
STOP Ransomware (.STOP .Djvu, .Puma, .Promo) Support Topic


12129 replies to this topic

#31 Emmanuel_ADC-Soft


Posted 22 November 2018 - 04:44 PM

 

We can decrypt any .DATAWAIT and .INFOWAIT variants even without the ransom note: we absolutely need an encrypted/original file pair bigger than 150 Ko to brute force the key.

For the other variants we have to check each request to confirm.

 

You can contact me directly at emte@adc-soft.com

Hi, thank you for your efforts.

I wanted to check, is decryption still not free for users who didn't have a Dr.Web licence during the ransomware accident ... as you said in the previous posts? (Especially .DATAWAIT)

 

 

Yes, Dr.Web decryptors are never free, except for computers with Dr.Web antivirus in use when the files have been encrypted. The charges are reasonable, 150 EUR.

If and when a free decryptor becomes available, you will be informed immediately by the Bleeping Computer Forum.

 

Kind regards,

Emmanuel - emte@adc-soft.com

--

Emmanuel Teillard d'Eyry – Support Service Manager

ADC-Soft | 18bis, rue de l'Est - 92100 Boulogne-Billancourt (France)
emte@adc-soft.com - Phone: +33 (0) 967 37 28 90
Partner of Dr.Web for ransomware decryption : https://partners.drweb.com/find_partner?mode=search&country=64&city=1161&searchByName=&lng=en





#32 shubhamsharma2020


Posted 24 November 2018 - 06:10 AM

hello Emmanuel - any update on the <<.PUMAX>> decryption?.....

 

Anxiously waiting

 

Shubham sharma



#33 shubhamsharma2020


Posted 24 November 2018 - 06:11 AM

Hello Emmanuel - any update on the <<PUMAX>> decryption?.... I have sent 2 cryptic files for your testing

 

anxiously waiting

 

Regards - Shubham sharma



#34 Emmanuel_ADC-Soft


Posted 24 November 2018 - 07:05 AM

Hello Emmanuel - any update on the <<PUMAX>> decryption?.... I have sent 2 cryptic files for your testing

 

anxiously waiting

 

Regards - Shubham sharma

Hello,

I am asking our ransomware lab if we can decrypt this new variant of the Stop ransomware: https://twitter.com/MarceloRivero/status/1065694365056679936

 

I will come back to you with the answer on Monday.



#35 Amigo-A


Posted 24 November 2018 - 01:18 PM

Extensions .puma and .pumax relate to new variants of STOP Ransomware.


My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#36 mimoosa


Posted 25 November 2018 - 06:23 PM

Is STOP ransomware written in AES 128-bit encryption?



#37 quietman7


Posted 25 November 2018 - 06:34 PM

According to Amigo-A (Andrew Ivanov)

This crypto ransomware encrypts user data using AES (CFB mode)...

STOP ransomware Overview



#38 Amigo-A


Posted 26 November 2018 - 02:23 AM

Is STOP ransomware written in AES 128-bit encryption?

 

 

In this case, I can not clarify. Since December last year, much could change. 
For clarification, we attach references to test results, if there are samples.
Everyone can access them through the service on which they are located. 
Registration on the service is made regardless of us. We do not provide direct access to harmful samples.
 
Test results: VT + HA + VB + IA + AR
VT - virustotal.com
HA - hybrid-analysis.com
VB - beta.virusbay.io
IA - analyze.intezer.com
AR - app.any.run
VMRay - vmray.com

Edited by Amigo-A, 26 November 2018 - 02:30 AM.


 


#39 h29551442


Posted 26 November 2018 - 09:01 PM

Hi everyone, the PUMAX ransomware has been decrypted.

 

I just recovered some files for my friend. If anyone needs help with that, contact me by email: xinyu.feng1995@gmail.com I'd like to help.

 

P.S. It requires that you have an original healthy file and the encrypted version of this file (larger than 150KB would be best) to generate the key, then I can use this key to recover your other files. Otherwise I can't help =(


Edited by h29551442, 27 November 2018 - 12:25 AM.


#40 ruthay


Posted 27 November 2018 - 09:59 AM

Just an update for those impacted by .WAITING. ADC-Soft in above thread tried to decrypt but was unable. So we are still waiting for a solution in the future. Many thanks to Emmanuel @ ADC-SOFT for trying!! thanks again.



#41 Demonslay335


Posted 28 November 2018 - 03:30 PM

For anyone with .puma, .pumas, or .pumax extensions: just hang on a bit. :wink:


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#42 Maxwell_Asin


Posted 29 November 2018 - 02:39 AM

Pumas Ransomware sample: https://www.sendspace.com/file/yryv2w

 

Any good news?



#43 Emmanuel_ADC-Soft


Posted 29 November 2018 - 05:57 AM

Pumas Ransomware sample: https://www.sendspace.com/file/yryv2w

 

Any good news?

Be patient... @demonslay335 Michael Gillespie is working hard on a solution coming soon for your .pumas request.
When it is ready you will be informed in this topic and also on https://www.bleepingcomputer.com



#44 Demonslay335


Posted 30 November 2018 - 09:52 AM

Per this 18 October 2019 Announcement and the first page of this topic, STOPDecrypter no longer is supported...it was discontinued AND replaced with the Emsisoft STOP Djvu Decryptor developed by Emsisoft and Demonslay335 (Michael Gillespie). However, the same STOPDecrypter support was incorporated into the new Emsisoft decryptor/submission method for most old Djvu variants.
 
 
 

Free decrypter for .puma, .pumas and .pumax variants.

 

https://twitter.com/demonslay335/status/1068517307650064384




#45 abu5515


Posted 02 December 2018 - 01:57 PM

Thanks for your efforts, hope you can find a decrypter for .DATAWAIT





