Assigned STOP/DJVU ransomware .miia variant

This thread is being handled by a member of the staff.
Status
Not open for further replies.

datnguyen8128

New Member
Thread author
Jan 2, 2022
7
So about 3-4 days ago I was struck by this STOP/Djvu ransomware, .miia variant using an online key. I wasn't able to recover much file using PhotoRec as the hard drive that I was using for archiving our photos and videos was used over half. The SD card I plugged in at the moment was also encrypted. TunaDisk Media Recovery repaired some MP3s and MP4s but that wasn't much of what I've lost because Joep didn't find out a fix for big video files yet. Thanks if you helped, and also if you know any jpeg repair tool other than JPEG-Repair then please tell me.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Hello datnguyen8128,

You have done very good research and already found the relevant tools and possibilities to recover files.
Unfortunately there is not much else you can do. This variant of ransomware encryption is not breakable.

There are only two other things I want to mention:
1. If you have a cloud service like Google Drive, DropBox, OneDrive, you may be able to get previous versions of files.
2. If you have ransomware encrypted archives, remove the ransomware extension and try to extract files from them.

Apart from that you can only save the encrypted files alongside with a ransom note and wait for law enforcement to get hands on the criminal's keys.

I made a STOP/DJVU ransomware vaccine which may interest you as well (it is not a silver bullet, though): GitHub - struppigel/STOP-DJVU-Ransomware-Vaccine: Vaccine for STOP/DJVU ransomware, prevents encryption
The file can be downloaded here: Release STOP/DJVU Vaccine v1.0 · struppigel/STOP-DJVU-Ransomware-Vaccine
 

datnguyen8128

New Member
Thread author
Jan 2, 2022
7
Hello datnguyen8128,

You have done very good research and already found the relevant tools and possibilities to recover files.
Unfortunately there is not much else you can do. This variant of ransomware encryption is not breakable.

There are only two other things I want to mention:
1. If you have a cloud service like Google Drive, DropBox, OneDrive, you may be able to get previous versions of files.
2. If you have ransomware encrypted archives, remove the ransomware extension and try to extract files from them.

Apart from that you can only save the encrypted files alongside with a ransom note and wait for law enforcement to get hands on the criminal's keys.

I made a STOP/DJVU ransomware vaccine which may interest you as well (it is not a silver bullet, though): GitHub - struppigel/STOP-DJVU-Ransomware-Vaccine: Vaccine for STOP/DJVU ransomware, prevents encryption
The file can be downloaded here: Release STOP/DJVU Vaccine v1.0 · struppigel/STOP-DJVU-Ransomware-Vaccine
Hello struppigel,

A few months ago I was attacked by the same ransomware on my other laptop but it's .mmpa variant so I tried all steps I did on that other laptop to see if I can get back any file. Unfortunately no media was stored in an archive file so I guess I'll have to wait for any law enforcement or key breach possible and do recovery by hand for now.

I also downloaded your vaccine tool after looking up for similar threads on this forum and tried installing it but it says api-ms-win-core-path-l1-1-0.dll is missing (the reason seems to be the ransomware because it infected my Windows 10 partition and tried to encrypt all other drives/partitions but I was able to partly recover my Windows 7 partition using Shadow Copies on that Windows 7). Is there any way to fix this, because SFC didn't seem to be able to recover the DLL.

Also the ransomware seems to fail encrypting some deeply nested files (I think perhaps the directory length exceeded the limit or something).
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
You can create the vaccine manually.
Open notepad.

Copy and paste the following text (the content is important):

{"public_key":"this is a vaccine do not remove","id":" You were protected by STOP vaccine"}

Click on Save As ...

Now navigate to localappdata, generally this is in:
C:\Users\<username>\AppData\Local

Save the file under the name C:\Users\<username>\AppData\Local\bowsakkdestx.txt

A previously infected system may already have such a file there. But since you don't have the key, I recommend you replace it with the vaccine file. Otherwise a re-infection of your system may use the same key that was used before and you still can't decrypt the files.
Note: Security software might detect bowsakkdestx.txt as malicious because it belongs to STOP ransomware. But it is just a text file, it doesn't do anything else than sit there.
 

datnguyen8128

New Member
Thread author
Jan 2, 2022
7
You can create the vaccine manually.
Open notepad.

Copy and paste the following text (the content is important):

{"public_key":"this is a vaccine do not remove","id":" You were protected by STOP vaccine"}

Click on Save As ...

Now navigate to localappdata, generally this is in:
C:\Users\<username>\AppData\Local

Save the file under the name C:\Users\<username>\AppData\Local\bowsakkdestx.txt

A previously infected system may already have such a file there. But since you don't have the key, I recommend you replace it with the vaccine file. Otherwise a re-infection of your system may use the same key that was used before and you still can't decrypt the files.
Note: Security software might detect bowsakkdestx.txt as malicious because it belongs to STOP ransomware. But it is just a text file, it doesn't do anything else than sit there.
I've done it on both my infected W10 partition and uninfected W7 partition. Is there anything else?

Also here's a little update: I was able to repair quite a lot of photos I took on my DSC-S950 using JpegMedic ARWE, but some of them have to be calibrated to match the original pic. Joep suggested me to try it because his JPEG-Repair didn't work for me even when I put those same corrupted and reference files into JPEG-Repair.
 
  • Like
Reactions: Gandalf_The_Grey

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
I've done it on both my infected W10 partition and uninfected W7 partition. Is there anything else?

Also here's a little update: I was able to repair quite a lot of photos I took on my DSC-S950 using JpegMedic ARWE, but some of them have to be calibrated to match the original pic. Joep suggested me to try it because his JPEG-Repair didn't work for me even when I put those same corrupted and reference files into JPEG-Repair.

There is nothing else from me.

Thank you, I will recommend this tool as a possible way to repair JPEG files.
 

datnguyen8128

New Member
Thread author
Jan 2, 2022
7
There is nothing else from me.

Thank you, I will recommend this tool as a possible way to repair JPEG files.
I think you should recommend both tools (+ Media_Repair, also by Joep @ DiskTuna), as JPEG-Repair may not work for me but may work for others. After all, it still depends on the photo file size because the first 150KB of the file is encrypted.
 
  • Like
Reactions: Gandalf_The_Grey

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
I think you should recommend both tools (+ Media_Repair, also by Joep @ DiskTuna), as JPEG-Repair may not work for me but may work for others. After all, it still depends on the photo file size because the first 150KB of the file is encrypted.
Yes, I agree. I already knew MediaRepair and recommended it before, so I did not mention it.
 

datnguyen8128

New Member
Thread author
Jan 2, 2022
7
Also this thread is pretty old already but do you know how to fully remove the ransomware? Windows 7 works just fine but now I need to boot back into my Windows 10 to use PowerPoint 2016 and some apps I had on there. I scanned the W10 partition using Avast for like 3 times and removed all suspicious files using Unlocker 1.9.2 but I don't know if that much is safe enough yet.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Also this thread is pretty old already but do you know how to fully remove the ransomware? Windows 7 works just fine but now I need to boot back into my Windows 10 to use PowerPoint 2016 and some apps I had on there. I scanned the W10 partition using Avast for like 3 times and removed all suspicious files using Unlocker 1.9.2 but I don't know if that much is safe enough yet.
Hi again. I currently have no time to take care of this. Can either @nasdaq or @icotonev assist in cleaning this system?
 

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,425
Hi I', Nasdaq

Let's see what we can idenfy that may be causing issues.
Run this tool in your Windows 10 computer.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:
L7kNU5y.jpg

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
[img=[URL]http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png[/URL]]

Attach the file(s). A 2 Steps process.
Reply to this topic.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.

Let me know what problems persists.

Wait for further instructions

p.s.

The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
<<<>>>
 

datnguyen8128

New Member
Thread author
Jan 2, 2022
7
Hi I', Nasdaq

Let's see what we can idenfy that may be causing issues.
Run this tool in your Windows 10 computer.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:
L7kNU5y.jpg

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
[img=[URL]http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png[/URL]]

Attach the file(s). A 2 Steps process.
Reply to this topic.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.

Let me know what problems persists.

Wait for further instructions

p.s.

The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
<<<>>>
 

datnguyen8128

New Member
Thread author
Jan 2, 2022
7
My Addition.txt log. For some reason I can't paste or attach the FRST log post the reply with the FRST log pasted directly or attach the log with the reply.
 

Attachments

  • Addition.txt
    49.4 KB · Views: 24
Last edited:

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,425
Hi,

The FRST.TXT log must be too long to be posted please attach it as you did for the Additional.txt log.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top