

I got ransomware .cdxx attacked! (STOP Djvu)


  • This topic is locked
1 reply to this topic

#1 viethtse06141

viethtse06141

  • Members
  • 1 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 28 February 2024 - 03:01 AM

Hello guys! I was attacked by ransomware after downloading and opening a cracked video editing software.
 
Mod Edit by quietman7: Removed link(s) to possible malware...see here
 
_Readme.txt:
ATTENTION!
 
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $1999.
Discount 50% available if you contact us first 72 hours, that's price for you is $999.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
 
 
To get this software you need write on our e-mail:
support@freshingmail.top
 
Reserve e-mail address to contact us:
datarestorehelpyou@airmail.cc
 
Your personal ID:
0847ASdwtfpDQfmDPvWsQ3uLXSCMfXlyduJVsbYDfbgxsoCd
 
After that, I got a note: my computer was hacked, ... payment of about $1999 for file decryption, and all my files have the .cdxx extension.
(I reset Windows and used AdwCleaner to clean the virus after that.)
 
 
Then I tried Emsisoft to decrypt my files, but it returns:
"Error: No key for New Variant online ID: tfpDQfmDPvWsQ3uLXSCMfXlyduJVsbYDfbgxsoCd
  Notice: this ID appears to be an online ID, decryption is impossible"
 
Most of my files are JPG, PNG and MP4.
I tried some software to solve it like PhotoRec, video repair tool, ShadowExplorer, Stellar Data Recovery, ... but my files after decryption are corrupted.
 
Can anyone help me please?
Thanks a lot!

Edited by quietman7, 28 February 2024 - 11:54 AM.



 


#2 quietman7

quietman7

    Bleepin' Gumshoe


  • Global Moderator
  • 61,818 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:07 AM

Posted 28 February 2024 - 09:30 AM

Please do not post active links to possible malware (malicious files), including links which may lead to sites where infections have been contracted and spread. If it is malicious, we don't want other members accidentally clicking on such links and infecting their machines. All such links will be removed to protect other members reading our forum topics.
 
Samples of any suspicious executables (installer, malicious files) that you suspect were involved in causing the infection can be submitted (uploaded) to VirusTotal for analysis; then provide a link to the results. This is the safest way of sharing malware since only vetted researchers can access it. Doing that may be helpful with analyzing, investigating and identifying the ransomware, and possibly finding a flaw which could be useful for decryption of encrypted data.
 

Using pirated software, fake/illegal activators for Windows & Office, torrents, keygens and other cracked software is a serious security risk (unsafe practice) which can make your system susceptible to a smörgåsbord of malware infections including ransomware resulting in the encryption of all your most valuable data, in many cases beyond recovery as explained here (Post #11).

 

 
 
You are dealing with a newer variant of STOP (Djvu) Ransomware as explained here by Amigo-A (Andrew Ivanov). Since switching to the new STOP Djvu variants (and the release of .gero) the malware developers have been consistent on using 4-letter extensions.
 
The .djvu* and newer variants will leave ransom notes named _openme.txt, _open_.txt or _readme.txt
 
Please read the first page of the STOP (Djvu) Ransomware Support Topic for a summary of this infection, its variants, any updates and possible decryption solutions using the Emsisoft STOP Djvu Decryptor. See Post #2 for tools (JpegMedic ARWE, Media_Repair) which can be used to partially repair (not decrypt) JPEG and audio/video files (WAV, MP3, MP4, M4V, MOV, 3GP) partially encrypted by ransomware.
 
In regards to new variants of STOP (Djvu) Ransomware...decryption of data requires an OFFLINE ID with corresponding private key. Emsisoft can only get a private key for OFFLINE IDs AFTER a victim has PAID the ransom, receives a key and provides it to them so the key can be added to their database.
 
If infected with an ONLINE KEY, decryption is impossible without the victim’s specific private key. ONLINE KEYS are unique for each victim and randomly generated in a secure manner with unbreakable encryption. Emsisoft cannot help decrypt files encrypted with the ONLINE KEY due to the type of encryption used by the criminals and the fact that there is no way to gain access to the criminal's command server and retrieve this KEY. ONLINE ID's for new STOP (Djvu) variants are not supported by the Emsisoft Decryptor.
 
The Emsisoft Decryptor will also tell you if your files are decryptable, whether you're dealing with an "old" or "new" variant of STOP/Djvu, and whether your ID is ONLINE or OFFLINE.
 
If you run the Emsisoft Decryptor for a new variant with an ONLINE ID, the decryptor will indicate there is "no key" under the Results Tab and note it is impossible to decrypt.

Error: No key for New Variant online ID ***************************
Notice: this ID appears to be an online ID. decryption is impossible

That means for now, if your files were encrypted with an ONLINE KEY, the only other alternative to paying the ransom, is to backup/save your encrypted data as is and wait for a possible future solution.
 

** If there is no OFFLINE ID for the variant you are dealing with, we cannot help you unless a private key is retrieved and provided to Emsisoft. Thereafter, any files encrypted by the OFFLINE KEY for that variant can be recovered using the Emsisoft Decryptor. There is no timetable for when or if a private key for an OFFLINE ID will be recovered and shared with Emsisoft and no announcement by Emsisoft when they are recovered. That means victims should keep reading the support topic for updates or run the decryptor on a test sample of encrypted files every week or two to check if Emsisoft has been able to obtain and add the private key for the specific variant which encrypted your data.

 

However, at this point it appears Emsisoft has discontinued development and stopped all support of the decryptor.

  
** If an OFFLINE ID is available for the variant you are dealing with and your files were not decrypted by Emsisoft Decryptor, then you most likely were encrypted by an ONLINE KEY and those files are not recoverable (cannot be decrypted) unless you pay the ransom to the criminals and receive the private key. 
 
You need to post any questions in the above support topic. If you have followed those instructions and need further assistance, then you still need to ask for help in that support topic.
 
Rather than have everyone with individual topics and to avoid unnecessary confusion, this topic is closed.
 
Thanks
The BC Staff


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

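An added triage helper, written for this thread and not code from BleepingComputer or Emsisoft, that applies the points in the reply above: it parses the quoted _readme.txt for the contact addresses and personal ID, checks that the ID the decryptor reported is the trailing part of the note's ID (as it is in this thread; treating that as a general rule is an assumption), and sorts encrypted file names by which partial-repair tool from Post #2 applies. NOTE_NAMES, JPEG_REPAIR, MEDIA_REPAIR and the sample note are constructed here.

```python
import re

# Ransom-note names and partially repairable formats listed in the moderator's reply.
NOTE_NAMES = {"_readme.txt", "_openme.txt", "_open_.txt"}
JPEG_REPAIR = {".jpg", ".jpeg"}                                  # JpegMedic ARWE
MEDIA_REPAIR = {".wav", ".mp3", ".mp4", ".m4v", ".mov", ".3gp"}  # Media_Repair

# Constructed sample: an abbreviated copy of the note quoted in the first post.
SAMPLE_NOTE = """ATTENTION!
To get this software you need write on our e-mail:
support@freshingmail.top
Reserve e-mail address to contact us:
datarestorehelpyou@airmail.cc
Your personal ID:
0847ASdwtfpDQfmDPvWsQ3uLXSCMfXlyduJVsbYDfbgxsoCd
"""

def parse_note(text):
    """Extract contact e-mails and the personal ID from a STOP/Djvu _readme.txt."""
    emails = re.findall(r"[\w.+-]+@[\w.-]+\.\w+", text)
    m = re.search(r"Your personal ID:\s*([A-Za-z0-9]+)", text)
    return {"emails": emails, "personal_id": m.group(1) if m else None}

def ids_agree(personal_id, decryptor_id):
    """In this thread the decryptor's online ID is the last 40 characters of the
    48-character note ID. Assumption: that suffix relation holds in general."""
    return len(decryptor_id) == 40 and personal_id.endswith(decryptor_id)

def classify(paths, ext=".cdxx"):
    """Group file names into ransom notes, encrypted files by original type, and the rest.
    Assumes the ransomware appended `ext` to the original name (photo.jpg -> photo.jpg.cdxx)."""
    groups = {"notes": [], "jpeg_repair": [], "media_repair": [], "no_tool": [], "other": []}
    for p in paths:
        low = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if low in NOTE_NAMES:
            groups["notes"].append(p)
        elif low.endswith(ext):
            original = low[: -len(ext)]                      # strip the appended extension
            orig_ext = "." + original.rsplit(".", 1)[-1] if "." in original else ""
            if orig_ext in JPEG_REPAIR:
                groups["jpeg_repair"].append(p)
            elif orig_ext in MEDIA_REPAIR:
                groups["media_repair"].append(p)
            else:
                groups["no_tool"].append(p)                  # e.g. PNG: no repair tool listed
        else:
            groups["other"].append(p)
    return groups
```

Run `classify` over a listing of the affected folders to see how many files each repair tool could address before spending time on them; PNG files fall into `no_tool`.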




