mourad, Posted May 3, 2020 (edited)

(Translated from French:) Encryption of the files on my computer, all my folders, by a virus with the extensions txt and qewe. Please help me find a solution.

Machine translation: File encryption of my computer all my files with a virus extension txt and qewe. please help me to have a solution

Edited May 3, 2020 by Marcos: machine translation added
Marcos (Administrators), Posted May 3, 2020

Please provide:
- a handful of examples of encrypted files (ideally Office documents)
- the ransomware note with payment instructions
- logs collected with ESET Log Collector (ESET must be installed and activated).
itman, Posted May 3, 2020

This is DJVU, aka STOP ransomware. Based on what is posted here: https://geeksadvice.com/remove-djvu-ransomware-virus/ , the available decrypter won't work against .qewe file extension variants.
mourad (Author), Posted May 3, 2020 (edited)

All my files on my computer are encrypted by a virus, extension txt and qwew. Please help me.

Edited May 3, 2020 by mourad
Marcos (Administrators), Posted May 3, 2020

Since this is an English forum, we kindly ask you to post in English so that moderators and other users can understand you and be able to help.
itman, Posted May 3, 2020

Additional confirmation this is STOP ransomware:

Quote:
    Any files that are encrypted with newer STOP (DJVU) Ransomware variants after August 2019 will have the .coharos, .shariz, .gero, .hese, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .noos, .kuub, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .mkos, .nbes, .piny, .redl, .nosu, .kodc, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe or .mpal extension appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov). Since switching to the New STOP Djvu variants (and the release of the .gero variant) the malware developers have been consistent on using 4-letter extensions.

https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/

Extremely doubtful these files can be decrypted. Assuming you do not have a paid Eset license, go to the above linked website for additional assistance. If they can't help you, no one can.
NewbyUser (ESET Insiders), Posted May 3, 2020

Try here: https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
itman, Posted May 3, 2020 (edited)

Quote:
    The .qewe STOP variant is new and is currently not decryptable. WHEN / IF Emsisoft recovers the offline key, files encrypted by that key will be recoverable.

https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/?p=4986391

Edited May 3, 2020 by itman
NewbyUser (ESET Insiders), Posted May 3, 2020

Correct. But the Original Poster isn't likely an Eset customer, or they wouldn't likely have their files encrypted. Eset stops most variants, at least the known ones. So either follow Marcos' advice if they're Eset customers, and can install Log Collector, or try Emsisoft. Restoring from a backup, should they have one, is the only other feasible option.
mourad (Author), Posted May 4, 2020

Thank you a lot. I will try your solutions and afterwards we will discuss.
mourad (Author), Posted May 4, 2020

virus redame.txt.qewe
NewbyUser (ESET Insiders), Posted May 4, 2020

Then you may not be in luck. Decryption hasn't been very successful with this variation. Hopefully you have backups.

Quote:
    IV. Gero group (RSA). Gero subgroup: .gero, .hese, .geno, .xoza, .seto, .peta, .moka, .meds, .kvag, .domn, .karl, .nesa, .boot, .noos, .kuub, .mike, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .mkos, .nbes, .piny, .redl, .kodc, .nosu, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe, .mpal

    This is a STOP/Djvu ransomware version, but the more recent versions .gero and .hese came out not decryptable. So you need to remove Gero ransomware and then attempt to restore encrypted files using data backups. Do not contact the criminals yourself, as they may attempt to take advantage of you or continue to extort you.
Nightowl (Most Valued Members), Posted May 4, 2020

3 hours ago, NewbyUser said:
    Then you may not be in luck. Decryption hasn't been very successful with this variation. Hopefully you have backups. [...] So you need to remove Gero ransomware and then attempt to restore encrypted files using data backups. Do not contact the criminals yourself, as they may attempt to take advantage of you or continue to extort you.

Usually, people who pay the ransom get the decryption key back without any problem, but in any case, if you try to decrypt with a decryptor that isn't supported, data could get damaged as far as I know.
itman, Posted May 4, 2020 (edited)

Per the bleepingcomputer.com link I posted previously:

Quote:
    Check the OS boot drive for the SystemID/PersonalID.txt file. It contains the ID's used in the encryption. If one of the ID's listed therein ends in 't1', at least some of your files were encrypted by the offline key. If none of the ID's listed therein end in 't1', ALL of your files were encrypted by an online key and cannot be decrypted.

Clarifying the above. If at least one of the ID's listed ends in "t1," an off-line key was used to encrypt some of your files. A ransomware removal site/service with effort should be able to find that key which can be used to decrypt those files. Note: this does not imply all your files can be decrypted. If none of the ID's listed end in "t1," it is impossible to decrypt your files.

Edited May 4, 2020 by itman
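The two triage steps the thread describes (inventorying files carrying a STOP/Djvu extension from the list quoted earlier, and reading SystemID/PersonalID.txt to see whether any ID ends in "t1") can be scripted so the scope of the incident and the offline/online-key question are settled before any recovery attempt. The script below is an added example written for this thread; it is not code from ESET, Emsisoft, BleepingComputer or any poster. The extension subset, the sample directory layout and the ID strings are constructed for the demonstration, and the "t1" rule is applied exactly as quoted above.

```python
"""Triage helper for a STOP/Djvu-style ransomware incident (added example).

Two checks the thread describes, run against a constructed sample incident:
  1. Walk a tree and count files per known STOP/Djvu extension (subset of the
     list quoted in the thread) so the scope of the encryption is known.
  2. Parse SystemID/PersonalID.txt and report whether any ID ends in "t1",
     which the thread says marks files encrypted under the offline key.
"""
import tempfile
from pathlib import Path

# Subset of the extension list quoted in the thread (chosen for the demo).
STOP_DJVU_EXTENSIONS = {".qewe", ".mpal", ".lezp", ".lalo", ".gero", ".hese"}


def classify_ids(personal_id_text):
    """Split the PersonalID.txt contents into (offline_ids, online_ids).

    Per the quoted guidance, an ID ending in 't1' means the offline key was used;
    any other ID is treated as an online (attacker-held) key.
    """
    ids = [line.strip() for line in personal_id_text.splitlines() if line.strip()]
    offline = [i for i in ids if i.endswith("t1")]
    online = [i for i in ids if not i.endswith("t1")]
    return offline, online


def inventory_encrypted_files(root):
    """Return {extension: [paths]} for files whose final suffix is a known
    STOP/Djvu extension. The original name (e.g. report.docx) is kept in front
    of the appended extension, which is why only the last suffix is checked."""
    found = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in STOP_DJVU_EXTENSIONS:
            found.setdefault(path.suffix.lower(), []).append(str(path))
    return found


def triage_report(root, personal_id_text):
    """Combine both checks into one dict; 'verdict' is the recovery outlook."""
    offline, online = classify_ids(personal_id_text)
    files = inventory_encrypted_files(root)
    if offline and not online:
        verdict = "offline key only: files may be recoverable if that key is obtained"
    elif offline:
        verdict = "mixed: only files encrypted under the offline key(s) could be recoverable"
    else:
        verdict = "online key only: decryption not possible; restore from backup"
    return {
        "offline_ids": offline,
        "online_ids": online,
        "encrypted_files": {ext: len(paths) for ext, paths in files.items()},
        "verdict": verdict,
    }


def build_sample_incident():
    """Create a constructed sample directory resembling the OP's description
    and constructed ID strings (not real STOP/Djvu IDs). Returns (root, id_text)."""
    root = tempfile.mkdtemp(prefix="djvu_demo_")
    for name in ["redame.txt.qewe", "docs/report.docx.qewe",
                 "photos/a.jpg.qewe", "notes.txt"]:
        p = Path(root) / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00" * 16)  # placeholder content
    id_text = "0123456789abcdefABCDEFt1\nfedcba9876543210abcdefgh\n"
    return root, id_text


if __name__ == "__main__":
    sample_root, sample_ids = build_sample_incident()
    for key, value in triage_report(sample_root, sample_ids).items():
        print(f"{key}: {value}")
```

On a real machine the root would be the affected drive and the ID text would be read from the SystemID/PersonalID.txt file on the boot drive; the script never modifies anything and never tries to decrypt, which matches Nightowl's caution that an unsupported decryptor can damage data.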