โปรแกรมถอดรหัส Ransomware อัพเดตล่าสุด 2019 โปรแกรมชื่อ STOPDecrypter
ดาว์นโหลดได้ที่ STOPDecrypter v188.8.131.52 with more OFFLINE keys.
บริการปรึกษา กู้ข้อมูล ป้องกัน กรณี Ransomware ติดต่อ โทร 0635525296 ไลน์ a.andaman
OFFLINE ID: ljT0FEceXZLV8Gyhp3cCAcKbq8v85tmqMgqrVCt2
OFFLINE ID: faLqfTl9yJBMMKsPhAv8WKbIdsFgqRtco70kHSt1
OFFLINE ID: 7wlgj03aBeU43xA1mJMBMvyvGs6wERcrV31xRrt1
OFFLINE ID: 61K3jGfHzi5nWYLCgt3ZT7zGffHm0DNV9TGbdit1
OFFLINE ID: bDDtqPBV1xkOfMNIpmkdcyeVXG71BNezzpQwsKt1
This topic is the primary support topic for assistance with STOP (DJVU) Ransomware. It includes an updated summary of this infection, it’s variants and possible decryption solutions with instructions (including what to do if the STOPDecrypter does not work).
Any files that are encrypted with STOP (DJVU) Ransomware will have the .STOP, .SUSPENDED, .WAITING, .PAUSA, .CONTACTUS, .DATASTOP, .STOPDATA, .KEYPASS, .WHY, .SAVEfiles, .DATAWAIT, .INFOWAIT, .puma, .pumax, .pumas, .shadow, .djvu, .djvuu, .udjvu, .djvuq, .uudjvu, .djvus, .djvur, .djvut .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promock, .promoks, .promorad, .promok, .promorad2, .kroput, .kroput1, .charck, .pulsar1, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat,.roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .verasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .forasom, .berost, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidon, .heroset, .myskle, .boston, .muslat, .gerosan, ,vesad, .horon, .neras, .truke, .dalle or .lotep, .nusar, .litar or .besub extension appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov).
STOP Ransomware will leave files (ransom notes) named !!!YourDataRestore!!!.txt, !!!RestoreProcess!!!.txt, !!!INFO_RESTORE!!!.txt, !!RESTORE!!!.txt, !!!!RESTORE_FILES!!!.txt, !!!DATA_RESTORE!!!.txt, !!!RESTORE_DATA!!!.txt, !!!KEYPASS_DECRYPTION_INFO!!!.txt, !!!WHY_MY_FILES_NOT_OPEN!!!.txt, !!!SAVE_FILES_INFO!!!.txt, !readme.txt, _openme.txt, _readme.txt, _open_.txt.
***IMPORTANT: @ ALL VICTIMS….
- Before asking questions not answered below, PLEASE READ these Frequently Asked Questions (FAQs).
- If the answer to your question is in the FAQs, there is no reason to ask it again in your posting or via a PM.
Please be patient. Demonslay335, like all Staff members, Security Colleagues and Security Experts, is a volunteer who assists members as time permits. He is inundated with numerous support requests and it may take some time to get a reply. Although he tries, Demonslay335 cannot possibly answer everyone individually or immediately but he is still actively involved with helping victims. If you already have posted your information in this topic or sent Demonslay335 a PM with it, there is no need to do it again. If you have not heard back from Demonslay335, that means he recorded your information but cannot help you with decryption at the moment. Post #1166.
We are trying to help in the background….I cannot answer everyone individually. There is literally nothing further I can do with this ransomware but archive the information requested from victims, and move on. If you don’t hear from me, then I likely just recorded your info and moved on. If you do hear from me, it will only be if you didn’t supply proper info, or if I have “good” news far in the future. I’m not going to sit here and reply to the topic every single time someone posts their info just to say “I archived your case”. If you posted in this topic, or PM’d me and see I’ve read the PM, then I’ve archived your case.
Dr.Web may be able to help decrypt some earlier UPPERCASE variants of STOP Ransomware (i.e. .STOP, .KEYPASS, .DATAWAIT, .INFOWAIT, etc)…see these instructions by Emmanuel_ADC-Soft. Please be aware that Dr.Web cannot decrypt other STOP (DJVU) Ransomware variants.
Demonslay335 (aka Michael Gillespie) released a free decryption tool (STOPDecrypter) for victims of the .puma, .pumas and .pumax variants. The decrypter includes a BruteForcer only for .puma based variants which use XOR encryption, a simple symmetric cipher that is relatively easy to break. The decrypter tool requires victims to provide an encrypted and original file pair greater than 150KB.
- STOPDecrypter v184.108.40.206 <- current version & authorized download link which never changes
Note: STOPDecrypter should be run as an Administrator from the Desktop.
01/17/19: STOPDecrypter updated to include decryption support for the .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet). if you were hit by the OFFLINE KEY as explained in Post #305. STOPDecrypter will check the filemarker at the end of files so it can support future extensions not previously reported. A list of all supported extensions is provided in the About section. Victims of the .djvu* variants need to provide their ransom note, personal ID in the ransom note, MAC (physical) Address of the infected computer and an encrypted and original file pair…follow these instructions. You can use a third-party sharing site (Google Drive, OneDrive, DropBox SendSpace) to send the file pair and provide a link in your PM. If you are unable to contact anyone via PM, then just post the required information in this support topic.
01/21/19: STOPDecrypter updated to include support for the .rumba variant and the new encrypted file format if you were hit by the OFFLINE KEY as explained in Post #451. Victims of the .rumba variant who have NOT already posted their info in this support topic, grab the information STOPDecrypter gives and copy/paste it in a PM as explained in Post #467. We DO NOT need encrypted & original file pairs for this or newer variants. If we find a way to use such pairs, we will ask for them on an individual basis.
02/23/19: STOPDecrypter updated to include support for the .promos variant if you were hit by the OFFLINE KEY as explained in Post #1094. The OFFLINE KEY is still the same as for the .djvu* variants, but they changed the underlying key for this extension only.
03/07/19: STOPDecrypter updated to include support with new OFFLINE KEYS for the following variants as explained in Post #1200.
.promoz, .promock, .promorad, .promok
03/11/19: STOPDecrypter updated to include support with a new OFFLINE KEY for the following variant as explained in Post #1251.
03/13/19: STOPDecrypter updated to include support with a new OFFLINE KEY for the following variant as explained in Post #1305.
03/25/19: STOPDecrypter updated to include support with new OFFLINE KEYS for the following variants as explained in Post #1482.
.kroput1, .charck, .kropun, .doples, .luces, .luceq, .chech, .pulsar1, .proden
03/28/19: STOPDecrypter updated to include support with new OFFLINE KEYS for the following variants as explained in Post #1580.
.drume, .tronas, .trosak, .grovas
04/0919: STOPDecrypter updated to include support with new OFFLINE KEYS for the following variants as explained in Post #1759.
.grovat, .raldug, .roland
04/27/19: STOPDecrypter updated to include support with new OFFLINE KEYS for the following variants as explained in Post #2160.
.etols, .guvara, .norvas, .moresa, .verasto, .hrosas
05/01/19: STOPDecrypter updated to include support with new OFFLINE KEYSs for the following variants as explained in Post #2364.
05/07/19: STOPDecrypter updated to include support with new OFFLINE KEYS for the following variants as explained in Post #2664.
.roldat, .dutan, .sarut, .forasom, .berost
05/17/19: STOPDecrypter updated to include support with new OFFLINE KEYS for the following variants as explained in Post #3042.
.shadow, .fordan, .codnat, .dotmap
05/23/19: STOPDecrypter updated to include support with new OFFLINE KEYS for the following variants as explained in Post #3268.
.ferosas, .rectot and added support for .INFOWAIT (a much older variant)…check the README.txt for details on that extension
05/30/19: STOPDecrypter updated to include support with new OFFLINE KEYS for the following variants as explained in Post #3450.
.skymap, .mogera, .rezuc.
STOPDecrypter supports and will only attempt to decrypt files if they were encrypted by one of the known STOP (DJVU) OFFLINE KEY’sretrieved by Demonslay335 and embedded in his decrypter (or one you provide with a key). The OFFLINE KEY is a hard-coded key that is used if the malware failed to get an ONLINE KEY from it’s command and control servers while you were online at the time the ransomware encrypted your files.
If the malware is able to reach it’s command server it will obtain and use an ONLINE KEY (unique to each victim)…it the malware is unable to communicate with it’s command server, then the malware will give up and resort to a hard-coded OFFLINE KEY. Some victims may have both an OFFLINE & ONLINE KEY. This is due to the malware running multiple times and making multiple attempts to get an ONLINE KEY, sometimes successfully communicating with the server, sometimes failing to communicate and resorting to an OFFLINE KEY.
If you were provided a key by either Demonslay335 or kNN, enter it via the Settings -> Set Djvu Key option. For personal ID, the decrypter will accept either the 40 character string at the end of encrypted files (not the one in braces, the string just before that) or the 43 character string in the ransom note. The ID pulled from the encrypted file is the same as the ransom note, except the note prepends 3 numbers to it…the personal ID is not your key. Do not touch the Settings if you have not been explicitly told to do so. If you enter anything incorrect into this screen, the decrypter will corrupt your data. More information can be found the FAQs and Post #305.
STOPDecrypter will be able to decrypt files for the following personal ID’s (OFFLINE KEY’s) related to the variant extensions as noted above when the tool was updated:
- 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0 – .djvu* variants, .promos
- D02NfEP94dKUO3faH1jwqqo5f9uqRw2Etn2lP3VBb – .rumba
- cZs3TaUYZzXCH1vdE44HNr1gnD2LtTIiSFFYv5t1 – .promoz, .promock, .promorad
- TLuCxxAdd5BLXYWIvnjsWaCNR5lWoznhlRTSott1 – .promok
- 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDosJ24DmXt1 – .promorad2
- upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1 – .kroput, .kroput1
- neFMH56G5TY6gLqHS6TpWwfIPJF1mKg4FvpeNPt1 – .charck
- 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 – .kropun
- rdSXuFaXQZ5zsBX7nzxYC2hgkTkducsD7tuV95t1 – .doples, .luces, .luceq, .chech
- AlMcLobh5J6wVB2Iy10guKr1kpSuFBWfXIsI6Et1 – .pulsar1
- abIsuTknpjAqoGRR7OZL5HDDmc843XjBxrQOIot1 – .proden
- dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 – .drume, .tronas, .trosak
- sC0oYeg1wSkjbjkEwQcxTXzA0EOp8Tnc35seYQt1 – .grovas
- vElBnRCjG17HPbVSb8mw2WKW8uIBUDp5gbuiZat1 – .grovat, .raldug
- R11Dxz37SHHVuv5otlFtzJiXUIPwPzmP6gV8gmv9 – .roland
- r77yXePcnmrctJPWrZCcbJgUlAtOa1FC9Na710t1 – .etols, .guvara
- 1OcNMvbG9a2vBz0BdsXRX88kjuVX9ku4EmR64St1 – .norvas
- PBADSc0wL8KOzd5eGIaVThjIPeGxRqrsQgvU3qt1 – .moresa
- fCuKTg0kzQEXr1ewwlkMM3sl8ZzT1uEg7811p2t1 – .verasto
- qn2YpOJW8NoI4X3pchKLemMVHE6hbUPemTQPlMt1– .hrosas
- e4Z7Ued2uSyQfbA7vS8VKtF2dGKGH8qEQ4E1Uht1 – .kiratos
- 54SYshdMLwmLmgvVGWUrb336u3jYwOthqtuie5t1 – .todarius
- SFOGVV9L1s8tgZVtOy4lff6n3MEgUwud5fQUdHt1 – .roldat
- zC2lfjIocaJoC8hWBB1yhTK2ecfIMchQ47Dkylt1 – .dutan
- pQseAIqgTVhPujMMiqH1ILPNUg3soGVim0NAnkt1 – .sarut
- nBxtbGaG4zYZQuwkRqP7d0zTIAyt6ZTtAqWL77t1 – .berost
- jWOnMXbnka33AZT1RlCj0QSRbhhZHNASDvqHrDt1 – .forasom
- 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0 – .shadow
- QP5YonPPBgUP0qNuS7DV82bMzke5YFYqXbRlobt1 – .fordant
- PTWLJBvUTDlF6G52Fs8Fmm7egqpfWrghp1m2Bot1 – .codnat
- BvxonHH8kgX9meHfJweaV5ONlpO6f7IRCff0XXt1 – .dotmap
- mlKnUMskuvLAnwjqZpgNMoxWdYebTiuT9DMf4Vt1 – .ferosas
- t9hLELb8KHIC5gKnzv1k3CPJ5qpiqNZiyV5vhHt1 – .rectot
- JjkJ9drSkbRY2LR4ZeDjOJxCYgt4zs6svaNadvt1 – .skymap
- tgDlcFW2xFWyJx7JxqpZ8dNSOchUAMejoGdvf2t1 – .mogera
- C1WKOJdn7siJOSKrKnoKRy5tH9aSxwMzpaUzgst1 – .rezuc
- ljT0FEceXZLV8Gyhp3cCAcKbq8v85tmqMgqrVCt2 – .stone
- faLqfTl9yJBMMKsPhAv8WKbIdsFgqRtco70kHSt1 – .lanset
- 7wlgj03aBeU43xA1mJMBMvyvGs6wERcrV31xRrt1 – .davda
- 61K3jGfHzi5nWYLCgt3ZT7zGffHm0DNV9TGbdit1 – .poret
- bDDtqPBV1xkOfMNIpmkdcyeVXG71BNezzpQwsKt1 – .pidon
- xUHIDCdB9IpEd1BBxXWhkitDLMP8oSzQeEYlr0t1 – .heroset
- dLoJuwk26P2wogGWZREN7JEyvljcvICqcYfwIft1 – .muslat
- xUHIDCdB9IpEd1BBxXWhkitDLMP8oSzQeEYlr0t1 – .boston
- PpzYa3nBba2MZq4MUGgxoZcZ7cbXBKtzNcipyRt1 – .gerosan
- 3O3Zn4LeBG8kkWwS2nX61CWiHLZ46k1s632Cg9t1 – .vesad
- JtkQUrpVXQB69IB5uUcXQ248Wj0DM9fjtaSThgt1 – .horon
- fl1QN31tuQBZKd6Q43Bemee0EycF0HBYEjwpQTt1 – .neras
- llb5PDChmUj6x2qLPtnlsS01VQMr9BBnhSGvh7t1 – .truke
- PrHLxGQfozsYqIt6y8iByGll1cv9doSVfPSfS2t1 – .dalle
- ppAG2IEqjVWKxLoaeeEd2ondL6Wu9aHAHA2NBrt1 – .lotep
If the decrypter skips your files, then you were encrypted by an ONLINE KEY, not by any of the OFFLINE KEYs listed in the decrypter. We cannot help you with the ONLINE KEY since there is no way to reproduce or retrieve it from the server. Therefore, if your personal ID is different than those noted above, we will not be able to help you at this time. All you can do and should do is archive (save) and wait for a possible future solution.
If the decrypter does not work with the OFFLINE KEY, then it is possible the malware was run multiple times, and was able to contact and get an ONLINE KEY from it’s command server. That means it is possible for a ransom note to have an OFFLINE KEY and a file to be encrypted with an ONLINE KEY. The ID that corresponds to which key a file was encrypted with is embedded in the file itself.
If the decrypter indicates multiple ID’s then it is possible that your files were encrypted by multiple variants. If that is the case, then it is also possible one ID could be associated with an OFFLINE KEY and the other ID associated with an ONLINE KEY. This means files encrypted with an OFFLINE KEY (listed above) may be decrypted while those files encrypted with an ONLINE KEY will not be decrypted.
If STOPDecrypter cannot decrypt your files, indicates “No key for ID“, “No keys were found for the following IDs” or “Unidentified ID“, it will display them, along with your MAC (physical) Address (if it is run on the infected computer) for easy archiving in case a future decryption solution becomes available. For archiving purposes and posting the required information in this topic, the tool’s developer, Demonslay335 (Michael Gillespie), will need you to provide the following three items preferably as given by STOPDecrypter-log.txt:
- Personal ID (preferably from the ransom note, but can also be given by STOPDecrypter if it skipped files).
- Extension of files.
- MAC (physical) Address(es) of network device (network card, Wired, Wireless, Wi-Fi) of the infected computer, again preferably as given by STOPDecrypter.
- Getting Your ID and MAC With STOPDecrypter
- Windows 8 and 10 – Finding the IP Number and MAC Address of a Network Card
OTHER IMPORTANT INFORMATION:
– STOPDecrypter includes a BruteForcer intended ONLY for .puma based variants which use XOR encryption. Djvu* based and other newer variants CANNOT be bruteforced since they use Salsa20. Do NOT attempt to use the BruteForcer on other variants…the files may get corrupted.
– If STOPDecrypter indicates “files was not encrypted, renamed” that means the ransomware was not able to handle large files and just added an extension without actually encrypting the file. Previously, the decrypter gave messages like “[-] No key for ID: ?E??_^%&&&_TAGSDz?engD??D??BPS DUR” or what looked like a bunch of gibberish. Demonslay335 determined that the file was likely not encrypted to begin with due to it’s large size. STOPDecrypter was updated to try to detect this case and it will rename the files for you…see Post #639.
– If STOPDecrypter indicates “Error: System.UnauthorizedAccessException: (5) Access is denied: [filepath]” that means you need to run STOPDecrypter as administrator.
– If STOPDecrypter will not run, crashes or indicates “Fatal Error: The Typeinitializer for Alphaleonis.Win32.Filesystem.NativeMethods caused an exception. Aborting. Decrypted 0 files!” that means you have an outdated or corrupted .NET Framework as explained in the FAQs. You need to be running .NET Framework 4.5.2+ or higher.
– Anyone getting other errors running the decrypter needs to send a PM to Demonslay335 with more information….see Post #569. He needs to know what operating system was infected, and if possible, a dump of the STOPDecrypter-log.txt, or anything in Event Viewer pertaining to the issue.
– STOPDecrypter will work “out-of-the-box” for any extension beginning with the Djvu* variants (including new extensions) but only if you were encrypted by one of the OFFLINE KEYS listed above. Each variant extension only has one OFFLINE ID. No updates are needed since this ransomware uses a specific filemarker to mark files it has encrypted. STOPDecrypter looks for that filemarker in addition to the extension so there is no need to update the decrypter for new extensions unless the criminals change something in the file format. The decrypter will be updated if there are new OFFLINE KEYS that can be added or if the malware developers change the file format.
– Per the FAQs, the malware authors have started changing the OFFLINE KEY without changing the ONLINE KEY ID. This means STOPDecrypter does not have to be updated for each extension since Demonslay335 has to verify what OFFLINE KEY’s they are using so as to not corrupt data (which requires having the malware executable to analyze). If you have a new extension, but your Personal ID matches one of the Offline ones, Demonslay335 will need the malware executable in order to update the decrypter.
– STOPDecrypter does not have to be run on the infected machine unless you want to gather the MAC (physical) Address for possible future decryption.
– STOPDecrypter does not delete any files unless you explicitly check the “Delete Encrypted Files” setting which we do not recommend doing with this ransomware…as apart from matching the ID in the file, it is impossible to guarantee the decryption was successful. It is best to check manually that files are decrypted properly before removing and cleaning up the encrypted files (CryptoSearch can help with that).
– STOPDecrypter was updated to fix another bug with not deleting files created when decryption fails, and to explicitly add more warnings for people who insist on force-feeding passwords. The decrypter will also check for victims who keep trying to run it on Dharma infections.
– If you are asked to provide a malware sample, please DO NOT POST ACTIVE LINKS, including links which may lead to sites where infections have been contracted. If it is malicious, we don’t want other members accidentally clicking on such links and infecting their machines. All such links will be removed to protect other members reading our forum topics. You can upload a sample of the malware to VirusToal and provide a link to the report for Demonslay335 to review. Samples of suspicious executable’s (installer, malicious files, attachments) can also be submitted (uploaded) here with a link to this topic…it’s best to zip (compress) all files before sharing.
–The .kroput variant also modifies the hosts file and includes blocking of BleepinComputer.
– Newer STOP (DJVU) Ransomware variants and other ransomwares have been reported to spread by downloading & using adware bundles, pirated software, activators for Office and Windows and cracks.
- Newer Djvu* variants are spread by downloading software cracks and adware bundles
- New Rumba STOP Ransomware Being Installed by Software Cracks
- 360 Discovered a New Ransomware Disguised as Windows Activator
- Be Careful of the KMSPico Activator It could be a Ransomware!
– Newer STOP (DJVU) Ransomware variants are also installing the Azorult Trojan which steals passwords.
In addition to encrypting a victim’s files, the STOP ransomware family has also started to install the Azorult password-stealing Trojan on victim’s computer to steal account credentials, cryptocurrency wallets, desktop files, and more…Victims who have been infected with a STOP Ransomware variant should immediately change the passwords to any online accounts that are used, especially ones that are saved in the browser. Victims should also change passwords in software such as Skype, Steam, Telegram, and FTP Clients. Finally, victims should check any files stored on the Windows desktop for private information that may now be in the hands of the attackers.