STOP Ransomware (.STOP .Djvu, .Puma, .Promo) Support Topic



#16 Rhyiann000


Posted 16 November 2018 - 10:39 AM

Hello. I am here as a victim of Ransomware seeking whatever possible help decrypting my files that got infected. Here is the read.me message I got:
 

our databases, files, photos, documents and other important files are encrypted and have the extension: .DATAWAIT
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Discount 50% avaliable if you contact us first 72 hours.

===============================================================================================

E-mail address to contact us:
BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch

Reserve e-mail address to contact us:
savefiles@india.com

Your personal id:
003e4GEw1godgubzE3BfjxYrk62pXNpoGOm05m8x3bH

 

If anyone can help me decrypt my files please let me know, thanks





#17 Emmanuel_ADC-Soft


Posted 16 November 2018 - 11:03 AM

Hello,

Send me with www.wetransfer.com at emte@adc-soft.com :

 

- the ransom note file

- 3-4 crypted files as samples; today we succeeded in decrypting the .DATAWAIT crypted files of another variant which is also a STOP ransomware.

 

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

Decryption is an extra service if you were not using a Dr.Web antivirus license when your files have been crypted.

 

A reasonable charge of EUR 150 exc. vat is required to acquire the decryptor. If we cannot decrypt your files there is nothing to pay.

 

Kind regards,

Emmanuel

--

Emmanuel Teillard d'Eyry – Support Service Manager

ADC-Soft | 18bis, rue de l'Est - 92100 Boulogne-Billancourt (France)
emte@adc-soft.com - Phone: +33 (0) 967 37 28 90
https://partners.drweb.com/find_partner?mode=search&country=64&city=1161&searchByName=&lng=en


Edited by Emmanuel_ADC-Soft, 16 November 2018 - 01:00 PM.


#18 Rhyiann000


Posted 16 November 2018 - 11:40 AM

Thank you I appreciate it. I have sent you a few of the files. Please let me know of any results





#20 Emmanuel_ADC-Soft


Posted 16 November 2018 - 01:19 PM

Dr.Web is now able to decrypt some variants of the STOP ransomware (for example .DATAWAIT and .INFOWAIT extension crypted files).

 

Decryption is an extra service if you were not using a Dr.Web antivirus license when your files have been crypted : fees requested to get the decryptor are 150 EUR exc. vat.
If we are not able to decrypt your files you have nothing to pay.

 

If you are interested send me :

- the ransom note

- 3-4 crypted files as samples

with www.wetransfer.com at emte@adc-soft.com

 

For the other variants we have to check each request to confirm.

 

You can contact me directly at emte@adc-soft.com

 

I will inform you if we are able to decrypt your files. Kind regards,

Emmanuel




#21 opardon


Posted 19 November 2018 - 08:43 AM

Emmanuel, I have also been encrypted with INFOWAIT, just sent you the example files by Wetransfer.

Please let me know if there is something to be done about it



#22 Emmanuel_ADC-Soft


Posted 19 November 2018 - 08:58 AM

> Emmanuel, I have also been encrypted with INFOWAIT, just sent you the example files by Wetransfer.
>
> Please let me know if there is something to be done about it

Hello,

Sorry : your files are crypted with 2 different ransomwares extension : .INFOWAIT.PPTX.INFOWAIT
Check here : https://id-ransomware.malwarehunterteam.com/identify.php?case=2c57fb50713f166db636157e03c9434a0905462c

 

We can decrypt .INFOWAIT ransomware under certain circumstances (we need pairs of originals-crypted files) but not the .INFOWAIT.PPTX.INFOWAIT crypted files because they are also crypted by the GlobeImposter 2.0 ransomware.

 

More information about GlobeImposter 2.0 ransomware here : https://www.bleepingcomputer.com/forums/t/644166/globeimposter-ransomware-support-crypt-pscrypt-ext-back-fileshtml/page-18

 

Kind regards,

Emmanuel




#23 opardon


Posted 19 November 2018 - 09:14 AM

Does it mean you need one original file and encrypted version in order to decrypt all of them? 



#24 Emmanuel_ADC-Soft


Posted 19 November 2018 - 09:52 AM

> Does it mean you need one original file and encrypted version in order to decrypt all of them?

For any regular STOP ransomware requests (extensions of crypted files can be .STOP | .SUSPENDED | .WAITING | .PAUSA | .CONTACTUS | .DATASTOP | .DATAWAIT | .STOPDATA | .INFOWAIT | .KEYPASS | .WHY | .SAVEfiles etc... etc... check here the Amigo-A digest for new extensions) we need :
 

- pairs of originals and crypted files to start to calculate the decryption key.

- the ransom note file !readme.txt

 

send me requested files and the ransom note with www.wetransfer.com at emte@adc-soft.com

 

I will inform you if we are able to decrypt your files. Kind regards,

Emmanuel



Edited by Emmanuel_ADC-Soft, 19 November 2018 - 09:53 AM.


#25 quietman7


Posted 19 November 2018 - 09:55 AM

> Does it mean you need one original file and encrypted version in order to decrypt all of them?

You have a dual infection...GlobeImposter 2.0 with .INFOWAIT (STOP) Ransomware. Sample pairs of original and encrypted files can be useful in some cases with .INFOWAIT (STOP) Ransomware but not GlobeImposter 2.0.

Only GlobeImposter 1.0 is decryptable. Since the cyber-criminals fixed the flaws, there is no known method to decrypt files encrypted by all the latest versions of GlobeImposter 2.0 without paying the ransom, including the variant with the .PPTX extension.



#26 ruthay


Posted 19 November 2018 - 12:18 PM

Hi Emmanuel, I was impacted by the .WAITING version back in April of this year. I just sent over pairs of files (neglected to send the ransom note but just sent it over wetransfer as well), hoping you can help. 

Thanks!



#27 Emmanuel_ADC-Soft


Posted 19 November 2018 - 01:47 PM

> Hi Emmanuel, I was impacted by the .WAITING version back in April of this year. I just sent over pairs of files (neglected to send the ransom note but just sent it over wetransfer as well), hoping you can help.
>
> Thanks!

Hello,

I received your files and sent you an answer by email. Hope we will be able to decrypt them shortly.

 

Kind regards,

Emmanuel




#28 Amigo-A


Posted 19 November 2018 - 02:15 PM

Timeline STOP Ransomware using extensions:
 
.STOP - December 2017, February 2018
.SUSPENDED - February 2018
.WAITING - April 2018
.PAUSA - May 2018
.CONTACTUS - May 2018
.DATASTOP - July 2018
.STOPDATA - July 2018
.KEYPASS - August 2018
.WHY - August 2018
.SAVEfiles - September 2018
.DATAWAIT - November 2018
.INFOWAIT - November 2018

Edited by Amigo-A, 19 November 2018 - 02:17 PM.



#29 Emmanuel_ADC-Soft


Posted 22 November 2018 - 07:54 AM

We can decrypt any .DATAWAIT and .INFOWAIT variants even without the ransom note : we absolutely need a pair of crypted/original file bigger than 150 Ko to brute force the key.

For the other variants we have to check each request to confirm.

 

You can contact me directly at emte@adc-soft.com

 

Kind regards,

Emmanuel

--

Emmanuel Teillard d'Eyry – Support Service Manager

ADC-Soft | 18bis, rue de l'Est - 92100 Boulogne-Billancourt (France)
emte@adc-soft.com - Phone: +33 (0) 967 37 28 90
Partner of Dr.Web for ransomware decryption : https://partners.drweb.com/find_partner?mode=search&country=64&city=1161&searchByName=&lng=en
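
A triage helper for the file-pair requirement in the post above, as an added example that is not part of the thread or of any vendor's tooling. It walks an affected directory, matches files carrying the extensions from the post #28 timeline against a backup copy, keeps only pairs above the 150 Ko threshold, and sets aside doubly renamed files like the .INFOWAIT.PPTX.INFOWAIT case from post #22. Assumptions: the function names are hypothetical, the backup mirrors the affected disk's directory layout, and 150 Ko is read as 150 KiB.

```python
import tempfile
from pathlib import Path

# Extensions from the timeline in post #28, compared case-insensitively.
STOP_EXTENSIONS = {".stop", ".suspended", ".waiting", ".pausa", ".contactus",
                   ".datastop", ".stopdata", ".keypass", ".why", ".savefiles",
                   ".datawait", ".infowait"}
# Post #29 asks for a pair "bigger than 150 Ko"; read here as 150 KiB (assumption).
MIN_PAIR_BYTES = 150 * 1024

def triage(encrypted_root, backup_root):
    """Sort STOP-renamed files into (pairs, layered, unmatched) lists."""
    encrypted_root, backup_root = Path(encrypted_root), Path(backup_root)
    pairs, layered, unmatched = [], [], []
    for enc in sorted(p for p in encrypted_root.rglob("*") if p.is_file()):
        if enc.suffix.lower() not in STOP_EXTENSIONS:
            continue  # not renamed by this family, e.g. the ransom note itself
        inner = enc.with_suffix("")  # path with the outer extension removed
        if any(s.lower() in STOP_EXTENSIONS for s in inner.suffixes):
            layered.append(enc)  # x.INFOWAIT.PPTX.INFOWAIT case from post #22
            continue
        # Assumption: the backup mirrors the directory layout of the affected disk.
        original = backup_root / inner.relative_to(encrypted_root)
        if (original.is_file() and original.stat().st_size > MIN_PAIR_BYTES
                and enc.stat().st_size > MIN_PAIR_BYTES):
            pairs.append((enc, original))
        else:
            unmatched.append(enc)  # no original, or pair too small to submit
    return pairs, layered, unmatched

def build_constructed_sample(root):
    """Write a constructed sample tree of zero-filled dummy files for the demo."""
    sizes_kib = {
        "disk/docs/report.docx.DATAWAIT": 200, "backup/docs/report.docx": 200,
        "disk/docs/tiny.txt.DATAWAIT": 2, "backup/docs/tiny.txt": 2,
        "disk/docs/slides.ppt.INFOWAIT.PPTX.INFOWAIT": 300,
        "disk/docs/!readme.txt": 1,
    }
    for rel, kib in sizes_kib.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\0" * kib * 1024)
    return Path(root) / "disk", Path(root) / "backup"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        pairs, layered, unmatched = triage(*build_constructed_sample(tmp))
        print("pairs:", [e.name for e, _ in pairs])
        print("layered:", [p.name for p in layered])
        print("unmatched:", [p.name for p in unmatched])
```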



#30 Sami-30


Posted 22 November 2018 - 04:07 PM

> We can decrypt any .DATAWAIT and .INFOWAIT variants even without the ransom note : we absolutely need a pair of crypted/original file bigger than 150 Ko to brute force the key.
>
> For the other variants we have to check each request to confirm.
>
> You can contact me directly at emte@adc-soft.com

Hi, thank you for your efforts.

I wanted to check, is decryption still not free for users who don't have a Dr.Web licence during the ransomware accident ... as you said in the previous posts? (Especially .DATAWAIT)


Edited by Sami-30, 22 November 2018 - 04:08 PM.




