STOP Ransomware (.STOP .Djvu, .Puma, .Promo) Support Topic


12103 replies to this topic

#451 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 21 January 2019 - 02:00 PM

@all

They've made some changes to the malware starting with the .rumba extension. I have updated the decrypter to support this new encrypted file format if you were hit by the offline key.

There is a new offline key embedded in the decrypter (v2.0.1.0) for ID D02NfEP94dKUO3faH1jwqqo5f9uqRw2Etn2lP3VB. If you have this ID, the decrypter will now be able to decrypt your files.

[Screenshot: 2019-01-21_1258.png]

[Screenshot: 2019-01-21_1300.png]

https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#452 Cokgolok


Posted 21 January 2019 - 02:58 PM

I'm from Indonesia, please help @kNN @Demonslay335. Laptop infected with .pdff.

Trying the STOP decryptor from @Demonslay335 doesn't help because it's a different Personal ID.

This is the log from the decryptor:
http://prntscr.com/m9xh0v

[!] No keys were found for the following IDs:
[*] ID: mXqz4Z3FFZYcYsu6hPRQbYwAOfSPEgW1dnAhmDX2
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MAC: EC:0E:C4:3E:C9:8F
[*] MAC: 00:00:00:00:00:00:00:E0
This info has also been logged to STOPDecrypter-log.txt

This is the sample: https://drive.google.com/open?id=1AhflsyzOQGx5mASgv7Ea8Ztvdxgxad6G

Any help is very much appreciated. Thanks in advance.

Not everyone can use that yet, bro; only a few IDs work so far.

I got hit early on, right when this virus was first released; mine got .pdff. Which area are you from, bro?

Hello bro, I got hit last night too. Please help shed some light on this, bro.



#453 patvaros87


Posted 21 January 2019 - 03:13 PM

@all

They've made some changes to the malware starting with the .rumba extension. I have updated the decrypter to support this new encrypted file format if you were hit by the offline key.

There is a new offline key embedded in the decrypter (v2.0.1.0) for ID D02NfEP94dKUO3faH1jwqqo5f9uqRw2Etn2lP3VB. If you have this ID, the decrypter will now be able to decrypt your files.

[Screenshot: 2019-01-21_1258.png]

[Screenshot: 2019-01-21_1300.png]

https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip

1000x Thanks, you are the best. Thank you for your support!! I'm very happy, again I can use my files. You are the GOD !!!!



#454 Cokgolok


Posted 21 January 2019 - 03:14 PM

Hi, I'm from Indonesia, need your help @kNN @Demonslay335

MAC address: 50:5B:C2:B8:1C:ED

Personal ID: 027sng9SwkMQ3C3zP6yNcemHZZ52xPO1IJ9lRaafN6u

Infected with .rumba

Encrypted and decrypted file: https://ufile.io/ttvec

Best regards, thank you

Edited by Cokgolok, 21 January 2019 - 03:16 PM.


#455 khan114


Posted 21 January 2019 - 03:53 PM

Hi,

My friend's laptop data has been encrypted with ransomware having the extension .tfude. I downloaded STOPDecrypter v2.0.1.0 but after running it on the infected files it decrypts the files but they are unable to open.

I tried to share a snap of the files but it's not pasted here. I can share files if you want them for further analysis.

The note from the ransomware is below:

---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED -----------------------------------------------

Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can download video overview decrypt tool:
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.

---------------------------------------------------------------------------------------------------------------------------

To get this software you need write on our e-mail:
pdfhelp@india.com

Reserve e-mail address to contact us:
pdfhelp@firemail.cc

Your personal ID:
024kSSCqHHUsJov1Xq56xQ0RmMP7V4Sz7KUZCwqkdkM

Please help in this matter.


#456 kishox


Posted 21 January 2019 - 03:58 PM

Hello,

.rumba

Key ID: 0275bOacFY0verQBAz9zXaT14Bx27I3dQRVEsR6VG42

MAC: 24-BE-05-09-C1-15

Uploaded files: https://ufile.io/zueak

BR,


#457 TheComAdd


Posted 21 January 2019 - 04:12 PM

Hello, if possible, please help with .tfudet:

Physical Address: 34-F3-9A-CF-B3-2C

Personal ID:
026N3TshhNYkbOVYeMpWLAa3v9Tdaoj2SXQVRjc87at


#458 simpar


Posted 21 January 2019 - 04:21 PM

@all

They've made some changes to the malware starting with the .rumba extension. I have updated the decrypter to support this new encrypted file format if you were hit by the offline key.

There is a new offline key embedded in the decrypter (v2.0.1.0) for ID D02NfEP94dKUO3faH1jwqqo5f9uqRw2Etn2lP3VB. If you have this ID, the decrypter will now be able to decrypt your files.

[Screenshot: 2019-01-21_1258.png]

[Screenshot: 2019-01-21_1300.png]

https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip

Hello sir.

I have seen your message in the topic and I've tried to decrypt rumba files but there's a problem with this. I have decrypted the files with that decrypter and I got the normal file but the file didn't act like the original file. For example a docx file is empty when I decrypted it.

Plus I have both the .rumba extension and the .ilrkdszxe extension on the same file. There is a sample of both files. When I decrypted the rumba file I got rid of rumba but ilrkdszxe still stays. Is there any solution for this? I have over 6 thousand pictures infected by that bleep. I have no backup or anything. I am desperate like hell :(

https://ufile.io/oaat7
https://ufile.io/9l7gt

#459 Aice400


Posted 21 January 2019 - 04:47 PM

Hello,

Rumba

To get this software you need write on our e-mail:
pdfhelp@india.com

Reserve e-mail address to contact us:
pdfhelp@firemail.cc

Your personal ID:
027OvtLrLmeryfCqytqt1RBbEMCEF4rsN4yIfBU0K3Z

#460 quietman7 (Bleepin' Gumshoe, Global Moderator, Topic Starter)

Posted 21 January 2019 - 04:53 PM


...Plus I have both the .rumba extension and the .ilrkdszxe extension on the same file. There is a sample of both files. When I decrypted the rumba file I got rid of rumba but ilrkdszxe still stays. Is there any solution for this? ...

Crypto malware can be responsible for dual (multiple) infections since it will encrypt any directory or file it can read/write to. Ransomware does not care about the contents of the data or whether your files or drives are already encrypted...it will just encrypt (re-encrypt) them again. Even the same ransomware can encrypt data multiple times with different strains. That means dealing with both ransomwares and both ransom demand payments in order to decrypt data.

Based on infection rates we see, you are most likely infected with a variant of GandCrab V5.

  • GandCrab V5 (V5.0.1) will have a random 5 character extension (i.e. .fbkdp .ibagx .qikka) appended to the end of the encrypted data filename and leave files (ransom notes) named [random extension]-DECRYPT.html (i.e. qikka-DECRYPT.html, eiuhtxjzs-DECRYPT.html).
  • GandCrab V5.0.2 and beyond will have a random 5-9 character extension (i.e. .fnxfavh, .eiuhtxjzs, .ilrkdszxe) appended to the end of the encrypted data filename and leave files (ransom notes) named [random extension]-DECRYPT.html (i.e. fnxfavh-DECRYPT.html, eiuhtxjzs-DECRYPT.html).
  • GandCrab V5.0.4+ will have a random 5-10 upper-case character extension (i.e. .XMMFA, .LUKIZQW, .TKKLKM, .PFBRBHHEVM) appended to the end of the encrypted data filename and leave files (ransom notes) named [random upper-cased extension]-DECRYPT.txt (i.e. LUKIZQW-DECRYPT.txt, TKKLKM-DECRYPT.txt).
  • GandCrab V5.1+, like its predecessors, will also have a random 5-10 upper-case character extension appended to the end of the encrypted data filename.

Bitdefender released a free decrypter for victims of GandCrab V1 with the .GDCB extension and a free decrypter for victims of GandCrab V4 and early versions of V5, recognizable by their extensions...V4 .KRAB and V5, V5.0.1, V5.0.2, V5.0.3 random 5-9 character (i.e. .fbkdp .ibagx .qikka .eiuhtxjzs) respectively. Files encrypted by GandCrab V5.0.4+ are not decryptable at this time without paying the ransom since these versions have been reported to break the Bitdefender decryption tool so it will not work.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click [donation link]
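As an added example (not code from this thread, from STOPDecrypter or from any other tool named here), the Python triage helper below applies the naming rules from the post above: it peels appended extensions off a file name from the right, labels each layer as STOP/Djvu (using the extensions reported in this thread) or as a GandCrab generation (by the extension pattern plus the matching [extension]-DECRYPT note in the same folder), and reports the order in which the layers were applied, which is how a doubly encrypted file like the .rumba + .ilrkdszxe case gets sorted out. The STOP extension list and the sample listing are constructed assumptions.

```python
import re

# STOP/Djvu extensions named in this thread (constructed list, not exhaustive)
STOP_EXTS = {"stop", "djvu", "puma", "promo", "rumba", "pdff", "tfude", "tfudet", "djvut"}

def classify_gandcrab(ext, note_names):
    """Map an appended extension plus the ransom-note names found beside it to a
    GandCrab generation, following the naming rules in the post above."""
    if ext.upper() in ("GDCB", "KRAB"):
        return "GandCrab V1" if ext.upper() == "GDCB" else "GandCrab V4"
    # V5.0-V5.0.3: 5-9 lower-case letters and a note named <ext>-DECRYPT.html
    if re.fullmatch(r"[a-z]{5,9}", ext) and f"{ext}-DECRYPT.html" in note_names:
        return "GandCrab V5.0-V5.0.3"
    # V5.0.4+ and V5.1+: 5-10 upper-case letters and a note named <EXT>-DECRYPT.txt
    if re.fullmatch(r"[A-Z]{5,10}", ext) and f"{ext}-DECRYPT.txt" in note_names:
        return "GandCrab V5.0.4+"
    return None

def peel_layers(filename, note_names):
    """Strip ransomware extensions off the right end of a name, one layer at a time.
    Returns (recovered original name, layers in the order they were applied), so
    name.docx.rumba.ilrkdszxe reports STOP/Djvu first and GandCrab second."""
    parts, layers = filename.split("."), []
    while len(parts) > 1:
        ext = parts[-1]
        if ext.lower() in STOP_EXTS:
            layers.append(f"STOP/Djvu (.{ext})")
        else:
            family = classify_gandcrab(ext, note_names)
            if family is None:
                break  # not a known ransomware extension: the real name starts here
            layers.append(f"{family} (.{ext})")
        parts.pop()
    layers.reverse()  # the outermost extension was appended last
    return ".".join(parts), layers

def triage(listing):
    """Summarise one folder listing as {encrypted name: (original name, layers)}."""
    notes = {n for n in listing if "-DECRYPT." in n}
    return {f: peel_layers(f, notes) for f in listing if f not in notes}

if __name__ == "__main__":
    # Constructed sample listing modelled on the cases reported in this thread
    sample = ["holiday.jpg.rumba.ilrkdszxe", "ilrkdszxe-DECRYPT.html",
              "thesis.docx.tfude", "scan.pdf.LUKIZQW", "LUKIZQW-DECRYPT.txt"]
    for name, (original, layers) in triage(sample).items():
        print(f"{name} -> {original} {layers}")
```

Without the matching ransom note in the folder a random-looking extension is left alone, so a legitimate file whose real extension happens to be five to nine letters is not mislabelled.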


#461 sirheny


Posted 21 January 2019 - 05:03 PM

Hello,

here is Holger from Germany, I have the same problem as most here I think.

STOPDecrypt says:

Unidentified ID: iW1iatU8mul2teup8JklhDNiHiGH5Lpaij4ITpVS

MAC: 00:1A:4D:5A:32:BD

It will be very important to recover all my pictures and the backup of it is infected too...

I'm confused with sending an encrypted file and an original file, I have only encrypted files, I'm looking for something to decrypt back to the original file ?!?!?

Thanks for your help



#462 Anth12


Posted 21 January 2019 - 05:04 PM

Hi!

I have received all your messages, I have to check them.

Please, a lot of you have sent useless messages, please, follow the following steps to send me messages:

- Only one message and thread with all the needed information (encrypted and decrypted file, MAC address and personal ID in the ransom note)

- Send personal ID and MAC address as text in the message (no photos, no files). It is easier to check.

- Send the information, do not send a message to just say you are infected, I am not going to reply to these messages. Just send the information.

- Send the files compressed as ZIP (no RAR or any other format)

- Upload your files to a service in which I do not need to register to download your files (for example: https://uploadfiles.io)

Send only what is necessary and send it as soon as possible. A lot of you won't be able to decrypt your files because the time has passed and there is no way to recover the encryption key. Time is VERY important.

Hi, I got infected by .djvut about a week ago.

- Your personal ID:
0226se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0

- MAC address: 02-03-35-61-62-61

- Zip file: https://ufile.io/x8opd



#463 sirheny


Posted 21 January 2019 - 05:04 PM

Hello,

here is Holger from Germany, I have the same problem as most here I think.

STOPDecrypt says:

Unidentified ID: iW1iatU8mul2teup8JklhDNiHiGH5Lpaij4ITpVS

MAC: 00:1A:4D:5A:32:BD

It will be very important to recover all my pictures and the backup of it is infected too...

I'm confused with sending an encrypted file and an original file, I have only encrypted files, I'm looking for something to decrypt back to the original file ?!?!?

Thanks for your help

#464 SirCosick


Posted 21 January 2019 - 05:11 PM

Hello,

here is Holger from Germany, I have the same problem as most here I think.

STOPDecrypt says:

Unidentified ID: iW1iatU8mul2teup8JklhDNiHiGH5Lpaij4ITpVS

MAC: 00:1A:4D:5A:32:BD

It will be very important to recover all my pictures and the backup of it is infected too...

I'm confused with sending an encrypted file and an original file, I have only encrypted files, I'm looking for something to decrypt back to the original file ?!?!?

Thanks for your help

Hi, Holger.

What they mean by decrypted file is the original version of a now encrypted file, a version you can recover by downloading exactly the same file or recovering it from your inbox/sent tray in your mail. For example, I sent them a .pdf file that was encrypted and a normal version of the same file that I rescued from my mail because I had sent it months ago to someone else.

I don't know if I made myself clear.



#465 quietman7 (Bleepin' Gumshoe, Global Moderator, Topic Starter)

Posted 21 January 2019 - 05:18 PM

...I'm confused with sending an encrypted file and an original file, I have only encrypted files, I'm looking for something to decrypt back to the original file ?!?!?...

In the majority of these cases, victims who say decryption failed or they cannot find a file usually misunderstand where they can find them or what is needed. You only need a single file pair for the decrypter to work...an encrypted file and its exact unencrypted original.

Everyone can always find a clean unencrypted copy of an original file version that was encrypted in order to make a pair...files you downloaded from the Internet that were encrypted and you can download again to get the original; pictures that you shared with family and friends that they can just send back to you; default or sample wallpapers and pictures that were shipped with your Windows version which you can get from another system running the same Windows version.





