Is it impossible to decrypt online ID with Maas extension?


All files that are encrypted with newer STOP (DJVU) Ransomware variants after August 2019 will have the .coharos, .shariz, .gero, .hese, .xoza, .seto, .peta, .mocha, .meds, .kvag, .domn, .karl, .nesa, .startup, .noos, .kuub, .reco, .bora, .leto, .nols, .werd, .coot, .derp, .nakw, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .rote, .msop, .hets, .righ, .gesd, .merl, .mkos, .nbes, .piny, .redl, .nosu, .kodc, .reha, .topi, .npsg, .btos, .repp, .alka, .bboo, .rooe, .mmnn, .ooss, .mool, .nppp, .rezm, .lokd, .foop, .remk, .npsk, .opqz, .mado, .jope, .mpaj, .lalo, .lezp, .qewe, .mpal, .sqpc, .mzlq, .koti, .covm, .pezi, .zip, .nlah, .kkll, .zwer, .nypd, .usam, .tabe, .vawe, .moba, .pykw, .zida, .maas or .repl extension appended to the end of the encrypted data file name as explained here by Amigo-A (Andre Ivanov). Since the switch to newer STOP Djvu variants (and the release of .gero), malware developers have been consistent in using 4-letter extensions.

STOP ransomware will leave files (ransom notes) named !!!YourDataRestore!!!.txt, !!!RestoreProcess!!!.txt, !!!INFO_RESTORE!!!.txt, !!RESTORE!!!.txt, !!!RESTORE_FILES!!!.txt, !!!DATA_RESTORE!!!.txt, !!!RESTORE_DATA!!!.txt, !!!KEYPASS_DECRYPTION_INFO!!!.txt, !!!WHY_MY_FILES_NOT_OPEN!!!.txt, !!!SAVE_FILES_INFO!!!.txt and !readme.txt. The .djvu* and newer variants will leave ransom notes named _openme.txt, _open_.txt or _readme.txt.

Please read the first page (Post #1) of the STOP Ransomware (.STOP, .Puma, .Djvu, .Promo, .Drume) Support Topic and these FAQs for a summary of this infection, its variants, updates and possible decryption solutions using the Emsisoft decryptor.

There is no longer an easy way to get offline keys for many of these newer variants and no way to decrypt files if infected with an ONLINE KEY without paying the ransom and getting the private keys from the criminals who created the ransomware. Emsisoft can only get OFFLINE KEYS AFTER a victim has PAID the ransom, received a key and provided it to them. This means that in case of infection with an ONLINE KEY, we cannot help you to decrypt the files because there is no way to access the criminals' command server and retrieve this KEY.

Emsisoft has obtained and uploaded to its server OFFLINE KEYS for the following new STOP (Djvu) variants: .gero, .hese, .seto, .peta, .mocha, .meds, .kvag, .domn, .karl, .nesa, .noos, .kuub, .reco, .bora, .nols, .werd, .coot, .derp, .meka, .toec, .mosk, .lokf, .peet, .grod, .mbed, .kodg, .zobm, .msop, .hets, .righ, .mkos, .nbes, .reha, .topi, .repp, .alka, .nppp, .remk, .npsk, .opqz, .mado, .covm, .usam, .vawe as shown in Extension #9297 and elsewhere in the support section.

** If there is no OFFLINE KEY for the variant you are dealing with or if it is one of the newer STOP (Djvu) variants that used an ONLINE KEY, we cannot help you unless an OFFLINE KEY is retrieved and added to the Emsisoft server/decryptor. For now, the only other alternative to paying the ransom is to back up/save your encrypted data as is and wait for a possible future solution.

** If an OFFLINE KEY is available for the variant you are dealing with and your files have not been decrypted by Emsisoft Decryptor, then you have most likely been encrypted by an ONLINE KEY and these files are not recoverable as they are not decryptable unless you pay the ransom. ONLINE IDs for the new STOP (Djvu) variants are not supported by Emsisoft Decryptor. If infected with an ONLINE ID, Emsisoft decryptor will indicate this under the Results tab and note that the variant is impossible to decrypt.

You should post questions in the support topic above. If you have followed these instructions and need further assistance, you should always ask for help in this support topic.

Rather than having everyone with individual topics and to avoid unnecessary confusion, this topic is closed.

Thank you
British Columbia staff

