Sagar_2020

Level 1
Hello Team,

Could you please help me to decrypt all files on my personal laptop.

1. My laptop was attacked by ransomware, i.e. .pezi; below is the information, also a text file demanding $490 ransom.
2. I have already tried the steps given in one of your articles - How to remove PEZI ransomware (Virus Removal Guide) - but it didn't help.
3. The reason is: encryption was done using an ONLINE key, so Emsisoft is unable to decrypt the files.
4. This attack happened on 1st of June 2020.

Please help me to recover/decrypt all files. Thank you very much in advance.

Contact: restoreadmin@firemail.cc, helpmanager@mail.ch
Ransom amount: $490/$980 in Bitcoins

nasdaq

Moderator
Verified
Staff member
Hello, Welcome to MALWARETIPS.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

.Pezi belongs to the family of ransomware called Djvu.

Navigate to this topic.

Submit a sample of the compromised files for their review.
They will reply and let you know what you are dealing with.

From what we know now, your files are not recoverable.
Your only solution would be to restore the files from a good backup if you have one.

The compromised files can be transferred to a CD or Flash drive.
Should a solution be found in the future you may be able to restore them.

Good luck.
<<<>>>

Sagar_2020

Level 1
Sure, I will check then. Thank you. I was expecting some tools where I can decrypt files.

struppigel

Moderator
Verified
Staff member
3. Reason is - encryption is done using ONLINE key so EMSISOFT is unable to decrypt files.
...
I was expecting some tools where I can decrypt files.
Hello Sagar_2020,

Unfortunately you have an undecryptable version of STOP/DJVU ransomware encryption. That means there is no tool that will help you decrypt your files without a key. The only ones able to do that are the criminals who have the key.
Please be aware that there are currently also fake decrypters for STOP ransomware which will encrypt files a second time. If anyone claims they have a decrypter for STOP, do NOT trust them.

Your options now:

1) In rare cases ransomware fails to delete shadow volume copies or fails to delete the original files properly. You can try to recover files via shadow volume copies and file recovery software.
2) Backup your encrypted files and a ransom note and wait in case a solution comes up later. Maybe law enforcement gets hands on the keys or the criminals publish the keys as it happened with, e.g., GandCrab. I suggest reading the news on this. Emsisoft will update their decrypter if that happens.
3) There is of course always the option of paying the criminals, but we highly recommend against this step. You will just fund later attacks. You may also pay without getting your files back. These are criminals and as such not trustworthy.

Please let us know if you have any questions.

struppigel

Moderator
Verified
Staff member
Hello. I have some good news, so I will re-open the topic.

There is a tool that can repair some audio and video files encrypted by STOP ransomware.
Please note that repairing is not the same as decrypting. Some data is still lost, so only certain file formats can be repaired.

You will need a non-encrypted file for each file type for reference.

Please reply back if you want to try this.

struppigel

Moderator
Verified
Staff member
The tool can repair 6 file types: MP3, WAV, MP4, MOV, M4V, 3GP
If you have such files encrypted by STOP ransomware, download and run MediaRepair.

For most file types, you need a reference file, that is, a non-encrypted file of the same file format as the encrypted ones. Video files will need this reference file. File types like MP3 do not need one.
  1. Run MediaRepair.
  2. Select a file type.
  3. Navigate to the folder with your encrypted files.
  4. Now select one of your encrypted files and click on the Test button to check if the file can be repaired (see image below to find the button).
    • Note: If the program tells you at this point that it cannot repair these files, abort and continue with another file type.
  5. Now select a reference file that is not encrypted and has the same file type and click on the Select Reference button (see image below).
    • Note: If you have several reference files, prefer the smallest.
  6. Select the encrypted files you want to repair and click on the Play button (below the file types) to start repair.
  7. Now wait for the program to finish.
  8. Navigate to your encrypted files; you should find a folder named FIXED in there. This folder contains your repaired files.
Please report back to me and tell me if this worked for you.

Sagar_2020

Level 1
Hey @struppigel ,

Thank you for your update.

Unfortunately that given software didn't work as expected on my mp4 file. I tried the way that you have mentioned, as is.
Media Repair accepted that file, saying it can repair that file, so after clicking the Play button it gave me the below message; however the files at that location are not recovered.
When I went to that folder, I saw a text file created by Media Repair; it says, please see attached .txt file for log.
Also I am attaching an mp4 file so that you can try it on your side.
**************
GOPR7456.MP4.pezi
Can't find header in sample.
760164508
760164508
0 bytes removed/added

========================================================

On the other hand, I tried different solutions/apps which have helped me to recover a few files like JPG, PDF, a few MP4 files.

I have used PhotoRec, which seems to be working well for me; however, there are 2 drawbacks I found with it.
1. It has not recovered full data/complete files.
2. When it recovers data, it does not keep the file name the same as the encrypted one, so it is hard to know by reading the name which file it is (so the filename is getting lost).

I am still unable to recover my JPEG, all JPG, PNG, MP4 files, and also an important one is a small .NET project I developed for my client, which is lost.
For that I am able to recover data using ShadowExplorer; however that backup is from 2 months back, which means I have to rework the code that I have completed.
www.spyware-ru.com/en/how-to-remove-pezi-ransomware-decrypt-pezi-files/

Even that I can rework :( .

Also one more option I see is good, but that is a fully paid service, you might be knowing it: Stellar Data Recovery. Their primary searching app is giving me data; however, to recover I have to buy the paid version, which again I am not ready to pay for yet, so let's see how it goes.

So please let me know what else we can try? I am more interested in JPG, JPEG files because I will be losing all my photos from my last 2-3 years of mobile photo backup. I will give you one copy of that file as well.

struppigel

Moderator
Verified
Staff member
Hi again. I am awake far too early and now I do have some time before we leave for a trip ;)

Thank you very much for the detailed feedback!

I am sorry to hear that it didn't work as expected. Sometimes, an essential structure of the file is encrypted and in those cases file recovery software fails to repair them.

Please put an encrypted file and a reference file of the same file type in a password protected archive.
E.g. using 7-Zip:
  • right-click on the folder you want to send to me, click 7-Zip, click "Add to archive"
  • on the right lower part below "Encryption" enter the password "novirus" (without the quotes)
  • click "OK" and wait for it to finish
Now upload the password protected archive to a file sharing service (wetransfer.com, gofile.io, dropbox) and post the link.

Reason for the password: Some Antivirus scanners detect ransomware encrypted files although they are not malicious. The password will prevent them from doing that, so that file transfer services don't reject the upload.

1. it has not recovered full data/complete files.
About this point, other software will not be better either. These files are encrypted partially and the encrypted part is lost. File recovery software just uses everything that's not encrypted and tries to make a working file out of it again. That's why only part of the file is recovered.
If any software recovers complete files, it takes them from somewhere else, e.g., earlier versions you deleted, or similar.

So please let me know what else we can try ? I am more interested in JPG, JPEG files
JPEG files are hard to recover for file recovery software if the header is encrypted by ransomware because they need a human eye to make them look decent again.
Please take a look at this video (first half is enough). Note: The tool he uses is not for free.
What you can see here is: It is possible to repair your files, but it is a tedious task that's very hard to automate. I guess data recovery firms could do that but considering how long it takes to just do that for one file, it might cost quite some money.
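Added triage helper, written for this thread in Python; it is not a MalwareTips, Emsisoft or MediaRepair tool and it decrypts nothing. It applies the partial-encryption point above to a folder of .pezi files: it checks whether a file's plaintext header survived or only structure further in did, which decides between plain carving (PhotoRec) and reference-file or manual header repair. Assumptions: the format signatures come from the public specs, the 64 KiB tail window is a guess at where unencrypted data remains, and the sample bytes are constructed.

```python
import os
import re

RANSOM_EXT = ".pezi"
# Assumption: STOP/Djvu encrypts the start of each file, so later structure is searched
# for only in the tail; a 2-byte hint can hit by chance in a fully encrypted small file.
TAIL_BYTES = 64 * 1024
# Plaintext signatures from the public format specs: (offset, bytes).
HEADER_MAGIC = {
    ".jpg": (0, b"\xff\xd8\xff"), ".jpeg": (0, b"\xff\xd8\xff"),
    ".png": (0, b"\x89PNG\r\n\x1a\n"), ".mp3": (0, b"ID3"),
    ".mp4": (4, b"ftyp"), ".mov": (4, b"ftyp"), ".m4v": (4, b"ftyp"), ".3gp": (4, b"ftyp"),
}
# Structure that normally sits deep in the file. Not anchored to end-of-file,
# because the ransomware appends its own footer after the original data.
BODY_HINT = {
    ".jpg": rb"\xff\xd9", ".jpeg": rb"\xff\xd9", ".png": rb"IEND\xaeB`\x82",
    ".mp3": rb"\xff[\xf2\xf3\xfa\xfb]",  # simplified MPEG Layer III frame sync
    ".mp4": rb"moov|mdat", ".mov": rb"moov|mdat", ".m4v": rb"moov|mdat", ".3gp": rb"moov|mdat",
}

def original_extension(name):
    """'GOPR7456.MP4.pezi' -> '.mp4': strip the extension the ransomware appended."""
    if name.lower().endswith(RANSOM_EXT):
        name = name[:-len(RANSOM_EXT)]
    return os.path.splitext(name)[1].lower()

def triage(name, data):
    """Classify one encrypted file's repair prospects from its raw bytes."""
    ext = original_extension(name)
    if ext not in HEADER_MAGIC:
        return "unsupported type"
    off, magic = HEADER_MAGIC[ext]
    if data[off:off + len(magic)] == magic:
        return "header intact: try carving (PhotoRec)"
    if re.search(BODY_HINT[ext], data[-TAIL_BYTES:]):
        return "header encrypted, body survives: try repair (reference file for video)"
    return "no recognizable structure: keep the file for later"

def triage_directory(root):
    """Walk a folder and triage every file carrying the ransomware extension."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(RANSOM_EXT):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    report[f] = triage(f, fh.read())
    return report

# Constructed sample, not a real encrypted file: scrambled-looking start, plaintext tail, footer.
SAMPLE_JPEG = bytes(range(256)) * 4 + b"\xff\xd9" + b"<constructed footer>"
```

Run `triage_directory` on a copy of the encrypted folder; the verdicts only sort files for the tools discussed in the thread and never modify anything.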


struppigel

Moderator
Verified
Staff member
Hi Sagar_2020,

These files cannot be repaired by this tool. The corruption is too big to make it possible.
I am afraid, there isn't more I can do for you at this moment and I still advise you to keep the encrypted files in case something comes up later.

Since you reported success with some of the files using Photorec I will recommend this tool for others who are in the same situation.

Sagar_2020

Level 1
Thank you @struppigel , sure will keep those encrypted files.

Thanks for your time and efforts @struppigel, and thanks to MalwareTips.com for helping people like us :( .

Please keep me in loop if something comes up from your side on this issue.

I will keep working on that issue and will keep you posted here. Soon I will be going to one person who is a dealer of QuickHeal; he is going to try to get some help from the QH team to see if they can solve it. So fingers crossed.