
Help, my files are encrypted!



I think this is an Iranian-Russian-Chinese-Turkish-Indian virus
This email address belongs to the Ministry of Information Technology of Iran

[email protected];
[email protected];
[email protected];
[email protected];
[email protected];
[email protected];
[email protected];
[email protected];
[email protected];
[email protected]iran.ir;
[email protected];
[email protected]iran.ir;
[email protected]india.com;
[email protected];
[email protected];
[email protected] (first noticed in ZIPE variant);
[email protected] (first noticed in MOBA variant);
[email protected] (first noticed in YGKZ variant);
[email protected] (first noticed in SSPQ variant);

This site is iran.ir for this ministry.
It is a disgrace that the Iranian government is behind this dirty and organized crime, extorting dollars because of the low value of the Iranian rial against the dollar.

 

whois of iran.ir

Updated 34 days ago
% This is the IRNIC Whois server v1.6.2.
% Available on web at http://whois.nic.ir/
% Find the terms and conditions of use on http://www.nic.ir/
% 
% This server uses UTF-8 as the encoding for requests and responses.

% NOTE: This output has been filtered.

% Information related to 'iran.ir'


domain:		iran.ir
ascii:		iran.ir
remarks:	(Domain Holder) Iran Information Technology Organization (ITO)
remarks:	(Domain Holder Address) ITO Central Building, Entrance #22, Seyed-khandan Cross, Tehran, Iran, Tehran, Tehran, IR
holder-c:	ir933-irnic
admin-c:	ir933-irnic
tech-c:		ir933-irnic
bill-c:		to52-irnic
nserver:	ns1.iran.ir
nserver:	ns2.iran.ir
nserver:	inns1.iran.ir
last-updated:	2019-03-12
expire-date:	2022-04-08
source:		IRNIC # Filtered

nic-hdl:	ir933-irnic
org:		Iran Information Technology Organization (ITO)
e-mail:		@ito.gov.ir
address:	ITO Central Building, Entrance #22, Seyed-khandan Cross, Tehran, Iran, Tehran, Tehran, IR
phone:		+982184802666
fax-no:		+982184802668
source:		IRNIC # Filtered

nic-hdl:	to52-irnic
org:		Fanavarie Etelaate Towseye Saman (Mihannic)
e-mail:		@mihannic.com
source:		IRNIC # Filtered

domain:		iran.ir
ascii:		iran.ir
remarks:	This domain is only available for registration under certain conditions
source:		IRNIC # Filtered


Please publish


That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

Please refer to this forum post for more information: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

To summarize, an online ID is impossible to decrypt with current technology. An offline ID is decryptable if any one victim with the same ID pays for the encryption key and reports it to us, so we can add it to our decrypter. Your ID is an offline ID, so there is some hope that with time, an encryption key will be reported to us so we can add it to our decrypter.


On 6/28/2021 at 12:48 AM, Arman Sabti said:

I think this is an Iranian-Russian-Chinese-Turkish-Indian virus

There is no proof for Turkey, China, India, Russia.
'STOP Ransomware' was initially distributed from Ukraine; then they changed places, domains, URLs and email, and could use the postal resources of other countries, including Iran. Anyone can register an email address and use it for correspondence.

We do not know anything else, we do not collect personal information about extortionists and cyber fraudsters. The investigation should be carried out by the cyber police and other special services.


On 6/28/2021 at 12:38 AM, Arman Sabti said:

this is my personal ID:
0305ewgfDdppmn5q6DzrybvhIkCuuqaearFxJ8Rc3difSaWft1

Good, you have an offline ID. 

This is how the decryptor informs you that it cannot decrypt the files now, because it does not yet have the decryption key for this variant.

Its addition to the Decryptor depends on the voluntary transfer of the key, so that other victims can decrypt their files without paying a ransom. But we cannot predict when someone will share the purchased key with the 'Emsisoft Decryptor' developers.
The encrypted files need to be saved to an external drive to prevent encryption from being repeated by another ransomware attack.

It is highly undesirable to try different software that is not designed to decrypt files after 'STOP Ransomware'.
Other software can damage your files and make decryption impossible. 
If you are doing experiments, make a copy of the encrypted files for testing.


This 'STOP Ransomware' enters the PC because the PC is poorly protected. People often use free antivirus programs with the 'Free' label in the name. None of these programs will protect the PC from programs similar to 'STOP Ransomware', because basic protection is not capable of this feat.
If users used comprehensive protection of the 'Internet Security' class, then it would help protect PC from ransomware attacks.
There is no 100% protection against malware, but what the 'Free' antivirus gives is 1-2 percent protection. 

After this attack, other malware elements could have stayed on the PC. This may be an info-stealer or something else. Therefore, it is urgent to conduct a full check and destroy the malware.
Use an antivirus such as Emsisoft Anti-Malware to effectively remove the malware.
You can get a free 30-day trial version of Emsisoft Anti-Malware here: https://www.emsisoft.com/en/home/antimalware/


@Arman Sabti

After you scan your PC and clean it of malicious files, you can move on to the next step. 

I recommend this method only when there is no other way, or when the affected user cannot wait long ... You decide what action to take.

If you have encrypted archives, you can partially recover them. Only 1-2 files are damaged there. The extension can be removed, and the files must be extracted. Everything except 1-2 files will be fixed. If there is only 1 file in the archive, then it will most likely be unrecoverable.

There is an alternative (additional) way to recover some media files:
WAV, MP3, MP4, M4V, MOV, 3GP.

https://www.disktuna.com/media_repair-file-repair-for-stop-djvu-mp3-mp4-3gp 

But before trying the alternative variant with media files, it is recommended that you make a copy of the encrypted files. Something will be restored better, something will be restored worse. 

An alternative method for other files has not yet been found. 

 


On 6/29/2021 at 1:22 PM, Amigo-A said:

There is no proof for Turkey, China, India, Russia.
'STOP Ransomware' was initially distributed from Ukraine; then they changed places, domains, URLs and email, and could use the postal resources of other countries, including Iran. Anyone can register an email address and use it for correspondence.

We do not know anything else, we do not collect personal information about extortionists and cyber fraudsters. The investigation should be carried out by the cyber police and other special services.

Hello
You are absolutely right, but I have a lot of Iranian domains from the nic.ir website.
This website does not allow anyone to register specific domains, such as iran.ir.
And creating this email is completely impossible unless you have access to the organization's servers.
If you have such access, it will be taken away from you immediately without any reason for ownership.
That's why I conclude that this is a kind of failure of these servers
for some reason
1) Cyber attacks
2) Extortion of dollars due to the low value of Rials
Please contact the International Police if you have access
 

Thank You


According to new information, a decryption key for the iqll variant has been added to the Emsisoft Decryptor today.

You can try, maybe the files can already be decrypted.
I recommend doing a test on a small group of files first.


8 hours ago, MariuszK said:

This is an off line ID?

Yes. Newest variant - 0311 with .leex extension. But it's too early to rejoice, the key has not yet been added to the Decryptor. I'll tell you what to do.

This 'STOP Ransomware' enters the PC because the PC is poorly protected. People often use free antivirus programs with the 'Free' label in the name. None of these programs will protect the PC from programs similar to 'STOP Ransomware', because basic protection is not capable of this feat.
If users used comprehensive protection of the 'Internet Security' class, then it would help protect PC from ransomware attacks.
There is no 100% protection against malware, but what the 'Free' antivirus gives is 1-2 percent protection. 

After this attack, other malware elements could have stayed on the PC. This may be FickerStealer or something else. Therefore, it is urgent to conduct a full check and destroy the malware.
Use an antivirus such as Emsisoft Anti-Malware to effectively remove the malware.
You can get a free 30-day trial version of Emsisoft Anti-Malware here: https://www.emsisoft.com/en/home/antimalware/

 


8 hours ago, MariuszK said:

0311ewgfDdLTYv5JAYPKU9SqYbMp9sbHbkMoA4JlKc46dTaLt1 

Good, you have an offline ID. 

Adding the decryption key to the Decryptor depends on the voluntary transfer of the key, so that other victims can decrypt their files without paying a ransom. But we cannot predict when someone will share the purchased key with the 'Emsisoft Decryptor' developers.
The encrypted files need to be saved to an external drive to prevent encryption from being repeated by another ransomware attack.

It is highly undesirable to try different software that is not designed to decrypt files after 'STOP Ransomware'.
Other software can damage your files and make decryption impossible. 
If you are doing experiments, make a copy of the encrypted files for testing.


After you scan your PC and clean it of malicious files, you can move on to the next step. 

I recommend the following method only when there is no other way, or when the affected user cannot wait long ... You decide what action to take.

1) If you have encrypted archives, you can partially recover them. Only 1-2 files are damaged there. The extension can be removed, and the files must be extracted. Everything except 1-2 files will be fixed. If there is only 1 file in the archive, then it will most likely be unrecoverable.

2) There is an alternative (additional) way to recover some media files:
WAV, MP3, MP4, M4V, MOV, 3GP.

https://www.disktuna.com/media_repair-file-repair-for-stop-djvu-mp3-mp4-3gp

But before trying the alternative variant with media files, it is recommended that you make a copy of the encrypted files. Something will be restored better, something will be restored worse. 

An alternative method for other files has not yet been found.

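The partial-archive recovery described in the post above (and in the earlier post addressed to @Arman Sabti) works because the ransomware overwrites only the beginning of each file, so a ZIP's central directory, which sits at the end of the file, and every member except the first one or two survive. The following is an added example, not code from this thread or from Emsisoft, that automates the check a victim would otherwise do by hand: it removes the appended ransomware extension, opens the archive and attempts to read every member, reporting which ones are intact and which are damaged. The damage model (a fixed-length prefix of a constructed sample archive is overwritten), the sample member names and the function names are assumptions made for the example.

```python
import io
import os
import zipfile
import zlib

# Constructed damage model for this example: only a prefix of the file is
# overwritten, so the central directory (at the end) and later members are
# still intact. The length is an assumption chosen for the demo.
DAMAGED_PREFIX_LEN = 1024


def strip_ransom_extension(path):
    """Drop the appended extension (e.g. 'backup.zip.iqll' -> 'backup.zip')."""
    base, _ext = os.path.splitext(path)
    return base


def build_sample_archive(member_count=4, member_size=4096):
    """Constructed sample: a stored ZIP with several deterministic members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for i in range(member_count):
            zf.writestr(f"photo_{i}.bin", bytes([i + 1]) * member_size)
    return buf.getvalue()


def simulate_partial_overwrite(data, prefix_len=DAMAGED_PREFIX_LEN):
    """Replace the first prefix_len bytes with junk; everything after survives."""
    return b"\xab" * prefix_len + data[prefix_len:]


def triage_archive(data):
    """Attempt to read every member; return (recovered, damaged) name lists.

    A member whose local header or data was overwritten fails with a bad
    header signature, a CRC mismatch or a decompression error. The others
    read cleanly and can be extracted normally.
    """
    recovered, damaged = [], []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # The central directory itself is unreadable: this method cannot help.
        return recovered, damaged
    with zf:
        for info in zf.infolist():
            try:
                with zf.open(info) as fh:
                    while fh.read(65536):
                        pass  # drain the stream; the CRC is verified at EOF
                recovered.append(info.filename)
            except (zipfile.BadZipFile, zlib.error, EOFError, OSError):
                damaged.append(info.filename)
    return recovered, damaged


def demo():
    """Build the constructed sample, damage its prefix and triage it."""
    intact = build_sample_archive()
    hit = simulate_partial_overwrite(intact)
    return triage_archive(hit)


if __name__ == "__main__":
    recovered, damaged = demo()
    print("recoverable:", recovered)
    print("damaged:    ", damaged)
```

On a real file, work on a copy, as the post advises: read the copied archive with `open(path, "rb").read()`, pass the bytes to `triage_archive`, and extract only the names it reports as recovered. The intact members can then be extracted with the standard library or any archiver; the damaged ones stay as they are until a decryption key becomes available.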

It's more difficult with pictures. They are more compressed and less fragmented than video files, so the cipher damages them badly.

If you transferred a collection of photos from one disk to another and after that did not fill this place on the disk with anything, then using data recovery programs you can recover some of the photos from the previous location. 


This topic is now closed to further replies.