Posts posted by ctytom

  1. 1 hour ago, Maurice Naggar said:

    Thank you for relaying that.

    Sorry, there is not a solution.

    Can you at least attach the physical note file itself? I can then take that and upload it myself to ID-Ransomware.

    Ransomwares delete themselves after doing their deed. Malwarebytes has no decrypter for any encrypted file.

    Ransomwares also disable System Restore and delete all system restore points.

    They also delete volume shadow copies typically.

     

    You may try what follows on some of your files with the .kvag extension to see if Windows "may" have an old copy.

    Pick one file. You can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up.

    See if yours shows a line entry with some old date prior to the date of infection.

    The files have no previous versions, so this method is not working for me >.<

  2. 40 minutes ago, Maurice Naggar said:

    Thank you for that file. From doing prior searches, it did seem that the bandits are using ransom notes previously seen on other variants of STOP family ransomware.

    Hopefully you can see the ID ransomware direct feedback here https://id-ransomware.malwarehunterteam.com/identify.php?case=4c582e187a64bec46c3a80df47455de476060f8c

     


     

    Do keep in mind that this new variant of STOP ransomware may not be able to be decrypted by the current STOPdecrypter (more information at Bleepingcomputer).

    The criminals have made changes to the malware in newer versions that make decryption near impossible at this time.

    My suggestion is to make a post at Bleepingcomputer forum where they have special experts.

    https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/

     

    It is the same case when I upload one file for checking.

  3. Hi everyone,

    I found that the HDD has been infected by a virus or spyware, something like that. All the files on the storage data disk have been changed by adding the extension ".kvag", e.g. the original file is "testing.xls", now changed to "testing.xls.kvag". However, the files still cannot be opened by deleting the .kvag extension. The files are important! How can I recover the files?

    Thanks brothers !
