Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

STOP Ransomware (.STOP .Djvu, .Puma, .Promo) Support Topic


  • Please log in to reply
12129 replies to this topic

#1 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 62,063 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:35 AM

Posted 10 February 2018 - 07:30 AM

According to information previously posted on the Emsisoft Forum, they no longer have any method to decrypt STOP (DJVU) Ransomware unless the encryption occurred before the 29th of August 2019. That means there is no way to decrypt files with ONLINE ID and some recent forms of STOP (DJVU).

 

Victims can keep trying the Emsisoft STOP Djvu Decryptor IF infected with an OFFLINE KEY but at this point it appears...

Emsisoft has discontinued development and stopped all support of the decryptor.

 

NOTE: See Post #2 for tools (JpegMedic ARWEJpegMedicMedia_Repair) which can be used to partially repair (not decrypt) JPEG and audio/video files (WAV, MP3, Mp4, M4V, MOV, 3GP) partially encrypted by ransomware.

 

 

 

Updated: 06/04/24

 

This topic is the primary support topic for assistance with STOP (DJVU) Ransomware. It includes an updated summary of this infection, it's variants and possible decryption solutions with instructions. Since switching to the New STOP Djvu variants (and the release of .gero) the malware developers have been consistent on using 4-letter extensions as noted here by Amigo-A (Andrew Ivanov). Some of these 4-letter extensions have been used (repeated) more than one time but have different version numbers.

 

See Post #2 for a LIST OF STOP DJVU Extensions:.

 

STOP Ransomware will leave files (ransom notes) named !!!YourDataRestore!!!.txt, !!!RestoreProcess!!!.txt, !!!INFO_RESTORE!!!.txt, !!RESTORE!!!.txt, !!!!RESTORE_FILES!!!.txt, !!!DATA_RESTORE!!!.txt, !!!RESTORE_DATA!!!.txt, !!!KEYPASS_DECRYPTION_INFO!!!.txt, !!!WHY_MY_FILES_NOT_OPEN!!!.txt, !!!SAVE_FILES_INFO!!!.txt and !readme.txt. The .djvu* and newer variants will leave ransom notes named _openme.txt, _open_.txt or _readme.txt

 
***IMPORTANT: @ ALL VICTIMS....
 
STOP (Djvu) Ransomware has two versions.
1. Old Version: Most older extensions, starting with .djvu (v013) up to .carote (v154)...decryption for most of these versions was previously supported by STOPDecrypter if infected with an OFFLINE KEY (and a few ONLINE KEYS). That same support has been incorporated into the new Emsisoft Decryptor/submission method for these old Djvu variants...the decrypter will only decrypt your files without submitting file pairs if you have an OFFLINE KEY.  For ONLINE KEY infection, read the instructions for using the submission portal.
 
2. New Version: The newest extensions released around the end of August 2019 AFTER the criminals made changes....starting with .coharos (v146) were never supported by STOPDecrypter.  However, OFFLINE IDs/KEYS for some newer variants have been obtained by Emsisoft and uploaded to their server. This is possible after a victim pays the ransom, receives a private key from the criminals and shares (donates) that key with the Emsisoft Team. ONLINE KEYS are UNIQUE for each victim and just like older versions, they are randomly generated in a secure manner and are impossible to decrypt without paying the ransom which is not advisable. Since ONLINE KEYS are unique and random for each victim, they cannot be shared or re-used by other victims. 

 

As a result of the changes made by the criminals, STOPDecrypter no longer is supported...it was discontinued AND replaced October 18, 2019 with the Emsisoft STOP Djvu Decryptor developed by Emsisoft and Demonslay335 (Michael Gillespie). However, the same STOPDecrypter support was incorporated into the new Emsisoft decryptor/submission method for most old Djvu variants.

A decryptor for the STOP Ransomware has been released by Emsisoft and Michael Gillespie that allows you to decrypt files encrypted by 148 variants of the infection for free....anyone who was infected after August 2019 cannot be helped with this service. With that said, it may be possible to decrypt using an offline key, so even with these variants there may be some success.

EVERYONE should ONLY be using the Emsisoft STOP Djvu Decryptor  <- Be sure to READ the INSTRUCTIONS in this article

 

The decryptor requires a working Internet connection in order to communicate with the Emsisoft server.

 

 
 USING EMSISOFT DECRYPTOR FOR STOP DJVU RANSOMWARE:
 
Emsisoft STOP Djvu Decryptor <- official authorized download link

There are limitations on what files can be decrypted. For all versions of STOP Djvu, files can be successfully decrypted if they were encrypted by an offline key that we have. For Old Djvu, files can also be decrypted using encrypted/original file pairs submitted to the STOP Djvu Submission portal; this does not apply to New Djvu after August 2019.

If you were infected after August 2019, then you are encrypted with a new version. In order to decrypt any of these new versions an OFFLINE ID with corresponding private key is required. If there is no OFFLINE KEY for the variant you are dealing with, Emsisoft cannot help you unless an OFFLINE KEY is retrieved and added to the Emsisoft server. If an OFFLINE KEY is obtained, it will be pushed to the server and automatically added to the decryptor. When you run the decrypter, it connects to the Emisisoft server and checks for updates if you have an active Internet connection. As such, you should download the decryptor to see if Emsisoft has been able to gain access to an OFFLINE KEY which can decrypt your files.

 

If you are infected with the .puma, .pumas, .pumax extension or  some UPPERCASE (.INFOWAIT, .DATAWAIT) extensions of the earlier STOP Ransomware variants, you should download and use the Emsisoft Decryptor for STOP Puma. The older .puma based variants used XOR encryption and these extensions can be decrypted by providing a single encrypted and original file pair over 150KB. The same applies to UPPERCASE extensions,,,provide a single encrypted and original file pair over 150KB.

Emsisoft STOP Djvu File Pairing Decryption Service does not support new variants if your files were encrypted after AUG 2019.

Notice: this service does not support the "New" variants that use RSA encryption. If your files were encrypted after August 2019, chances are it is the "New" version.

If you are able to use this service, be aware the decryptor can only decrypt files with the same first 5 bytes as what you submitted and you have to supply a file pair for each format you want to decrypt. A single file pair means an encrypted file AND a copy of its exact unencrypted original file (same size). Everyone can always find a clean unencrypted copy of an original file that was encrypted for a file pair in order to reconstruct/extrapolate the encryption keys.

  • Files you downloaded from the Internet that were encrypted and you can download again to get the original.
  • Pictures that you shared with family and friends that they can just send back to you.
  • Pictures you uploaded on social media or cloud services like Carbonite, OneDrive, iDrive, Google Drive, etc)
  • Attachments in emails you sent or received and saved.
  • Files on an older computer, flash drive, external drive, camera memory card or iphone where you transfered data to the infected computer.
  • Default or sample wallpapers/pictures that were shipped with your Windows version which you can get from another system running the same version.

 
ABOUT ONLINE & OFFLINE IDS / KEYS:
 
The Emsisoft STOP Djvu Decryptor supports and will only attempt to decrypt files if they were encrypted by one of the known STOP (Djvu) OFFLINE KEY's and some ONLINE ID's if a proper file pair is supplied to the submission portal as explained here by GT500.
 
For newer STOP (Djvu) variants, the criminals switched to a new cryptographically strong key protected by RSA Salsa20 algorithm. Every file is generated securely with a new key using UuidCreate (which internally uses CryptGenRandom) that cannot be brute-forced. The encryption is the exact same regardless of whether it is an ONLINE or OFFLINE KEY which encrypted your files.
 
If the malware is able to connect (communicate) with its command and control servers it will obtain and use a unique randomly generated ONLINE KEY which will allow it to keep encrypting files with that key from memory. The malware is programed to run itself on startup and a scheduled task every 5 minutes which allows it to keep repeating attempts to communicate with the servers and retrieve an ONLINE KEY. Without the master private RSA key that can be used to decrypt your files, decryption is impossible...the key is generated in a secure way that cannot be brute-forced. The public RSA key alone that encrypted the files is useless for decryption, therefore a malware sample of any particular variant is also useless for decryption since it only contains the public key. 
 
If the malware is unable to connect (communicate) with its servers and fails to get an ONLINE KEY it will give up and resort to using an OFFLINE KEY.  The OFFLINE KEY is a hard-coded built-in encryption KEY (used with a built-in OFFLINE ID) at the time the ransomware encrypted your files. Each variant extension only has one OFFLINE ID (a string of numbers and letters that identifies the infected computer to the ransomware) which generally ends in "t1" so they are usually easy to identify.

  • cZs3TaUYZzXCH1vdE44HNr1gnD2LtTIiSFFYv5t1
  • TLuCxxAdd5BLXYWIvnjsWaCNR5lWoznhlRTSott1

Since the OFFLINE KEY and ID only change with each variant/extension, everyone who has had their files encrypted by the same variant will have the same ID and the files will be decryptable by the same key (or "private key" in the case of RSA encryption).

 
- Decryption of new STOP (Djvu) variants is possible IF infected with an OFFLINE KEY using the Emsisoft Decryptor only after obtaining and sharing the corresponding private key from victims who paid the ransom for a specific variant.  OFFLINE KEYS will work for ALL victims who were encrypted by the same key. If there is no OFFLINE KEY available for any specific variant, then your files cannot be decrypted at this time. We have no way of knowing when or if a private key for an OFFLINE ID will ever be recovered and shared with Emsisoft.

 

However, at this point it appears Emsisoft has discontinued development and stopped all support of the decryptor.
 
- Decryption of new STOP (Djvu) variants is impossible IF infected by an ONLINE KEY without paying the criminals for that victim’s specific private key...these keys are unique for each victim and randomly generated in a secure manner. Emsisoft cannot help decrypt files encrypted with the ONLINE KEY due to the type of encryption used by the criminals and the fact that there is no way to gain access to the criminal's command server and retrieve this KEY. Therefore, ONLINE ID's are NOT supported by the Emsisoft Decryptor for new STOP (Djvu) versions if infected with an ONLINE KEY.

 

Some victims have files encrypted by both an OFFLINE KEY and an ONLINE KEY due to the malware running multiple times and making repeated attempts to get an ONLINE KEY, sometimes successfully communicating with the command and control server, sometimes failing to communicate and resorting to using an OFFLINE KEY. In such scenarios the Emsisoft Decryptor will only decrypt those files encrypted with the OFFLINE KEY.

The Emsisoft Decryptor will also tell you if your files are decryptable, whether you're dealing with an "old" or "new" variant of STOP/Djvu, and whether your ID is ONLINE or OFFLINE.
 
In regards to new variants of STOP (Djvu) Ransomware...decryption of data requires an OFFLINE ID with corresponding private key. Emsisoft can only get a private key for OFFLINE IDs AFTER a victim has PAID the ransom, receives a key and provides it to them so the key can be added to their database. Emsisoft has obtained and uploaded to their server OFFLINE IDs for many (but not all) of the new STOP (Djvu) variants as noted in Post #9297 and elsewhere in the support topic.

 

There is no timetable for when or if a private key for an OFFLINE ID will be recovered and shared with Emsisoft for any variant and no announcement by Emsisoft when they are recovered due to victim confidentiality. In fact many private OFFLINE KEYS are NEVER recovered and in most cases it's several months later when they are.
 
** If there is no OFFLINE ID for the variant you are dealing with, we cannot help you unless a private key is retrieved and added to the Emsisoft server / decryptor. If you run the Emsisoft Decryptor for a new variant with an OFFLINE ID which has not been recovered, the decrypter will indicate the following "error" under the Results Tab.

Error: No key for New Variant offline ID: ***************************t1
Notice: this ID appears to be an offline ID, decryption MAY be possible in the future.

That means for now, the only other alternative to paying the ransom, is to backup/save your encrypted data as is and wait for possible future recovery of a private key for an OFFLINE ID
 
If an OFFLINE ID is available for the variant you are dealing with and your files were not decrypted by Emsisoft Decryptor, then you most likely were encrypted by an ONLINE KEY and those files are not recoverable (cannot be decrypted) unless you pay the ransom to the criminals and receive the private key. Again, ONLINE ID's for new STOP (Djvu) variants are not supported by the Emsisoft Decryptor.
 
If you run the Emsisoft Decryptor for a new variant with an ONLINE ID, the decryptor will indicate there is "no key" under the Results Tab and note it is impossible to decrypt.

Error: No key for New Variant online ID ***************************
Notice: this ID appears to be an online ID. decryption is impossible

That means for now, if your files were encrypted with an ONLINE KEY, the only other alternative to paying the ransom, is to backup/save your encrypted data as is and wait for a possible future solution.

 
There are older STOP (DJVU) variants which are not decryptable. The Emsisoft decrypter is able to identify Old Variant IDs which it is unable to decrypt and note that under the Results Tab just as it does with new STOP (DJVU) variants which are not decryptable.

Unable to decrypt Old Variant ID: ***************************
First 5 bytes: *************

.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


BC AdBot (Login to Remove)

 


#2 glenn_ITP

glenn_ITP

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:35 AM

Posted 22 February 2018 - 03:11 AM

LIST OF STOP DJVU ExtensionsUpdated: 06/04/24
 
Any files that are encrypted with older STOP (Djvu) Ransomware variants will have the .STOP, .SUSPENDED, .WAITING, .PAUSA, .CONTACTUS, .DATASTOP, .STOPDATA, .KEYPASS, .WHY, .SAVEfiles, .DATAWAIT, .INFOWAIT, .puma, .pumax, .pumas, .shadow, .djvu, .djvuu, .udjvu, .djvuq, .uudjvu, .djvus, .djvur, .djvut .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promock, .promoks, .promorad,, promorad2, .kroput, .kroput1, .charck, .pulsar1, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .verasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .forasom, .berost, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidon, .heroset, .myskle, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .tocue, .darus, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .coharos, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .stare, .cetori, .carote, or .shariz extension appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov).
 
Any files that are encrypted with newer STOP (Djvu) Ransomware variants after August 2019 will have the .gero, .hese, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .noos, .kuub, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .mkos, .nbes, .piny, .redl, .nosu, .kodc, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss. .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe, .mpal, .sqpc, .mzlq, .koti, .covm, .pezi, .zipe, .nlah, .kkll, .zwer, .nypd, .usam, .tabe, .vawe, .moba, .pykw, .zida, .maas, .repl, .kuus, .erif, .kook, .nile, .oonn, .vari, .boop, .geno, .kasp, .ogdo, .npph, .kolz, .copa, .lyli, .moss, .foqe, .mmpa, .efji, .iiss, .jdyi, .vpsh, .agho, .vvoa, .epor, .sglh, .lisp, .weui, .nobu, .igdm, .booa, .omfl, .igal, .qlkm, .coos, .wbxd, .pola, .cosd, .plam, .ygkz, .cadq, .ribd, .tirp, .reig, .ekvf, .enfp, .ytbn, .fdcz, .urnb, .lmas, .wrui, .rejg, .pcqq, .igvm, .nusm, .ehiz, .paas, .pahd, .mppq, .qscx, .sspq, .iqll, .ddsg, .piiq, .miis, .neer, .leex, .zqqw, .pooe, .zzla, .wwka, .gujd, .ufwj, .moqs, .hhqa, .aeur, .guer, .nooa, .muuq, .reqg, .hoop, .orkf, .iwan, .lqqw, .efdc, .wiot, .koom, .rigd, .tisc, .mded, .nqsq, .irjg, .vtua, .maql, .zaps, .rugj, .rivd, .cool, .palq, .stax, .irfk, .qdla, .qmak, .futm, .utjg, .iisa, .pqgs, .robm, .rigj, .moia, .yqal, .wnlu, .hgsh, .mljx, .yjqs, .shgv, .hudf, .nnqp, .sbpg, .xcmb, .miia, .loov, .dehd, .vgkf, .nqhd, .zaqi, .vfgj, .fhkf, .maak, .yber, .qqqw, .qqqe, .qqqr, .yoqs, .bbbw, .bbbe, .bbbr, .maiv, .avyu, .cuag, .iips, .qnty, .ccps, .ckae, .gcyi, .eucy, .ooii, .jjtt, .rtgf, .fgui, .fgnh, .sdjm, .iiof, .fopa, .qbba, .vyia, .vtym, .kqgs, .xcbg, .bpqd, .vlff, .eyrv, .rguy, .uigd, .hfgd, .kkia, .ssoi, .mmuz, .pphg, .wdlo, .kxde, .udla, .voom, .mpag, .gtys, .tuid, .uyjh, .ghas, .hajd, .qpps, .qall, .dwqs, .vomm, .ygvb, .nuhb, .msjd, .jhdd, .dmay, .jhbg, .jhgn, .dewd, .ttii, .hhjk, .mmob, .mine, .sijr, .xcvf, .bbnm, .egfg, .byya, .hruu , .kruu, .ifla, .errz, .dfwe, .fefg, .fdcv, .nnuz, .zpps, .qlln, .uihj,.zfdv, .ewdf, .rrbb, .rrcc, .rryy, .bnrs, .eegf, .bbyy, .bbii, .bbzz, .hkg, .eijy, .efvc, .lltt, .lloo, .llee, .llqq, .dkrf, .eiur, .ghsd, .jjyy, .jjww, .jjll, ..hhye, .hhew, .hhyu, .hhwq, .hheo, .ggew, .ggyu, .ggwq, .ggeo, .oori, .ooxa, .vvew, .vvyu, .vvwq, .vveo, .cceq. .ccew, .ccyu, .ccwq, .cceo, .ccza, .qqmt, .qqri, .qqlo, .qqlc, .qqjj, .qqpp, .qqkk, .oopu, .oovb, .oodt, .mmpu, .mmvb, .mmdt, .eewt, .eeyu, .eemv, .eebn, .aawt, .aayu, .aamv, .aabn, .oflg, .ofoq, .ofww, .adlg, .adww, .tohj, .towz, .pohj, .powz, .tuis, .tuow, .tury, .nuis, .nury, .powd, .pozq, .bowd, .bozq, .zatp, .zate, .fatp, .fate, .tcvp, .tcbu, .kcvp, .kcbu, .uyro, .uyit, .mppn, .mbtf, .manw, .maos, .matu, .btnw, .btos, .bttu, .isal, .iswr, .isza, .znsm, .znws, .znto, .bpsm, .bpws, .bpto, .zoqw, .zouu, .poqw, .pouu, .mzqw, .mztu, .mzop, .assm, .erqw, .erop, .vvmm, .vvoo, .hhmm, .hhee, .hhoo, .iowd, .ioqa, .iotr, .qowd, .qoqa, .qotr, .gosw, .goaq, .goba, .cosw, .coaq, .coba, craa, .qazx, .qapo, .qarj, .dazx, .dapo, .darj, .tycx, .tywd, .typo, .tyos, .jycx, .jywd, .jypo, .jyos, .nifr, .nitz, .niwm, .kiop, .kifr, .kitz, .kiwm, .boty, .boza, .coty, .coza, .fofd, .foty .foza, .sato, .saba, .qopz, .qore, .gash, .gatz, .xash, .xatz, .xaro, .gaze, .gatq, .gapo, .vaze, .vatq, .vapo, .werz, .weqp, .weon, .nerz, .neqp, .neon, .ahtw, .ahgr, .ahui, .bhtw, .bhgr, .bhui, .tghz, .tgpo, .tgvv, .aghz, .agpo, .agvv, .wazp, .waqq, .wayn, .gazp, .gaqq, .gayn, .miza, .mitu, .miqe, .kizu, .kitu, .kiqu, .wsaz, .wspn, .wsuu, .poaz, .popn, .pouu, .yyza, .yytw, .yyza, .tasa, .taqw, .taoy, .jasa, .jaqw, .jaoy, .wzqw, .wzer, .wzoq, .wztt, .nzqw, .nzer, .nzoq, .nztt, .teza, .rzkd, .rzfu, .rzew, .rzml, .hgkd, .hgfu, .hgew, .hgml, .oopl, .ooty, .oohu, .ooza, .wwpl, .wwty, .wwhu, .wwza, .azqt, .azre, .azop, .azhi, .mzqt, .mzre, .mzop, .mzhi, .ttwq, .ttza, .ttap, .ttrd, .mlwq, .mlza, .mlap, .mlrd, .ptqw, .ptrz, .pthh, .itqw, .itrz, .ithh, .zpas, .zpww, .zput, .ppvs, .ppvw, .ppvt, .yzaq, .yzqe, .yzoo, jzeq, .jzie, .eqew, .eqza, .iicc, .gyew, .gyca, .gycc, .jazi, .jawr, .nbzi, .nbwr, .hhuy, .hhaz, .ljuy, .ljaz, .loqw, .lomz, .cdqw, .cdmx, .cdwe, .cdaz, .cdpo, .cdtt, .cdcc, .cdxx, .ldhy, .lkhy, .lkfr, .wisz, .wiaw,  .nood, .kool, .vook, .looy, .uajs, .uazq, .kaaa, .bgjs, .bgzq, .baaa, .qepi, .qehu, .geza, .paaa, .vepi, .vehu, .veza, .watz, .waqa, extension appended to the end of the encrypted data filename.

 
Note: .sspg, .iqll, .ddsg all have the same offline ID.

 

.btos    (V0618) Dec 2022 <- used previously .btos   (V0202) Jan 2020

.mzqw (V0635) Jan  2023 <- used previously .mzqw (V0625) Jan 2023
.pouu   (V0755) Jul   2023 <- used previously .pouu  (V0634) Jan 2023
.mzop  (V0796) Sep 2023 <- used previously .mzop  (V0637) Jan 2023
 

 
 
 
The Emsisoft decrypter supports the following STOP (Djvu) variants if you were hit by it's respective OFFLINE KEY.....djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, rumba, .promos, .promoz, .promock, .promorad, .promok, .promorad2, .kroput, .kroput1, .charck, .kropun, .doples, .luces, .luceq, .chech .pulsar1, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .raldug, .roland, .etols, .guvara, .norvas, .moresa, .verasto, .hrosas, .kiratos, .todarius, .roldat, .dutan, .sarut, .forasom, .berost, .shadow, .fordan, .codnat, .dotmap, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .lanset, .davda, .poret, .pidon, .muslat, .boston, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .berosuce, .herad, .gehad, .gusau, .madek, .tocue, .gusau, .madek, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ndarod, .access, .format, .nelasod, .mogranos, .lotej, .prandel, .zatrov, .masok, .cosakos, .nvetud, .kovasoh, .brusaf, .londec, .krusop.
 
Emsisoft has obtained and uploaded to their server OFFLINE IDs for the following new STOP (Djvu) variants....gero, .hese, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .noos, .kuub, .reco, .bora, .nols, .werd, .coot, .derp, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .msop, .hets, .righ, .mkos, .nbes, .nosu, .reha, .topi, .repp, .alka, .nppp, .remk, .opqz, .mado, .covm, .usam, .tabe, .vawe,  .maas, .nile, .geno, .omfl, .nusm, .sspg, .iqll, .ddsg, .moqs, .koom, .wiot, .rigd, .nqsq, .iisa
 
Note: The Information about the list of extensions at the bottom of Amigo-A's The version numbers and extensions of STOP-Djvu Ransomware page stops at .rtgf (V0403). That most likely means any variants beyond .rtgf (V0403) are not decryptable.
 
 
 
ABOUT DATA RECOVERY & PARTIALLY ENCRYPTED FILES:
- All of the new STOP (Djvu) variants add 334 bytes to encrypted file size due to including the RSA-encrypted key, the ID and filemarker as explained here.

 
- STOP (Djvu) Ransomware only encrypts the first 150 KB of files and places a file marker in brackets (i.e. {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}) at the end of every encrypted file. Since only parts of the file may actually be encrypted, data recovery software sometimes work to recover partially encrypted files with certain ransomware infections. Data Recovery uses complex algorithms that search for pieces (fragments) of recoverable information left on the hard drive in order to guess where the file was originally physically stored. The recovery program then attempts to put back together that information in a salvageable format. However, if the data has been overwritten, complete recovery cannot be guaranteed. Data recovery does not decrypt encrypted data. Some STOP (Djvu) files that are in encrypted ZIP archives may also be recovered. See my comments in this this topic (Post #16) for more details in regards to the possible use of data recovery software.

 
JpegMedic ARWE and JpegMedic created by DecAns (Denis Anisimov) are tools for automatic batch recovery of JPEG files partially encrypted by STOP (Djvu) ransomware. For more information, please refer to Tool for batch recovery of JPEG files encryped by STOP (Djvu) or contact Jpegmedic Support (support@jpegmedic.com). UPDATE 01/14/22: JpegMedic ARWE is no longer available for free.

 

Media_Repair can be used to repair (not decrypt) audio/video files (WAV, MP3, MP4, M4V, MOV, 3GP) partially encrypted by ransomware.

 

Note: If JpegMedic is detected as a threat by Microsoft Defender Antivirus, be aware the detection is a "false positive" and can be ignored.

 
 
EMSISOFT STOP DJVU DECRYPTOR FAQS:
 
Why Emsisoft Decryptor will not run?

The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date or corrupted. We recommend installing the latest version of the .NET Framework... - and then trying the decrypter again.

Why is the decrypter stuck on "Starting"?.

When running the decrypter it will indicate "Starting" until it is able to find some. If the decrypter remains stuck on "Starting" for a long period of time, this means it is unable to find any encrypted files. The Emsisoft Decryptor looks for a specific filemarker the ransomware leaves on files it has encrypted. If the files do not have that filemarker, then they are not encrypted. 

What does "Remote name could not be resolved" mean? 

It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default.

While running Emsisoft Decryptor, victims may notice their files are briefly visible with their original extension but then revert to their encrypted state. This is by design...the decryptor prepares a copy of the encrypted file without the encrypted extension to safely work on it. The decryptor then checks for a key or keystream from the server, and if it fails, the decryptor reverts and deletes the copy it made in order to clean up after itself as explained here.
 
While running Emsisoft Decryptor, an "invalid file pair; "encrypted" file is not encrypted" occurs when the file you put in the "Encrypted file" field is missing the filemarker - this means either the malware didn't encrypt it at all, or it bugged out during the encryption as explained here.
 
While running Emsisoft Decryptor, an "Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel" occurs - this means that your computer doesn't support TLS 1.2 as explained here.
 
Emsisoft Decryptor does not need to be updated unless a bug (glitch) is discovered.

 
WARNING NOTEPlease DO NOT use or share download links for decrypter_2.exe. This was the shoddy decrypter written by the criminals which victims were using as a LAST RESORT. With the release of Emsisoft's decryptor. there is no need for victims to use this use this decrypter any more...the Emsisoft decryptor does everything it can do and more safely. All the download links for decrypter_2.exe have been removed and if anyone posts a new download link, that too will be removed.
.
 
OTHER IMPORTANT INFORMATION:
 

- Newer STOP (Djvu) Ransomware variants are known to cause dual (multiple) encryptions with more than one variant because the ransomware is loaded as a Scheduled Task and sets itself to run every 5 minutes.
 
- Newer STOP (Djvu) Ransomware variants (and other ransomwares) have been reported to spread by downloading & using  adware bundles, pirated software, activators for Office and Windows, cracks. and shady sites.

Using pirated software, fake/illegal activators for Windows & Office, torrents, keygens and other cracked software is a serious security risk (unsafe practice) which can make your system susceptible to a smörgåsbord of malware infections including ransomware resulting in the encryption of all your most valuable data as explained here (Post #11). That means all your personal data may be lost forever.
 
- Newer STOP (Djvu) Ransomware variants are also installing Password Stealing Trojans.

.
 
.
Hi
 
Just got a call from a customer with the above ransomware extention. Here is the ransomnote:
 
All your important files were encrypted on this PC.
All files with .SUSPENDED extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to contact us by email suspendedfiles@bitmessage.ch send us an email your !!!RestoreProcess!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.

Your personal id:
5QDwX38ApBptxAvLONsohcyWyDsZhoeW15GuYzU5
 
E-mail address to contact us:
suspendedfiles@bitmessage.ch
Reserve email address to contact us:
suspendedfiles@india.com
 
Posting to help others find info on this.



#3 Demonslay335

Demonslay335

    Ransomware Hunter


  •  Avatar image
  • Security Colleague
  • 4,770 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:35 AM

Posted 22 February 2018 - 11:00 AM

I see your submission to ID Ransomware was not identified. I have only one other submission from Italy as well. May be something new, doesn't look familiar to me (then again all the ransom notes blur together anymore).

 

We will need the malware executable in order to properly identify and analyze it. I've put out a hunt on Twitter to see if anyone has spotted it.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  •  Avatar image
  • Members
  • 3,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bering Strait
  • Local time:01:35 PM

Posted 22 February 2018 - 11:09 AM

This is a new version of Ransomware, whom I descripted on December 25, 2018 as STOP Ransomware.
 
Analogous text of ransom note, the same sum of ransom.
Another extension, notes name and other e-mail.
Such changes is normal in the environment of Ransomware.
 
d1a3db50e15e.png
 
On February 10, 2018 was one more STOP-iteration.

Edited by Amigo-A, 22 February 2018 - 11:26 AM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#5 glenn_ITP

glenn_ITP

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:35 AM

Posted 23 February 2018 - 02:49 AM

I'll try to get a sample on monday when I will go pick up the infected pc.

Any specific I should be looking for?

#6 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  •  Avatar image
  • Members
  • 3,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bering Strait
  • Local time:01:35 PM

Posted 23 February 2018 - 12:07 PM

These are some common folder variable locations malicious executables and .dlls hide:

  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\

Also check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware. 

 

 

Example of recommendation

https://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/?p=4383151


My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#7 glenn_ITP

glenn_ITP

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:35 AM

Posted 05 March 2018 - 03:07 AM

I totally forgot to get a sample... I'm sorry.



#8 quietman7

quietman7

    Bleepin' Gumshoe

  • Topic Starter

  •  Avatar image
  • Global Moderator
  • 62,063 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:35 AM

Posted 05 March 2018 - 04:57 PM

Does that mean you are still going to try and submit a sample?


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#9 ruthay

ruthay

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:35 AM

Posted 18 April 2018 - 11:15 AM

Amigo-A, thank you for identifying my .WAITING ransomware  as a new version of this one! I can still send you a copy of the ransom note through SendSpace, if you need it but it requires an email address.

 

Are you still in need of a sample of the program? In an unfortunate turn of events, I fried the hard drives on that PC while trying to connect them to another computer to pull the un-encryped data off. New PCBs are on the way, so when I get those disks back up, I will try to get you a sample. Will probably be in mid May sometime as the PCBs are going to take 20 days to get here. Hopefully, I can get them working again

 

Thanks again!



#10 Demonslay335

Demonslay335

    Ransomware Hunter


  •  Avatar image
  • Security Colleague
  • 4,770 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:35 AM

Posted 18 April 2018 - 12:15 PM

@ruthay

 

SendSpace does not require an email address. Just upload the file and share the link. Example instructions in the first post of this topic: https://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-exx-ezz-ecc-etc-decryption-support-requests/


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#11 ruthay

ruthay

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:35 AM

Posted 18 April 2018 - 12:25 PM

@Demonslay335

 

Thanks, I missed that.

 

Link to note: https://www.sendspace.com/file/sykx4j


Edited by ruthay, 18 April 2018 - 12:37 PM.


#12 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  •  Avatar image
  • Members
  • 3,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bering Strait
  • Local time:01:35 PM

Posted 19 April 2018 - 01:18 PM

ruthay
 
Thank you. I corrected the entries in the digest according to the new information.
 
Let's hope together with you that your files will be liberated. 

Edited by Amigo-A, 19 April 2018 - 01:20 PM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#13 woji

woji

  •  Avatar image
  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 06 June 2018 - 11:59 AM

Hello.

A new version is in the world ... extension .CONTACTUS 

 

 

note: !!!RESTORE_FILES!!!

 

 

All your important files were encrypted on this PC.
 
All files with .CONTACTUS extension are encrypted.
 
Encryption was produced using unique private key RSA-1024 generated for this computer.
 
To decrypt your files, you need to obtain private key + decrypt software.
 
To retrieve the private key and decrypt software, you need to CONTACTUS us by email decryption@bitmessage.ch send us an email your !!!RESTORE_FILES!!!.txt file and wait for further instructions.
 
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
 
Price for decryption $600 if you contact us first 72 hours.
 
 
 
Your personal id:
 
pOVTnyE2aIwqpy9o6uXWfg00sCQC97ZuvP0cbURZ
 
 
 
E-mail address to contact us:
 
decryption@bitmessage.ch
 
Reserve e-mail address to contact us:
 
decryption@india.com
 
 
 
_____________
unfortunately, no sample found ... only encrypted files :(
i have backup, but it is very annoying


#14 quietman7

quietman7

    Bleepin' Gumshoe

  • Topic Starter

  •  Avatar image
  • Global Moderator
  • 62,063 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:35 AM

Posted 06 June 2018 - 03:23 PM

This variant was reported May 30th as noted here under === Update section === BLOCK OF UPDATES ===.

.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#15 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  •  Avatar image
  • Members
  • 3,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bering Strait
  • Local time:01:35 PM

Posted 07 June 2018 - 02:02 AM

I added english text in block of updates. 
 
Unfortunately, I do not have any samples of this Crypto-Ransomware.
Perhaps, in bases of antivirus companies have this samples .
This encryption must be cracked. For this need to find samples of this Crypto-Ransomware.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 





6 user(s) are reading this topic

0 members, 5 guests, 0 anonymous users


    Facebook (1)