OGDO Ransomware Attack

Status
Not open for further replies.

D_307

New Member
Thread author
Sep 13, 2020
8
My PC got infected by STOP/DJVU ransomware the day before yesterday. All of my files have been encrypted and have gotten the .ogdo extension.
After tons of hours of Googling, I cannot say that I got a definite solution for removing the malware and decrypting the files. After uploading the infected files to the website www.nomoreransom.org, the result was that the files can't be decrypted. The MalwareTips Community website showed a similar conclusion. The malware can be removed, but the encrypted files can't be decrypted. Also, there is a potential risk of double encryption from using fake ransomware.

I had just installed Windows 10 as I was stuck in the 'Fix Automatic Repair' loop and even resetting the PC was not possible. To activate Windows and Office, I downloaded "KMSpico", turned off Defender, and that's where it got infected. The virus protection cannot be turned on right now. Talk about a series of bad luck.

I have started the following process from
Remove OGDO ransomware (Virus Removal Guide)

STEP 1: Use Malwarebytes Free to remove OGDO ransomware
STEP 2: Use HitmanPro to scan for Trojans and other malware
STEP 3: Double-check for malicious programs with Emsisoft Emergency Kit
STEP 4: Restore the files encrypted by the OGDO ransomware


I have scanned twice with all three programs, restarting after each scan. As I was using Chrome, the programs were finding malware in Chrome's files. So I stopped using Chrome, and the third time, all three programs did not find any malware. I am currently reinstalling Windows.

I am not sure if I couldn't post here due to being a new user or I just didn't know how. I hope I have not made any mistakes. I have not used any decryption tool yet. I want to make sure that the malware is 100% gone from the PC and, if possible, I want to decrypt the files, as there are about 600 GB of files and IDK where to put them if I have to wipe the drive later.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Hello D_307,

I am Karsten and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.

------------------------------------------------------

To activate the Windows and Office, I downloaded "KMSpico"

Beware: We discontinue assistance if we find instances of pirated programs on your system. Please make sure to remove all pirated software before you start.

Regarding STOP/DJVU ransomware: For your version, the encrypted files can only be decrypted for free if the malware was not able to reach the key server at the time of infection. In those cases it uses a so-called offline key. Only encryption that uses the offline key can be decrypted by Emsisoft's tool.
Do you have a ransom note that you can share here, so we can determine if the offline key was used?

I am currently reinstalling Windows.
Does that mean you don't need malware removal assistance?
If you reformat and reinstall Windows, it will get rid of most malware.
 
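The question Karsten asks above (does the ransom note point to an offline or an online key?) can be answered from the note alone. The script below is an added example for this thread; it is neither the poster's note nor code from Emsisoft's decryptor. The one rule it applies is taken from Emsisoft's published documentation for the STOP Djvu decryptor: a personal ID that ends in "t1" was produced with the variant's built-in offline key, which is the only case the free decryptor can handle. Both notes embedded below are constructed samples with made-up IDs.

```python
"""Triage a STOP/Djvu ransom note: offline key or online key?

Added example; not the poster's note and not Emsisoft's code. The t1 rule is
from Emsisoft's public STOP Djvu decryptor documentation. The sample notes
and their IDs are constructed.
"""
import re
from typing import Dict, Optional

ID_RE = re.compile(r"Your personal ID:\s*([0-9A-Za-z]+)", re.IGNORECASE)

# Constructed sample shaped like a STOP/Djvu _readme.txt (the ID is made up).
NOTE_OFFLINE = """\
ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted
with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.

Your personal ID:
0241ZaQ9mLpX3kd8Vb2Rt7YwNc5HsJe4GfUiAoDt1
"""

# Same shape, but the ID lacks the t1 marker: generated with a per-victim online key.
NOTE_ONLINE = NOTE_OFFLINE.replace(
    "0241ZaQ9mLpX3kd8Vb2Rt7YwNc5HsJe4GfUiAoDt1",
    "0241Kp7Lm2XzQ8Rv4Bn6Ts9Ww1Yc3Ud5Ef0GhJiRq",
)


def extract_personal_id(note_text: str) -> Optional[str]:
    """Return the personal ID from a _readme.txt note, or None if not found."""
    m = ID_RE.search(note_text)
    return m.group(1) if m else None


def key_type(personal_id: str) -> str:
    """'offline' when the ID carries the t1 suffix, otherwise 'online'."""
    return "offline" if personal_id.endswith("t1") else "online"


def triage_note(note_text: str) -> Dict[str, object]:
    """Summarise what the note says about the chances of free decryption."""
    pid = extract_personal_id(note_text)
    if pid is None:
        return {"id": None, "key": "unknown", "free_decryption_possible": False}
    kind = key_type(pid)
    return {"id": pid, "key": kind, "free_decryption_possible": kind == "offline"}


def triage_file(path: str) -> Dict[str, object]:
    """Convenience wrapper: read a note from disk and triage it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return triage_note(fh.read())


if __name__ == "__main__":
    for label, note in (("offline sample", NOTE_OFFLINE), ("online sample", NOTE_ONLINE)):
        print(label, triage_note(note))
```

An "online" result, as in this thread, means the per-victim key only ever existed on the attackers' server; an "offline" result is the one case worth running the Emsisoft decryptor against.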

D_307

New Member
Thread author
Sep 13, 2020
8
Thank you for your reply. I already reinstalled Windows, but I still want to make sure that the malware is removed. Also, as this is a fresh Windows, there is no pirated software installed. I will be uploading three files: the ransom note '_readme', 'FRST' and 'Addition'.
 

Attachments: Addition.txt (14.1 KB), FRST.txt (28.3 KB), _readme.txt (1.1 KB)

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Most ransomware, including STOP ransomware, doesn't persist but rather deletes itself after infection. So the only things left after such an infection are additional malware (if any arrived; other malware may have used the same infection vector) and potential security holes. Since you reinstalled your system, it is currently as clean as it can get. As long as you stay away from activators, there is a good chance it will stay this way.

The ID in your ransom note indicates that the ransomware used an online key. That means decryption is currently not possible for free.
Your options now:

1) Recovery: In rare cases ransomware fails to delete shadow volume copies or fails to delete the original files properly. You can try to recover files via shadow volume copies and file recovery software.
2) Repair: Certain file types, mainly video and audio files, can possibly be repaired with tools like MediaRepair. But these files will lose some data.
3) Wait: Back up the encrypted files and a ransom note and wait in case a solution comes up later. Maybe law enforcement gets its hands on the keys, or the criminals publish the keys, as happened with, e.g., GandCrab. I suggest reading the news on this. Emsisoft will update their decrypter if that happens.
4) Pay: There is the option of paying the criminals, but we highly recommend against this step. You will just fund later attacks. You may also pay without getting your files back. These are criminals and as such not trustworthy.

Please let me know if you want my assistance to try any of these options (except paying).
 

D_307

New Member
Thread author
Sep 13, 2020
8
Thank you for your reply. I will try the recovery and repair process. I want to know about the encrypted files. I got that the malware is gone after reinstallation, but will it be okay for me to store those files on my PC? Will they infect other files? Or do I have to wipe the drive completely?
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
I got that the malware is gone after reinstallation, but will it be okay for me to store those files on my PC? Will they infect other files? Or do I have to wipe the drive completely?
These files are not infectious in your case. You can keep them without worry, including the ransom note.
I even recommend that you keep a backup of them in case there will be a decryption solution in the future.

  • Please download Shadow Explorer
  • Right-click on the Shadow Explorer archive, click Extract all.. and confirm to extract the files
  • In the extracted folder, double-click on ShadowExplorerPortable.exe to run the program
  • Now you can see previous versions of the files on the system. Make sure the correct drive letter is selected (usually "C:")
  • There is a date on the upper bar. Check if there is a date available that was before the ransomware attack. If the date isn't available, you don't have any shadow volume copies from before and recovery is not possible.
  • Within Shadow Explorer, navigate to files or folders you want to recover
  • To recover: Right-click and click Export... then choose a folder to save the files to and click OK
Let me know if this works.
 
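Option 1 ("Recovery") in the earlier post and the Shadow Explorer steps above both come down to one check: is there a shadow copy of the volume that was created before the attack? The script below does that check by parsing the output of `vssadmin list shadows` (run from an elevated prompt on the Windows host). It is an added example, not part of the thread and not Shadow Explorer's code; the vssadmin output embedded in it is a constructed sample with placeholder GUIDs and machine names, and the date format assumed is the en-US one vssadmin prints, so other locales need a different `strptime` pattern.

```python
"""Look for Volume Shadow Copies that predate the infection.

Added example, not from the thread. Sample output is constructed (placeholder
GUIDs); TIME_FMT assumes en-US vssadmin output.
"""
import re
import subprocess
from datetime import datetime
from typing import Dict, List

# Constructed sample of `vssadmin list shadows` output; GUIDs and host names are placeholders.
SAMPLE_VSSADMIN = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 9/10/2020 8:02:11 PM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000aa}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DESKTOP-SAMPLE
         Service Machine: DESKTOP-SAMPLE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 9/13/2020 3:45:09 PM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000bb}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: DESKTOP-SAMPLE
         Service Machine: DESKTOP-SAMPLE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

CREATED_RE = re.compile(r"creation time:\s*(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)")
VOLUME_RE = re.compile(r"Original Volume:\s*\(([A-Za-z]:)\)")
DEVICE_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"   # en-US vssadmin output; adjust for other locales


def parse_vssadmin(text: str) -> List[Dict[str, object]]:
    """Turn `vssadmin list shadows` output into a list of shadow copy records."""
    copies = []
    for block in text.split("Contents of shadow copy set ID:")[1:]:
        created = CREATED_RE.search(block)
        volume = VOLUME_RE.search(block)
        device = DEVICE_RE.search(block)
        if not (created and volume and device):
            continue  # malformed or truncated block: skip rather than guess
        copies.append({
            "created": datetime.strptime(created.group(1), TIME_FMT),
            "volume": volume.group(1).upper(),
            "device": device.group(1),
        })
    return copies


def copies_before(text: str, infection_time_iso: str, volume: str = "C:") -> List[Dict[str, object]]:
    """Shadow copies of `volume` created before the infection time (ISO 8601, e.g. '2020-09-11T12:00:00').

    Newest pre-infection copy first. A copy created after the attack only holds
    the encrypted files, so it is useless for recovery and is left out.
    """
    cutoff = datetime.fromisoformat(infection_time_iso)
    hits = [c for c in parse_vssadmin(text) if c["volume"] == volume.upper() and c["created"] < cutoff]
    return sorted(hits, key=lambda c: c["created"], reverse=True)


def list_shadows_live() -> str:
    """Run vssadmin on the Windows host itself (needs an elevated prompt)."""
    result = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for c in copies_before(SAMPLE_VSSADMIN, "2020-09-11T12:00:00"):
        print(c["created"], c["volume"], c["device"])
```

In this thread the poster's only copy was dated after the reinstall, which is the `[]` case: nothing to export, so the next step is file carving.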

D_307

New Member
Thread author
Sep 13, 2020
8
Thanks for your reply. I tried Shadow Explorer, but the only date that was shown was the day I reinstalled Windows.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Let's try another tool. But be aware that this might not be successful either.
  • Please download PhotoRec, choose Windows 64-bit from that list.
  • Right-click on the testdisk-7.1.win64.zip archive and click Extract all.
  • Now navigate into the extracted folder and run qphotorec_win.exe
  • Select your Hard Disk from the list.
  • Make sure that FAT/NTFS/HFS+/ReiserFS is selected
  • Choose a destination for your recovered files by clicking on the "Browse" button
  • Now click "Search" and the tool will start recovering. Wait for it to finish, then click Quit
You will find recovered files in the selected destination folder.
If you had any external drives encrypted, you may try the same on them.

Please tell me if this worked for you.
 
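PhotoRec does not use the file system at all: it scans the raw bytes of the disk for known file headers and trailers ("carving"). That is why the results the poster reports below look the way they do: carving brings back whatever intact files still sit in free space (often cache and system files, and the same file more than once when several copies exist), and it cannot bring back a file whose header bytes were encrypted, because the signature it searches for is gone. The minimal carver below is an added example written for this thread, not PhotoRec's code. Its "disk image" is a constructed byte string: a real 1x1 PNG built from scratch, a JPEG that is only a signature-correct stub, and deterministic noise that stands in for ciphertext and free-space garbage.

```python
"""Signature-based file carving, the technique PhotoRec applies.

Added example, not PhotoRec's code. Every input here is constructed:
the PNG is generated, the JPEG is a stub, NOISE stands in for ciphertext.
"""
import struct
import zlib
from typing import Dict, List, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# kind -> (header, trailer, bytes from the trailer's start that still belong to the file)
SIGNATURES = {
    "png": (PNG_MAGIC, b"IEND", 8),            # 'IEND' tag + 4-byte CRC
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2),  # SOI ... EOI
}


def _chunk(tag: bytes, data: bytes) -> bytes:
    """One PNG chunk: length, tag, data, CRC32 over tag+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def make_png() -> bytes:
    """A valid 1x1 RGB PNG, built from scratch so the example has real chunk CRCs."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_chunks_valid(data: bytes) -> bool:
    """Walk the chunks and check every CRC; a carved PNG that fails here is junk."""
    if not data.startswith(PNG_MAGIC):
        return False
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False
        if struct.unpack(">I", crc)[0] != (zlib.crc32(tag + body) & 0xFFFFFFFF):
            return False
        pos += 12 + length
        if tag == b"IEND":
            return True
    return False


def carve(image: bytes, kind: str) -> List[Tuple[int, bytes]]:
    """Return (offset, bytes) for every header..trailer span of `kind` in the image."""
    header, trailer, tail = SIGNATURES[kind]
    found, pos = [], 0
    while True:
        start = image.find(header, pos)
        if start < 0:
            break
        end = image.find(trailer, start + len(header))
        if end < 0:
            break  # header without trailer: truncated file, nothing to carve
        end += tail
        found.append((start, image[start:end]))
        pos = end
    return found


# Deterministic noise with no 0xFF byte, so it can never form a JPEG marker or PNG magic.
# Stands in for ciphertext and unallocated garbage (constructed, not real data).
NOISE = bytes((i * 37 + 11) % 251 for i in range(256))


def build_sample_image() -> bytes:
    """Constructed 'disk image': one PNG twice, one stub JPEG, one PNG with an encrypted header."""
    png = make_png()
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(200)) + b"\xff\xd9"
    encrypted_png = NOISE[:32] + png[32:]  # magic and IHDR overwritten; IEND still present
    return NOISE + png + NOISE + jpg + NOISE + encrypted_png + NOISE + png + NOISE


def summarize(image: bytes) -> Dict[str, Dict[str, object]]:
    """Per type: how many carved, how many distinct, how many PNGs pass CRC validation."""
    report = {}
    for kind in SIGNATURES:
        hits = carve(image, kind)
        report[kind] = {
            "found": len(hits),
            "distinct": len({data for _, data in hits}),
            "intact": sum(png_chunks_valid(d) for _, d in hits) if kind == "png" else None,
        }
    return report


if __name__ == "__main__":
    print(summarize(build_sample_image()))
```

Run on the sample image, the carver finds the PNG twice (the same bytes, hence "the same files were restored multiple times"), finds the JPEG stub once, and never sees the copy whose first 32 bytes were overwritten, even though the rest of that file is still on the disk. The CRC walk is the kind of check that separates a genuinely intact carve from a header that happens to be followed by unrelated data.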

D_307

New Member
Thread author
Sep 13, 2020
8
I can't say it worked either. Most of the recovered files were system files. Maybe 2% of files were restored but same files were restored multiple times.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Download and run MediaRepair.
The tool can repair 6 file types: MP3, WAV, MP4, MOV, M4V, 3GP

For most file types, you need a reference file, that is, a non-encrypted file of the same file format as the encrypted ones. Video files will need this reference file. File types like MP3 do not need one.
  1. Run MediaRepair.
  2. Select a file type.
  3. Navigate to the folder with your encrypted files.
  4. Now select one of your encrypted files and click on the Test button to check if the file can be repaired (see the screenshot below to find the button).
    • Note: If the program tells you at this point that it cannot repair these files, abort and continue with another file type.
  5. Now select a reference file that is not encrypted and has the same file type and click on the Select Reference button (see the screenshot below).
    • Note: If you have several reference files, prefer the smallest.
  6. Select the encrypted files you want to repair and click on the Play button (below the file types) to start the repair.
  7. Now wait for the program to finish.
  8. Navigate to your encrypted files; you should find a folder named FIXED in there. This folder contains your repaired files.
[Screenshot: media_repair_btns.png, showing the Test, Select Reference and Play buttons in MediaRepair]
 

D_307

New Member
Thread author
Sep 13, 2020
8
Thank you for your reply. It didn't work either. The files I really want to decrypt are photos and documents. Like, text files, html, docx, pdf.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Unfortunately this is all we can do at this time. I am sorry that you lost your files.

You can keep a backup of your files and one ransom note and check from time to time if a solution is available. Especially the news section on Bleepingcomputer.com is fully up to date on ransomware decrypters.

Do you have any questions?
 

D_307

New Member
Thread author
Sep 13, 2020
8
Thank you so much for helping me. I don't have any more questions. You can close the thread. Thank you again.
 