Ransomware Stop DJVU "SGLH" Extension

Status
Not open for further replies.

Psoares

New Member
Thread author
Dec 14, 2020
6
Good afternoon,
First of all I would like to be thankful and congratulate all the people working and supporting users like me who come across this kind of thing..

A couple of weeks ago I too got my files on an external HDD encrypted by the "SGLH" extension (virus)..

In there I have thousands of photos of my son and personal works of all my life.. You can not imagine how I'm feeling right now.. I could k*** one of those bastards. Just point me to one.. I'm a single worker and a father who surely does not deserve to go through this kind of thing..
We are living in a bloody world.. that's what it is.

Bottom line... for all I've read so far.. and because I was hacked online there's nothing I can do so far.. just simply wait for a kind soul to find a solution one of these days.

I'm going to keep the HDD waiting for that day because I believe somebody will come up with a solution in the future.

But this disgusts me and if one day I catch..

So I created this thread for others who will surely come, and hope that one day somebody could see this and respond with a solution.

Best regards to all the people supporting.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Hello Psoares

I am Karsten and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.
  • Note: On weekends I might be slow to reply
-------------------------------------------------------------------

Step 1: Ransomware Identification

The file extension .igdm has been used by STOP/DJVU ransomware. STOP/DJVU ransomware variants after August 2019 are only decryptable if an offline key was used. For variants with an online key you cannot decrypt, but you can repair certain file types.

Please upload an encrypted file and a ransom note to id-ransomware to confirm that it is indeed STOP/DJVU ransomware. Tell me the result.
 

Psoares

New Member
Thread author
Dec 14, 2020
6
Hello Struppigel,
Before I created this thread I had already downloaded "Emsisoft" and submitted my HDD to it. It says:

"This ID appears to be an online ID. Decryption is impossible".

Thanks
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
This ransomware is not decryptable if your files have been encrypted with an online key.

Your options without a backup:

1) Recovery: In rare cases ransomware fails to delete shadow volume copies or fails to delete the original files properly. You can try to recover files via shadow volume copies and file recovery software.
2) Repair: Certain file types, mainly video and audio files, can possibly be repaired with tools like MediaRepair. But these files will lose some data.
3) Wait: Back up encrypted files and a ransom note and wait in case a solution comes up later. Maybe law enforcement gets its hands on the keys or the criminals publish the keys, as happened with, e.g., GandCrab. I suggest reading the news on this. Emsisoft will update their decrypter if that happens.
4) Pay: There is the option of paying the criminals, but we highly recommend against this step. You will just fund later attacks. You may also pay without getting your files back. These are criminals and as such not trustworthy.

Please let me know if you want assistance with recovery or repair.
 

Psoares

New Member
Thread author
Dec 14, 2020
6
Hello again,

"Please let me know if you want assistance with recovery or repair."

Yes, I'll be thankful for all the help you may give me. Meanwhile... I just bought an official Internet security and am installing it..

Thanks in advance
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
  • Please download Shadow Explorer
  • Right-click on the Shadow Explorer archive, click Extract all... and confirm to extract the files
  • In the extracted folder, double-click on ShadowExplorerPortable.exe to run the program
  • Now you can see previous versions of the files on the system. Make sure the correct drive letter is selected (usually "C:")
  • There is a date on the upper bar. Check if there is a date available that was before the ransomware attack. If the date isn't available, you don't have any shadow volume copies from before and recovery is not possible.
  • Within Shadow Explorer, navigate to files or folders you want to recover
  • To recover: Right-click and click Export..., then choose a folder to save the files to and click OK
Let me know if this works.
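The date check in the Shadow Explorer steps above can also be done from the command line. The following script is an added example, not part of the thread or of Shadow Explorer: it lists every Volume Shadow Copy on the machine with its drive letter and creation time and reports, per drive, whether any snapshot predates the attack. It assumes Windows with VSS, an elevated PowerShell prompt, and an attack date you fill in (the default is a constructed placeholder).

```powershell
# Added example: list VSS snapshots per drive and flag those older than the attack.
# Run from an elevated PowerShell prompt; read-only, it changes nothing on the system.
param(
    # Constructed placeholder: replace with the date your files were encrypted.
    [datetime]$AttackDate = (Get-Date '2020-12-01')
)

# VSS reports volumes as \\?\Volume{GUID}\; map those IDs to drive letters (C:, F:, ...).
$letterById = @{}
Get-CimInstance -ClassName Win32_Volume | Where-Object DriveLetter | ForEach-Object {
    $letterById[$_.DeviceID] = $_.DriveLetter
}

# One row per shadow copy. InstallDate is the snapshot's creation time.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
    $drive = if ($letterById.ContainsKey($_.VolumeName)) { $letterById[$_.VolumeName] } else { $_.VolumeName }
    [pscustomobject]@{
        Drive          = $drive
        Created        = $_.InstallDate
        ShadowID       = $_.ID
        PreDatesAttack = ($_.InstallDate -lt $AttackDate)
    }
} | Sort-Object Drive, Created

$shadows | Format-Table Drive, Created, PreDatesAttack, ShadowID -AutoSize

# Per-drive verdict: recovery via shadow copies only makes sense where a pre-attack snapshot exists.
foreach ($drive in ($shadows.Drive | Sort-Object -Unique)) {
    $usable = @($shadows | Where-Object { $_.Drive -eq $drive -and $_.PreDatesAttack })
    if ($usable.Count -gt 0) {
        "{0} {1} snapshot(s) from before {2:d}; oldest is {3:g}" -f $drive, $usable.Count, $AttackDate, $usable[0].Created
    } else {
        "{0} no snapshot from before {1:d}; shadow-copy recovery is not possible for this drive" -f $drive, $AttackDate
    }
}
```

A drive that never appears in the output has no shadow copies at all, which is the usual case for an external disk unless System Protection was enabled for it; that matches Shadow Explorer showing no dates for that drive.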
 

Psoares

New Member
Thread author
Dec 14, 2020
6
Good afternoon Struppigel,

Did what you told me. Shadow Explorer works fine just like you mentioned on "C:".

Some stuff recovered from "C:" but no recovery of what I need, because everything is on my external HDD.

Shadow Explorer recognizes the folder "F:" of my HDD but nothing appears. So I changed the settings and set hidden files to be shown on the external HDD.
The external HDD has some backups in its own Recycle Bin but doesn't allow me to access them.. :(
I can't even access the Volume System of the external HDD but it's there.

So .. I'm stuck..
I don't mind paying or rewarding someone who can restore my files. But never those bastards... if I did so it would encourage those criminals, and that I will never do... I can lose my data but I will never surrender to them. Ever!

Best regards
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Let's try another tool. Be aware that this might not be successful either.
  • Please download PhotoRec, choose Windows 64-bit from that list.
  • Right-click on the testdisk-7.1.win64.zip archive and click Extract all...
  • Now navigate into the extracted folder and run qphotorec_win.exe
  • Select your hard disk from the list.
  • Make sure that FAT/NTFS/HFS+/ReiserFS is selected
  • Choose a destination for your recovered files by clicking on the "Browse" button
  • Now click "Search" and the tool will start recovering. Wait for it to finish, then click Quit
You will find recovered files in the selected destination folder.

Please tell me if this worked for you.
 