
I got infected by something that has changed the extensions of my files on my D:\ drive to .koom, a search shows it to be some kind of ransomware of the STOP/DJVU type, I don't know what that means. Anyway, I downloaded and installed Malwarebytes and I've run it at least 4 times and I still see the hijacked files. What must I do to fix this?


Hello Chipw.

I regret very much to read of another encrypting ransomware. Files encrypted by ransomware cannot be "read" or used normally once they are encrypted. Encryption means that the ransomware has physically changed the file so you cannot access it. If only the D drive was affected, it means that your main C drive was spared.

Malwarebytes has no decrypter. We cannot recover any of your encrypted files. We have no magical tool.
User files, documents or images damaged by the encrypting ransomware cannot be cured (or fixed) by Malwarebytes.

You could recover your damaged files from an offline backup (that you had made from before this ransomware incident). Offline backup is your friend.
Do you have an old offline backup of your machine?

I take it that this pc did not have installed, prior to the ransomware incident, the Premium Malwarebytes. Had the case been that the pc did have the Premium Malwarebytes beforehand, the malicious ransomware would have been stopped.

Look on your Desktop and/or your Documents folder or any other folder where there are encrypted files. You most likely will see a text-type file named _readme.txt, _openme.txt or _open_.txt.

That would be a file containing a ransom note made by this ransomware. We here on the forum and also at Malwarebytes have no decryption tool, just so you are aware of that. It seems your machine was / is a victim of a variant of the STOP (djvu) ransomware.

See these articles:

"Meet Stop Ransomware: The Most Active Ransomware Nobody Talks About"
https://www.bleepingcomputer.com/news/security/meet-stop-ransomware-the-most-active-ransomware-nobody-talks-about/

Also see https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/

If you have saved offline backups of the system from before this infection, that is the best means of recovering damaged user files.

Edited by Maurice Naggar
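The reply above asks the poster to look for the ransom note files and, later in the thread, to upload a note and one encrypted file for identification. The following PowerShell script is an added example, not code from the thread or from Malwarebytes: it inventories the files carrying the appended extension, collects the distinct ransom notes, and copies one note and one small encrypted sample into a triage folder with SHA-256 hashes so the submission can be documented. The drive letter, the extension and the triage folder path are assumptions set at the top.

```powershell
# Added example (not from the thread). Assumptions: the affected drive is D:,
# the appended extension is .koom, and C:\RansomTriage is a writable folder.
$Drive     = 'D:\'
$Extension = '.koom'
$TriageDir = 'C:\RansomTriage'
$NoteNames = @('_readme.txt', '_openme.txt', '_open_.txt')   # note names listed in the reply above

New-Item -ItemType Directory -Path $TriageDir -Force | Out-Null

# 1. Inventory: every file carrying the appended extension, counted per folder.
$encrypted = Get-ChildItem -Path $Drive -Recurse -File -Filter "*$Extension" -ErrorAction SilentlyContinue
"{0} files with extension {1} found under {2}" -f $encrypted.Count, $Extension, $Drive
$encrypted |
    Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Export-Csv -Path (Join-Path $TriageDir 'encrypted-files-by-folder.csv') -NoTypeInformation

# 2. Ransom notes: the same note is dropped into many folders, so keep one copy per distinct content.
$notes = Get-ChildItem -Path $Drive -Recurse -File -Include $NoteNames -ErrorAction SilentlyContinue
"{0} ransom note files found" -f $notes.Count
$distinctNotes = $notes | Group-Object { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
foreach ($group in $distinctNotes) {
    $first = $group.Group[0]
    $dest  = Join-Path $TriageDir ('note-' + $group.Name.Substring(0, 12) + '.txt')
    Copy-Item -Path $first.FullName -Destination $dest
}

# 3. One encrypted sample for upload; the smallest non-empty file is enough for identification.
$sample = $encrypted | Where-Object Length -gt 0 | Sort-Object Length | Select-Object -First 1
if ($sample) {
    Copy-Item -Path $sample.FullName -Destination (Join-Path $TriageDir ('sample' + $Extension))
}

# 4. Hashes of everything in the triage folder, so the submitted files are recorded.
Get-ChildItem -Path $TriageDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Format-Table -AutoSize
```

The script only reads from the affected drive and writes into the triage folder; the originals are left in place so that nothing is lost if a decrypter for the variant becomes available later.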

Thanks for the reply, I was afraid that was the response. There are many websites purporting to have a tool that can fix the situation but from what I've seen many, if not most, appear so similar they are probably all the same source with many different URLs. And so far the one tool I've tried has been nothing but bs.

I do have most, but not all, backed up as there were just too many to reasonably back up offline, at least the important stuff is still available from the backups.


Bookmark the 2 links I listed before for Bleepingcomputer forum.  Bleepingcomputer is the central resource for matters relating to all ransomwares.

Now then, as to "many websites purporting to have a tool":

Be very extremely careful! It matters if you did a general "web engine search" because you will get a whole raft of bottom-feeders that would lure you in to try one of their "scanners". Those scanners will NOT fix / NOT recover your user files. There are 2 or 3 "bottom feeders" that will & have generated dozens of website pages about every ransomware with an intent to lure you to buying their "thing".

Stay away from any site that you are not familiar with or one that has not been recommended or cited by sources you can rely on and trust.

On the other side, for some older variants of STOP (we are talking those several years old) there are some selected legitimate security sites that do have decrypters.

HOWEVER, if this machine has the "KOOM" variant, I am thinking this is a relatively new variant of Stop/Djvu & so there will not be any decrypter.

I would suggest you upload 1 or 2 of the ransom-note files for a feedback analysis so you can possibly see more info about the variant.

Read over the write-up  here https://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/

Do the Upload to this site link   https://id-ransomware.malwarehunterteam.com/

And also, you can just for good measure, upload 1 of the .koom files to that site. Get a screen-grab image of what the result is at ID-ransomware.

The STOP/Djvu family of ransomwares is several years old, with newer variants with new 4-character extensions coming out all the time. They are not all the same. There is not a one-shot universal fix-tool. Newly made variants just do not have decrypters. Yours here is a new one. As I noted, not every "specific ransomware" is the same as all others when it comes to encryption keys and (possible) decryption tool.


One more added note. For the STOP/Djvu series of ransomware, the date August 2019 is a key demarcation point, because after that date the bad-guys changed their choice of encryption. That is significant because for example, a tool by EMSISOFT can decrypt files encrypted from before August 2019. But not ones encrypted after that date.

Ransomwares constantly evolve & change.  It seems there is always a new variant of Stop/Djvu with some other different 4-character extension.

On a different aspect altogether, be sure that you are aware that ransomwares Delete all restore points on Windows as soon as they start their damage to your user files.

Secondly, know that ransomwares delete themselves after they have done their deed.

Turn back ON the Windows System Restore function.

I imagine the last scan run with Malwarebytes for Windows reported no active infection (which would be the standard expectation since Stop/Djvu self-deletes).

What is the installed antivirus here? Do a scan with your antivirus.

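The reply above makes three points a responder would want to verify: that the restore points are gone, that System Restore should be turned back on, and which antivirus is installed. The PowerShell below is an added example, not from the thread or from Malwarebytes. It lists whatever restore points and volume shadow copies survived, re-enables System Restore on the system drive, creates a fresh restore point as a post-cleanup baseline, and reads the antivirus products registered with Windows Security Center. It assumes an elevated Windows PowerShell 5.1 session on a client edition of Windows (the *-ComputerRestore cmdlets are not present in PowerShell 7) and that C: is the system drive.

```powershell
# Added example, not from the thread. Run as Administrator in Windows PowerShell 5.1
# on a client edition of Windows; assumes C: is the system drive.
$SystemDrive = 'C:\'

# 1. Restore points. The reply above says STOP/Djvu deletes them, so an empty list is expected.
Write-Host '--- Restore points ---'
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if ($points) {
    $points | Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize
} else {
    Write-Host 'No restore points present.'
}

# 2. Volume shadow copies, the other recovery source ransomware commonly removes.
Write-Host '--- Shadow copies ---'
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if ($shadows) {
    $shadows | Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize
} else {
    Write-Host 'No shadow copies present.'
}

# 3. Turn System Restore back on for the system drive and record a clean baseline.
Enable-ComputerRestore -Drive $SystemDrive
Checkpoint-Computer -Description 'Post-ransomware cleanup baseline' -RestorePointType MODIFY_SETTINGS
# Windows creates at most one Checkpoint-Computer restore point per 24 hours;
# a second call the same day is skipped with a warning rather than an error.

# 4. Antivirus products registered with Windows Security Center (client Windows only).
Write-Host '--- Registered antivirus products ---'
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    Select-Object displayName, productState, timestamp |
    Format-Table -AutoSize
```

Re-enabling System Restore does not bring back the deleted points; it only ensures that future changes are protected, which is why the script takes a new restore point immediately after turning it on.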

The id-ransomware site recommended downloading/installing the Emsisoft decryptor which I had already done. That app is just about as bad as any ransomware - they scan your computer, give you a report, then tell you to buy the software before it will do anything worthwhile. I hate that *****.


I am very surprised to read that there is any charge for the tool at Emsisoft.

NoMoreRansom has good general information about ransomware: https://www.nomoreransom.org/en/index.html
That site also has a Crypto Sheriff section where you can upload one of your files for analysis to ID the ransomware family:
https://www.nomoreransom.org/crypto-sheriff.php

Well, since there is no reversing the .koom encryption I have deleted everything with that extension, cleaned the registry, emptied the recycle bin, ran Malwarebytes repeatedly until it comes up clean, and then did it all again in safe mode, then reformatted the D: drive. The most important files were backed up on my website domain web server, the other stuff that wasn't backed up simply because of the amount of files was a huge collection of music files. Oh well, so it goes.


Malwarebytes Premium has multiple real-time protections, including against ransomware. I would recommend that you have the Premium license for Malwarebytes so that all PCs & devices are covered.

As to making your system more secure, there is a bunch of suggestions at this post 
https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/?tab=comments#comment-1372004

Use PatchMyPC, keep all your software up to date - https://patchmypc.com/home-updater#download


(2 weeks later) Root Admin:

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
This topic is now closed to further replies.