
Encryption of the files on my computer, all my folders, by a virus with the extensions txt and qewe. Please help me find a solution.

 

Machine translation:

File encryption of my computer all my files with a virus extension txt and qewe. please help me to have a solution

Edited by Marcos
Machine translation added
  • Administrators

Please provide:
- a handful of examples of encrypted files (ideally Office documents)
- the ransomware note with payment instructions
- logs collected with ESET Log Collector (ESET must be installed and activated).

  • Administrators

Since this is an English forum, we kindly ask you to post in English so that moderators and other users can understand you and be able to help.


Additional confirmation this is STOP ransomware:

Quote

Any files that are encrypted with newer STOP (DJVU) Ransomware variants after August 2019 will have the .coharos, .shariz, .gero, .hese, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .noos, .kuub, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .mkos, .nbes, .piny, .redl, .nosu, .kodc, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe or .mpal extension appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov). Since switching to the New STOP Djvu variants (and the release of the .gero variant) the malware developers have been consistent on using 4-letter extensions.

https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/

Extremely doubtful these files can be decrypted. Assuming you do not have a paid Eset license, go to the above linked website for additional assistance. If they can't help you, no one can.

Quote

The .qewe STOP variant is new and is currently not decryptable.

WHEN / IF Emsisoft recovers the offline key, files encrypted by that key will be recoverable.

https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/?p=4986391

Edited by itman

Correct. But the Original Poster isn't likely an Eset customer, or they wouldn't likely have their files encrypted. Eset stops most variants, at least the known ones. So either follow Marcos' advice if they're Eset customers, and can install Log Collector, or try Emsisoft. Restoring from a backup, should they have one, is the only other feasible option.


Then you may not be in luck. Decryption hasn't been very successful with this variation. Hopefully you have backups.

 

IV. Gero group (RSA)
Gero subgroup: .gero, .hese, .geno, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .noos, .kuub, .mike, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .mkos, .nbes, .piny, .redl, .kodc, .nosu, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe, .mpal

 

This is a STOP/Djvu ransomware version, but the more recent versions .gero and .hese came out not decryptable. So you need to remove Gero ransomware and then attempt to restore encrypted files using data backups. Do not contact the criminals yourself, as they may attempt to take advantage of you or continue to extort you.

  • Most Valued Members
3 hours ago, NewbyUser said:

Then you may not be in luck. Decryption hasn't been very successful with this variation. Hopefully you have backups.

 

IV. Gero group (RSA)
Gero subgroup: .gero, .hese, .geno, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .noos, .kuub, .mike, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .mkos, .nbes, .piny, .redl, .kodc, .nosu, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe, .mpal

 

This is a STOP/Djvu ransomware version, but the more recent versions .gero and .hese came out not decryptable. So you need to remove Gero ransomware and then attempt to restore encrypted files using data backups. Do not contact the criminals yourself, as they may attempt to take advantage of you or continue to extort you.

Usually people who pay the ransom get the decryption key back without any problem, but if you try to decrypt with a decryptor that isn't supported, data could get damaged, as far as I know.


Per the bleepingcomputer.com link I posted previously:

Quote

Check the OS boot drive for the SystemID/PersonalID.txt file. It contains the ID's used in the encryption.

If one of the ID's listed therein ends in 't1', at least some of your files were encrypted by the offline key.

If none of the ID's listed therein end in 't1', ALL of your files were encrypted by an online key and cannot be decrypted.

Clarifying the above.

If at least one of the ID's listed ends in "t1," an off-line key was used to encrypt some of your files. A ransomware removal site/service with effort should be able to find that key which can be used to decrypt those files. Note: this does not imply all your files can be decrypted.

If none of the ID's listed end in "t1," it is impossible to decrypt your files.

Edited by itman
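The PersonalID.txt check quoted above, as an added triage script that is not part of the thread or of any vendor tool: it reads the IDs (assumed one per line), reports whether any ends in "t1" (offline key), and flags filenames carrying one of the 4-letter Gero-subgroup extensions listed in this thread. The sample file contents are constructed.

```python
"""Triage helper for the STOP/Djvu SystemID/PersonalID.txt check (added example)."""
from pathlib import Path
from typing import Dict, List

# 4-letter extensions of the Gero subgroup as quoted in this thread.
STOP_GERO_EXTENSIONS = frozenset("""
.gero .hese .geno .xoza .seto .peta .moka .meds .kvag .domn .karl .nesa .boot .noos
.kuub .mike .reco .bora .leto .nols .werd .coot .derp .nakw .meka .toec .mosk .lokf
.peet .grod .mbed .kodg .zobm .rote .msop .hets .righ .gesd .merl .mkos .nbes .piny
.redl .kodc .nosu .reha .topi .npsg .btos .repp .alka .bboo .rooe .mmnn .ooss .mool
.nppp .rezm .lokd .foop .remk .npsk .opqz .mado .jope .mpaj .lalo .lezp .qewe .mpal
""".split())

OFFLINE_SUFFIX = "t1"  # per the quoted guidance, IDs ending in "t1" came from the offline key


def classify_ids(personal_id_text: str) -> Dict[str, List[str]]:
    """Split the IDs in PersonalID.txt into offline-key and online-key IDs.
    Assumes one ID per line; blank lines are ignored."""
    result: Dict[str, List[str]] = {"offline": [], "online": []}
    for line in personal_id_text.splitlines():
        pid = line.strip()
        if not pid:
            continue
        bucket = "offline" if pid.endswith(OFFLINE_SUFFIX) else "online"
        result[bucket].append(pid)
    return result


def verdict(personal_id_text: str) -> str:
    """Human-readable outcome of the t1 check, including the empty-file edge case."""
    ids = classify_ids(personal_id_text)
    if not ids["offline"] and not ids["online"]:
        return "no IDs found: confirm this is PersonalID.txt from the OS boot drive"
    if ids["offline"]:
        return "offline key used for some files: those may be recoverable once the key is known"
    return "all IDs are online keys: these files cannot be decrypted by a third party"


def is_stop_gero_file(filename: str) -> bool:
    """True if the file's last extension is one of the Gero-subgroup extensions."""
    return Path(filename).suffix.lower() in STOP_GERO_EXTENSIONS


# Constructed sample content, not taken from a real infection.
SAMPLE_PERSONAL_ID_TXT = "SAMPLEOFFLINEIDt1\nSAMPLEONLINEID\n"

if __name__ == "__main__":
    print(verdict(SAMPLE_PERSONAL_ID_TXT))
    for name in ("report.docx.qewe", "report.docx"):
        print(name, "->", "STOP/Djvu Gero extension" if is_stop_gero_file(name) else "not flagged")
```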
This topic is now closed to further replies.