, and then determine which file with errors is damaged.

[Lara_H 1]

16 hours ago, GT500 said:

There is some information on repairing video files and some audio/music files available at the more information link I posted earlier. I'll paste it below:

 

Thanks but i dont need recovery photos, i need just recovery documents for example "txt or text" .... I use Recuva/Shadow Explorer/Shadow CopyView programs and i recovered files including 2018  but doesn't show (no recovery) 2019-2020 years..

[GT500 886]

6 hours ago, Lara_H said:

Thanks but i dont need recovery photos, i need just recovery documents for example "txt or text" .... I use Recuva/Shadow Explorer/Shadow CopyView programs and i recovered files including 2018  but doesn't show (no recovery) 2019-2020 years..

Unfortunately text files won't be possible to decrypt without a private key, and even with one I'm not sure if our decrypter will do it. They don't have a file header, so there's no way for the decrypter to tell what they are in order to verify that they decrypted successfully.

[stop 0]

To summarize, Emsisoft Decryptor Tool doesn't work. :)) Unfortunately, the cure for this is not here. :(

[GT500 886]

5 hours ago, stop said:

To summarize, Emsisoft Decryptor Tool doesn't work. :)) Unfortunately, the cure for this is not here. :(

It only works on newer variants if it has a private key for the encrypted files. Since there is a different private key for every ID, and it isn't possible to the private keys in most cases, it's usually impossible to decrypt files that have been encrypted by STOP/Djvu.

Due to how the ransomware encrypts files, some types of files can be repaired as they are only partially encrypted, however only certain file formats are tolerant of missing data and thus those that aren't can't be recovered in this way. The article "About the STOP/Djvu Decrypter" I've linked to previously covers this along with what software can help with repairing files.