.STOP ransomware

Status
Not open for further replies.

Yseurk

Level 1
Thread author
Aug 28, 2022
10
Hello,

A friend of mine has been infected by a ransomware but I can't find any information about it on the Internet.

I heard a lot about STOP/DJVU ransomware, but I don't know if this one is really related to this family or not.

I tried online sources (Emsisoft, NoMoreRansom, Avast, etc.), but none of them seem to know this file extension.

I'm mainly looking for information, and to know if there is a way to decrypt the files. I'm familiar with IT and security in general, and sorry for my English, I'm French 😓

An example: producteur.txt.stoponionmail.com.idRP6SdVt.stop

I ran the Emsisoft Decryptor for STOP/DJVU, and it's still on "Starting ..." after 10 minutes for 1 file.

I also have a WeTransfer link if someone wants the encrypted file (no sensitive info inside). Could it be useful to share the ransom note too?

Thanks for your time fellows 😋

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Hello Yseurk,

Welcome to MT. This is no typical extension for STOP/DJVU ransomware but seems like something else. Can you please provide a ransom note and an encrypted file?

Karsten

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Thank you. I got the files and you can delete them from the post again, if you want to.

This ransomware did not directly encrypt the files but put them into a password protected ZIP archive. That means all encrypted files are actually ZIP archives.

I highly recommend that you try to retrieve the malware binary from the system that was infected. It must contain the archive password. If you are lucky, the ransomware used only one password for all of the archived files. If you can get the malware binary somehow, please provide it for analysis. You can, e.g., upload it to VirusTotal and post the link here. I will retrieve it from VirusTotal for inspection. From your posts on other sites you seem to know your way around FRST, so you will probably be able to find the binary without my assistance.

Alternatively you can try a password bruteforce tool for ZIP archives.
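As an added example (not part of the thread, and not a tool from the poster), here is a Python script for the two checks Karsten describes: confirm that the "encrypted" file is really a ZIP archive and which entries are password-protected, then try a list of candidate passwords such as strings pulled from the recovered binary. The file name, password and contents are constructed; Python's zipfile only handles ZipCrypto, so AES-encrypted entries (method 99) cannot be tested this way.

```python
import os, pathlib, struct, tempfile, zipfile, zlib
def inspect_archive(path):
    """Return (is_zip, [(name, encrypted, method)]); method 99 is WinZip AES, which zipfile cannot decrypt."""
    with open(path, "rb") as fh:
        if fh.read(4) != b"PK\x03\x04":  # ZIP local file header signature
            return False, []
    with zipfile.ZipFile(path) as zf:
        return True, [(i.filename, bool(i.flag_bits & 1), i.compress_type) for i in zf.infolist()]

def find_password(path, candidates):
    """Return the first candidate that opens the first encrypted entry, b"" if nothing is encrypted, else None."""
    with zipfile.ZipFile(path) as zf:
        encrypted = [i for i in zf.infolist() if i.flag_bits & 1]
        if not encrypted:
            return b""
        for pwd in candidates:  # e.g. strings pulled from the suspected binary
            try:
                with zf.open(encrypted[0], pwd=pwd) as fh:
                    fh.read()  # read to the end so the CRC check runs as well
                return pwd
            except (RuntimeError, zipfile.BadZipFile):  # bad password, or CRC mismatch on a lucky check byte
                continue

# Constructed test fixture: zipfile reads but cannot write encrypted entries, so a one-entry
# ZipCrypto (traditional PKWARE) archive is built by hand with the APPNOTE key schedule.
def _zipcrypto(data, pwd, crc):
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(c):  # zlib.crc32 pre/post-inverts, so undo that to get the raw table update
        k[0] = ~zlib.crc32(bytes([c]), ~k[0] & 0xFFFFFFFF) & 0xFFFFFFFF
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = ~zlib.crc32(bytes([k[1] >> 24]), ~k[2] & 0xFFFFFFFF) & 0xFFFFFFFF
    for c in pwd: update(c)
    out = bytearray()
    for c in os.urandom(11) + bytes([crc >> 24]) + data:  # 12-byte header ends with the CRC check byte
        t = k[2] | 2
        out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(c)
    return bytes(out)

def build_encrypted_zip(path, name, data, pwd):
    crc, body = zlib.crc32(data), _zipcrypto(data, pwd, zlib.crc32(data))
    lh = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21, crc, len(body), len(data), len(name), 0) + name
    cd = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21, crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cd), len(lh) + len(body), 0)
    pathlib.Path(path).write_bytes(lh + body + cd + eocd)

def demo():
    sample = os.path.join(tempfile.mkdtemp(), "producteur.txt.stop")  # constructed stand-in name
    build_encrypted_zip(sample, b"producteur.txt", b"constructed victim data", b"hunter2")
    return inspect_archive(sample), find_password(sample, [b"wrong", b"hunter2"])
```

On a real case, point `inspect_archive` at one of the renamed files first; if it reports method 99 or no ZIP signature at all, a different tool (or a different theory about the encryption) is needed before any password search makes sense.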
 

Yseurk

Level 1
Thread author
Aug 28, 2022
10
Thanks for your answer. I asked the person but didn't get any reply for the time being; I'll try what you proposed and share the source if I can.

I'll keep the thread open 1-2 weeks, and will close it if the person doesn't respond to me.
 

Yseurk

Level 1
Thread author
Aug 28, 2022
10
Hello,

For your information, the person told me that he opened a port on his router to allow him to use RDP from his office to his home, and that's probably how he has been hacked. He's familiar with IT but he's not a professional, and opened port 3389 worldwide ... His computer was on Windows 10 1903, and the hacker also tried to encrypt his NAS; however the script seemed not able to empty the recycle bin on the NAS, so the files have been restored on the NAS.

The only thing I found was a folder named "WinRAR" that looks suspicious because it was created just before the encryption started, and WinRAR was not installed on the computer; the person told me he uses 7-Zip instead of WinRAR. The folder only contained a file named "version.dat". I'll take a look at it but don't expect that much.

I told him that without the source file I can't do anything; besides, the hacker seems to know what he does and I don't really think that he used a weak password for the archive files ... and I didn't find any indicator of compromise on his computer, except this "WinRAR" folder.

The last advice I gave to the person was to store the disks where the files are encrypted for later, and to file a claim in case the hacker is found and the keys can be retrieved.

Thanks for your help guys :) I like this place, I think I'm gonna spend more time with you, I'm sure I have lot of things to learn from you :)
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Thank you for the update, Yseurk. I am glad some of the files could be recovered. It is possible that there was no malware involved here and the hacker just used LOLBins to encrypt the files.
I wouldn't count on them using a strong password. If the attacker did not think of cleaning the recycle bin on the NAS, other options might also still be available.
You can also try the usual recovery options: shadow volume copies and file recovery tools. I am leaving instructions below.

1. File Recovery Software
  • Please download PhotoRec, choose Windows 64-bit from that list.
  • Right-click on the testdisk-7.1.win64.zip archive and click Extract all.
  • Now navigate into the extracted folder and run qphotorec_win.exe
  • Select your Hard Disk from the list.
  • Make sure that FAT/NTFS/HFS+/ReiserFS is selected
  • Choose a destination for your recovered files by clicking on the "Browse" button
  • Now click "Search" and the tool will start recovering. Wait for it to finish, then click Quit
You will find recovered files in the selected destination folder.
If you had any external drives encrypted, you may try the same on them.

2. Shadow Explorer
  • Please download Shadow Explorer
  • Right-click on the Shadow Explorer archive, click Extract all... and confirm to extract the files
  • In the extracted folder, double-click on ShadowExplorerPortable.exe to run the program
  • Now you can see previous versions of the files on the system. Make sure the correct drive letter is selected (usually "C:")
  • There is a date on the upper bar. Check if there is a date available that was before the ransomware attack. If the date isn't available, you don't have any shadow volume copies from before and recovery is not possible.
  • Within Shadow Explorer, navigate to files or folders you want to recover
  • To recover: Right-click and click Export..., then choose a folder to save the files to and click OK