Ransomware attack

Status
Not open for further replies.
Hello Ugyen,

I am Karsten and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
  • Read my instructions thoroughly and carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.
  • Note: On weekends I might be slow to reply
-------------------------------------------------------------------

The file extension .erif has been used by STOP/DJVU ransomware. STOP/DJVU ransomware variants after August 2019 are only decryptable if an offline key was used. For variants with an online key you cannot decrypt, but you can repair certain file types.

Please upload an encrypted file and a ransom note to ID Ransomware to confirm that it is indeed STOP/DJVU ransomware. Tell me the result.

Regarding your DM. Please talk to your cousin. Maybe they have a backup of the files. I know you are probably afraid to tell anyone that this happened, but you have to own up to it.
 
Thank you so much for your wonderful response.
[attached screenshot: 1596479904717.png]
Sir, the image above is the result shown in ID Ransomware, sir.
 
Sir, I already tried using the Emsisoft decryptor tool, but it didn't work; it showed that the data is encrypted with an online key.
What should I do now, sir?
 
Please ask if there is any backup of the data on the system. Currently there is no way to get it back the way it was before.

Your options without a backup:

1) Recovery: In rare cases ransomware fails to delete shadow volume copies or fails to delete the original files properly. You can try to recover files via shadow volume copies and file recovery software.
2) Repair: Certain file types, mainly video and audio files, can possibly be repaired with tools like MediaRepair. But these files will lose some data.
3) Wait: Back up encrypted files and a ransom note and wait in case a solution comes up later. Maybe law enforcement gets its hands on the keys, or the criminals publish the keys, as happened with, e.g., GandCrab. I suggest reading the news on this. Emsisoft will update their decrypter if that happens.
4) Pay: There is the option of paying the criminals, but we highly recommend against this step. You will just fund later attacks. You may also pay without getting your files back. These are criminals and as such not trustworthy.

Let me know if you want my assistance in any of these options (except for paying the ransom).
 
Thank you, sir, for your guidance, and I shall be glad if sir could assist me in carrying out recovery via shadow volume copies.
 
  • Please download Shadow Explorer
  • Right-click on the Shadow Explorer archive, click Extract all... and confirm to extract the files
  • In the extracted folder, double-click on ShadowExplorerPortable.exe to run the program
  • Now you can see previous versions of the files on the system. Make sure the correct drive letter is selected (usually "C:" )
  • There is a date on the upper bar. Check if there is a date available that was before the ransomware attack. If the date isn't available, you don't have any shadow volume copies from before and recovery is not possible.
  • Within Shadow Explorer, navigate to files or folders you want to recover
  • To recover: Right-click and click Export... then choose a folder to save the files to and click OK
Let me know if this works.
 
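The Shadow Explorer procedure above, and the "Recovery" option in the earlier list of options, can also be carried out from an elevated PowerShell prompt. The script below is an added example and is not from the thread or from Shadow Explorer: it lists the shadow copies of C: with their creation dates, picks the newest one created before the attack, exposes it as a directory junction, checks that the copy does not already contain .erif files, and copies the wanted folder to another drive. The attack date, the folder to recover and the destination path are assumptions to be adjusted; nothing here decrypts files, it only pulls pre-attack versions out of a shadow copy if one survived.

```powershell
# Added example (not from the original thread): recover a folder from a
# Volume Shadow Copy of C: that predates the ransomware attack.
# Run from an elevated (Administrator) PowerShell prompt.

$AttackDate   = Get-Date '2020-08-01'      # assumed: the day the files were encrypted
$SourceSubdir = 'Users\Ugyen\Documents'    # assumed: folder to recover, relative to C:\
$Destination  = 'D:\Recovered'             # assumed: a different drive, never the infected C:
$Link         = 'C:\ShadowMount'           # junction that will point into the shadow copy

# 1) Find the volume GUID path of C: and every shadow copy that belongs to it.
#    This is the same information "vssadmin list shadows" prints.
$cVolume = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq 'C:').DeviceID
$shadows = Get-CimInstance Win32_ShadowCopy |
           Where-Object VolumeName -eq $cVolume |
           Sort-Object InstallDate

if (-not $shadows) {
    Write-Warning 'No shadow copies of C: exist; the ransomware probably deleted them.'
    return
}

Write-Host 'Shadow copies of C: (creation time, device path):'
foreach ($s in $shadows) { '{0}  {1}' -f $s.InstallDate, $s.DeviceObject }

# 2) Only a copy created BEFORE the attack is useful; take the newest such copy.
$good = $shadows | Where-Object { $_.InstallDate -lt $AttackDate } | Select-Object -Last 1
if (-not $good) {
    Write-Warning 'Every shadow copy was created after the attack; shadow recovery is not possible.'
    return
}
Write-Host "Using shadow copy from $($good.InstallDate)"

# 3) Expose the shadow copy as a directory junction. mklink needs the trailing
#    backslash on the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path.
if (Test-Path $Link) { cmd /c rmdir $Link | Out-Null }
cmd /c mklink /d $Link "$($good.DeviceObject)\" | Out-Null

$src = Join-Path $Link $SourceSubdir
if (-not (Test-Path $src)) {
    Write-Warning "Folder $SourceSubdir does not exist in this shadow copy."
    cmd /c rmdir $Link | Out-Null
    return
}

# 4) Sanity check: a copy taken during or after the attack already holds
#    encrypted files, which would be useless to recover.
$encrypted = Get-ChildItem -Path $src -Recurse -Filter '*.erif' -ErrorAction SilentlyContinue
if ($encrypted) {
    Write-Warning "$($encrypted.Count) .erif files found inside this shadow copy; choose an older copy."
}

# 5) Copy the pre-attack tree out. /E keeps subfolders, /R:1 /W:1 avoids hanging
#    on unreadable files, /NP suppresses per-file progress noise.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
robocopy $src $Destination /E /R:1 /W:1 /NP

# 6) Remove the junction only; rmdir on a junction does not touch the shadow copy.
cmd /c rmdir $Link | Out-Null
```

Compare the recovered files against the encrypted originals (for example by extension and by opening a few of them) before trusting the result, and keep the encrypted copies and the ransom note as the thread advises, since a decrypter may appear later.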
Hello Sir, I tried with shadow recovery, but it shows the date I lost my files. Is there any way that we can repair .pdf files?
 

I am sorry to hear that.
Unfortunately, I don't know of any way to repair PDF files encrypted by STOP. I suggest making a backup in case something changes in the future.

Do you have any other questions?
 
Closing this as it seems we are done here. If you want it to be re-opened, DM me, please.
 