Want to decrypt my data

Status
Not open for further replies.

Tasneem Iqbal

New Member
Thread author
Jun 8, 2021
6
My data has been encrypted by an unknown hacker. Please guide me in decrypting my data.
The notice after encryption is given below:

1623259937037.png


Best regards
 
Reactions: Nevi

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
I am Karsten and will help you with malware-related problems.

Please familiarize yourself with the following ground rules before you start.
  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.
  • Note: On weekends I might be slow to reply
-------------------------------------------------------------------

Your system has been infected by STOP/DJVU ransomware. The files of this ransomware are only decryptable in very specific circumstances, if the key server could not be reached at the time of infection.
This is not the case for you because you have an online encryption. Your files cannot be decrypted without the key.

Your options without a backup:

1) Recovery: In rare cases ransomware fails to delete shadow volume copies or fails to delete the original files properly. You can try to recover files via shadow volume copies and file recovery software.
2) Repair: Certain file types, mainly video and audio files, can possibly be repaired with tools like MediaRepair. But these files will lose some data.
3) Wait: Backup encrypted files and a ransom note and wait in case a solution comes up later. Maybe law enforcement gets hands on the keys or the criminals publish the keys as it happened with, e.g., GandCrab. I suggest reading the news on this. Emsisoft will update their decrypter if that happens.
4) Pay: There is the option of paying the criminals, but we highly recommend against this step. You will just fund later attacks. You may also pay without getting your files back. These are criminals and as such not trustworthy.

Please let me know if you want my assistance for the steps 1) and 2)
 
Reactions: upnorth and Nevi

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
1. File Recovery Software
  • Please download PhotoRec, choose Windows 64-bit from that list.
  • Right-click on the testdisk-7.1.win64.zip archive and click Extract all.
  • Now navigate into the extracted folder and run qphotorec_win.exe
  • Select your Hard Disk from the list.
  • Make sure that FAT/NTFS/HFS+/ReiserFS is selected
  • Choose a destination for your recovered files by clicking on the "Browse" button
  • Now click "Search" and the tool will start recovering. Wait for it to finish, then click Quit
You will find recovered files in the selected destination folder.
If you had any external drives encrypted, you may try the same on them.

2. Shadow Explorer
  • Please download Shadow Explorer
  • Right-click on the Shadow Explorer archive, click Extract all.. and confirm to extract the files
  • In the extracted folder, double-click on ShadowExplorerPortable.exe to run the program
  • Now you can see previous versions of the files on the system. Make sure the correct drive letter is selected (usually "C:" )
  • There is a date on the upper bar. Check if there is a date available that was before the ransomware attack. If the date isn't available, you don't have any shadow volume copies from before and recovery is not possible.
  • Within Shadow Explorer, navigate to files or folders you want to recover
  • To recover: Right-click and click Export... then choose a folder to save the files to and click OK

3. Media Repair
The tool can repair 6 file types: MP3, WAV, MP4, MOV, M4V, 3GP
If you have such files encrypted by STOP ransomware, download and run MediaRepair.

For most file types, you need a reference file, that is a non-encrypted file of the same file format as the encrypted ones. Video files will need this reference file. File types like MP3 do not need one.
  1. Run MediaRepair.
  2. Select a file type
  3. Navigate to the folder with your encrypted files.
  4. Now select one of your encrypted files and click on the Test button to check if the file can be repaired (see image below to find the button)
    • Note: If the program tells you at this point that it cannot repair these files, abort and continue with another file type.
  5. Now select a reference file that is not encrypted and has the same file type and click on the Select Reference button (see image below).
    • Note: If you have several reference files, prefer the smallest.
  6. Select the encrypted files you want to repair and click on the Play button (below the file types) to start repair.
  7. Now wait for the program to finish.
  8. Navigate to your encrypted files, you should find a folder named FIXED in there. This folder contains your repaired files.

media_repair_btns.png


Let me know if any of this works for you
 
Reactions: upnorth and Nevi

Tasneem Iqbal

New Member
Thread author
Jun 8, 2021
6
Dear Karsten!
Your suggested recovery measures did not work; only the PhotoRec application worked and recovered files, as mentioned in the notice:

1623394075626.png

But I do not know how they will be opened and on which medium. Please help!


regards
 
Reactions: Nevi

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Those seem to be shockwave flash files. These aren't supported by browsers anymore. It's probably something your browser had in the cache at some point.
I am sorry it didn't work for you.
 
Reactions: Nevi

Tasneem Iqbal

New Member
Thread author
Jun 8, 2021
6
Now what should I do? Is it impossible to somehow recover my data?
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
I am sorry, but there is nothing we can do at this point. The only people who can decrypt your files are the criminals and those aren't trustworthy. They might as well just take your money and leave.
 

Tasneem Iqbal

New Member
Thread author
Jun 8, 2021
6
So sad...... ok now please give me some suggestions or recommendations to secure my data in future from this hacking.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
STOP ransomware commonly arrives with bad software downloads, in most cases these are cracks, game cheats, patches, keygens. So to avoid this ransomware specifically, it is best to not use illegal programs.

The best strategy to avoid ransomware having a leverage on your files is the creation of regular backups, e.g., to an external drive that is not always attached to the system.

Below is a list of general infection prevention tips for all kinds of malware:
  • Keep your programs always up-to-date, including the operating system, browsers, email programmes, everything that you use to interact with the web, and also your antivirus suite.
  • Use exactly one antivirus suite. Several will get in the way of each other, fight for resources, and potentially detect each other as malicious due to the way antivirus has to monitor the system.
  • Use browser plugins that prevent ads (aka adblockers) and execution of scripts, e.g., NoScript.
  • Be careful with email attachments and links. Those can potentially contain malware or lead to phishing sites.
  • Avoid using P2P software. This software is sharing files with lots of other computers. Infected files, especially worms, thrive in this environment.
  • Enable the display of file extensions in File Explorer, so that you can recognize double extensions. These are used by malware to trick you into executing their files, e.g. my_great_movie.mp4.exe
Do you have any remaining questions?
 
Reactions: Nevi and upnorth
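
Added example (not part of the post above and not a MalwareTips tool): the double-extension tip can be checked automatically across a downloads folder. The extension lists and the function names `double_extension`, `flag_names` and `scan` are assumptions chosen for illustration; the sample names are constructed.

```python
import os

# Assumed lists for illustration; extend them for your own environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".js", ".vbs", ".lnk", ".msi"}
DECOY_EXTS = {".mp4", ".mp3", ".avi", ".mkv", ".jpg", ".png", ".pdf",
              ".doc", ".docx", ".xls", ".xlsx", ".txt", ".zip"}

def double_extension(filename):
    """Return (decoy_ext, real_ext) if a harmless-looking extension is
    followed by an executable one, otherwise None."""
    # Windows ignores trailing dots and spaces, and extensions are
    # case-insensitive, so normalise before comparing.
    cleaned = filename.rstrip(". ").lower()
    # Padding spaces between the two extensions are stripped per part.
    parts = [p.strip() for p in cleaned.split(".")]
    if len(parts) < 3:
        return None  # fewer than two extensions
    decoy, real = "." + parts[-2], "." + parts[-1]
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None

def flag_names(names):
    """Filter a list of file names down to the suspicious ones."""
    return [n for n in names if double_extension(n)]

def scan(root):
    """Walk a folder and return (path, decoy_ext, real_ext) for each hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found = double_extension(name)
            if found:
                hits.append((os.path.join(dirpath, name), *found))
    return sorted(hits)

# Constructed sample names, not taken from the thread's system.
SAMPLE_NAMES = ["my_great_movie.mp4.exe", "holiday.jpg", "setup.exe",
                "archive.tar.gz", "Invoice.PDF      .scr", "report.v2.docx"]

if __name__ == "__main__":
    for name in flag_names(SAMPLE_NAMES):
        print("suspicious:", name, double_extension(name))
```

A plain `setup.exe` is not flagged because it does not disguise its type; the check only reports names where the visible extension would differ once Explorer hides the last one.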

Tasneem Iqbal

New Member
Thread author
Jun 8, 2021
6
Thanks a lot, Sir. God bless you.
 