Ransomware attack!!!

This topic contains 1 reply, has 2 voices, and was last updated by agski 1 month ago.

  • #399956


    This morning, I received a call from my sister, who informed me that her computer had been attacked by ransomware, and that a payment of $700/$490 (within 72 hours) was needed for the key. I was able to trace down the .exe malware that was used to spread the virus. Through analysis I was able to remove it all, but the files were still encrypted with the extension IQLL. I’ve tried a few things (Safe mode, Photorec, Reset PC, Emsisoft, and so on), but none of them have worked so far. Is there anyone who knows how to decrypt these files legitimately?

  • #399957


    If you send me the file I can try and see if there’s a free decryptor, or you can look and see if she has shadow copies enabled. I can also check if there are flaws in their encryption implementations, but chances are it’s gonna be a lesson learned.
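The shadow-copy check suggested above, as an added example that is not code from this thread or from any of its posters. It enumerates the snapshots the Volume Shadow Copy service still holds on a Windows machine, picks the newest one of the chosen volume taken before the infection, exposes it read-only through a directory junction, and copies out files that were not yet encrypted when the snapshot was taken. `$Volume`, `$MountPoint`, `$InfectionTime` and `$Destination` are placeholder parameters I chose; the `.IQLL` extension is the one reported in the thread.

```powershell
# Added example, not code from the thread: recover pre-infection file versions
# from Volume Shadow Copies. Run from an elevated PowerShell prompt on the
# affected machine (or, better, on an image of it mounted on a clean box).
param(
    [string]   $Volume        = 'C:',              # placeholder: drive to inspect
    [string]   $MountPoint    = 'C:\ShadowMount',  # placeholder: junction path
    [datetime] $InfectionTime = (Get-Date),        # placeholder: first sighting of the ransom note
    [string]   $EncryptedExt  = '.IQLL',           # extension reported in the thread
    [string]   $Destination   = 'D:\Recovered'     # placeholder: write recovered files elsewhere
)

# 1. List every snapshot the VSS service still holds. Ransomware commonly
#    deletes these before encrypting, so an empty list is itself a finding.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if (-not $shadows) {
    Write-Warning 'No shadow copies present: VSS was disabled or the snapshots were deleted.'
    return
}
$shadows | Sort-Object InstallDate -Descending |
    Format-Table -AutoSize ID, InstallDate, VolumeName, DeviceObject

# 2. Match snapshots to the requested drive letter. Win32_Volume.DeviceID and
#    Win32_ShadowCopy.VolumeName both use the \\?\Volume{GUID}\ form.
$volumeId = (Get-CimInstance -ClassName Win32_Volume |
             Where-Object DriveLetter -eq $Volume).DeviceID
$candidate = $shadows |
    Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $InfectionTime } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1
if (-not $candidate) {
    Write-Warning "No snapshot of $Volume predates $InfectionTime."
    return
}

# 3. Expose the snapshot as a directory junction. The trailing backslash on
#    the device path is required; mklink fails without it.
cmd.exe /c mklink /d $MountPoint "$($candidate.DeviceObject)\" | Out-Null
try {
    # 4. Copy out user data, skipping anything that already carried the
    #    ransomware extension when the snapshot was taken. Reads only; the
    #    snapshot itself is never modified.
    Get-ChildItem -Path (Join-Path $MountPoint 'Users') -Recurse -File |
        Where-Object { $_.Extension -ne $EncryptedExt } |
        ForEach-Object {
            $relative = $_.FullName.Substring($MountPoint.Length).TrimStart('\')
            $dest     = Join-Path $Destination $relative
            New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $dest
        }
}
finally {
    # 5. rmdir on a junction removes only the link, never the snapshot contents.
    cmd.exe /c rmdir $MountPoint | Out-Null
}
```

Pass `-InfectionTime` as the time the ransom note first appeared so that a snapshot taken mid-encryption is not chosen, and compare the `InstallDate` column against that time before trusting any recovered file. Shadow copies live on the same disk as the data, so they are a convenience, not a substitute for the offline backup the later replies recommend.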

  • #399958


    Try to identify the ransomware group, and see if any of these can help you out. Good luck. [nomoreransom](https://www.nomoreransom.org/en/index.html)

  • #399959


    The data is gone. Restore from backup or recreate. If neither of these is an option, the data is truly gone.

    It is mathematically infeasible to defeat modern encryption without there being some flaw in the attacker’s methods. With ransomware as a service, flawed attacks are quickly weeded out.

    I apologize if this is disheartening. But it is the truth in the overwhelming majority of cases.

    Your only hope is that legitimate law enforcement seizes the bad actors’ assets and releases the private keys. Again, this is mathematically unlikely. Like winning the lottery unlikely.


  • #399960


    I did some Google research based on the extension you mentioned. The ransomware appears to be called STOP (Djvu) and it’s a new variant from 2019 onward. From the article mentioned [here](https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/?fromsearch=1) you will need the offline keys to try and decrypt, but it’s not guaranteed.

  • #399961


    I feel compelled to ask, and please don’t share more info than you’re comfortable with but: is there a reason she was targeted? High profile or totally random?

  • #399962


    If you removed the actual ransomware, I doubt the files will be decrypted, as you won’t break the secret key. Of course, I am no expert and I can definitely be wrong.

  • #399963


    Edit: before you do anything at all, image that drive, make a copy so you’re working off a copy of the image.

    I’ve often wondered if it’s possible to do an end run around encryption by using file recovery software like GetDataBack.

    First time I had a crash on Win XP years ago I used it and it turned out there’s multiple copies of everything, I guess because defragmentation moves files around to try to make everything contiguous. If you have an SSD you might not be able to use it that way because files don’t need to be contiguous for speed, thus you don’t defrag those.

    I don’t do Windows anymore but I’m tempted to test that. That would seem to be possible and laughable if it works, being so easy.

    Also if that’s the case… and I did have multiple copies of everything, even files I had deleted intentionally, which caused me to start using Eraser to overwrite… HDDs should be able to hold 5 or 10 times as much data…. at least with a simple software rewrite, maybe just the firmware. I thought of this years ago when I saw that and never mentioned it and it’s beyond my pay grade. So if anyone does this (assuming it hasn’t been done already) give me a mention and I hope you open source it.


    Someone sends me a ransom demand with that amount, whether or not I recover the data they’re getting a smart-ass note from me: **“Thanks for the vote of confidence guys, it’s never going to happen but I admire your enthusiasm.”**


  • #399965


    Always remember to back up your files on Google Drive so they are easy to recover. 🙂
