Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

# International Police Association / Sopa/ PIPA Ransomware easily decrypted

17 replies to this topic

### #1 Grinler

Grinler

Lawrence Abrams

• 43,268 posts
• OFFLINE
•
• Gender:Male
• Location:USA
• Local time:10:17 PM

Posted 05 May 2015 - 03:55 PM

A new ransomware, which is actually a variant of CryptoTorLocker2015, has been reported that claims it's from the International Police Association - IAC and "fines" you \$100 Euros in order to get your files back. When infected, this ransomware will scan your computer, encrypt your data, and appends a 6 digit extension to any encrypted file. It will then display a message box ransom note that states you need to visit a certain site to may a payment. The current known payment sites are str.fulba.com and utrozen.pixub.com, which opens an iframe to fulba.com.

The ransom note states:

Warning! Your have a computer found pirated content! All your files encrypted! To decrypt files you need visit the site http://str.fulba.com and follow the instructions posted on it. If the site is for some reason unavailable refer to the stoppirates@yahoo.com. Your id 123456.

You can enter a password 5 times. Above this limit, all files will be deleted! Independent attempts to decrypt the data can to lead to their loss.

It wil then display a password prompt as shown below.

The ransom payment sites are regionally localized to show you the ransom instructions in your language. It determines this based on the IP address of the visitor. An example of the US ransom payment site is below.

Finally, this ransomware will change your Windows wallpaper to a fake message that states:

CONTENT Blocked by SOPA PIPA under authority granted by H.R. 3261 & S.968

With that said, for those who are infected with this Sopa/Pipa/International Police Association/Crap ransomware, you can easily decrypt your files by downloading and running Nathan Scott's decrypter. It should be noted that some anti-virus programs are detecting this infection based on its file modification abilities used by the decrypter, some AV programs may detect it as malicious. This is a false positive, but if you are concerned about the safety of the decryption tool, you can always copy your encrypted data to a virtual machine and run the decrypter from there.

Once you start the decrypter, you need to enter the 6 digit identifier assigned to your files, select a folder to scan, and then click on Decrypt to decrypt your files. When using the tool, it is suggested that you select the root of the drive such as C:\ and let the decrypter recursively scan your entire drive. If you are finding that some files, most likely shortcuts, are not properly being decrypted, you should run the program with Administrator privileges.

As always, if you have any questions, please feel free to post them here.

Known Related Ransomware Files:

%Temp%\<random>.exe
%Temp%\ag.exe
%Temp%\<random>.bmp
%Temp%\in.js
%Temp%\services.exe


m

### #2 LiquidTension

LiquidTension

• Malware Response Instructor
• 1,217 posts
• ONLINE
•
• Gender:Male
• Local time:03:17 AM

Posted 06 May 2015 - 09:57 AM

What is the infection vector for this ransomware?

### #3 Grinler

Grinler

Lawrence Abrams

• Topic Starter

• 43,268 posts
• OFFLINE
•
• Gender:Male
• Location:USA
• Local time:10:17 PM

Posted 06 May 2015 - 11:29 AM

Unknown.

### #4 RolandJS

RolandJS

• Members
• 4,293 posts
• OFFLINE
•
• Gender:Male
• Location:Austin TX metro area
• Local time:09:17 PM

Posted 06 May 2015 - 11:41 AM

For this situation, what does infection vector mean?

Edited by RolandJS, 06 May 2015 - 12:07 PM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (sevenforums)

Clone or Image often! Backup, backup, backup, backup... -- RockE (Windows Secrets Lounge)

### #5 SleepyDude

SleepyDude

• Malware Response Team
• 2,681 posts
• OFFLINE
•
• Gender:Male
• Location:Portugal
• Local time:03:17 AM

Posted 07 May 2015 - 05:49 AM

What is the infection vector for this ransomware?

Included with cracked software.

Edited by SleepyDude, 07 May 2015 - 03:46 PM.

• Please do not PM me asking for support. Post on the forums instead it will increases the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.

Proud graduate of GeekU and member of UNITE
___
Rui

### #6 DecryptTheFiles

DecryptTheFiles

• Members
• 1 posts
• OFFLINE
•
• Local time:05:17 AM

Posted 11 May 2015 - 08:18 AM

Hey, thanks for your work but your torrentunlocker works much better by this infection like this one, 90%ov mp4 and programms defekt with torrentunlocker 90% of Data are ok. only the .jpj.235485 id must change to .jpg.encrypted :-)

### #7 Grinler

Grinler

Lawrence Abrams

• Topic Starter

• 43,268 posts
• OFFLINE
•
• Gender:Male
• Location:USA
• Local time:10:17 PM

Posted 11 May 2015 - 11:06 AM

Not sure I understand. Your saying this is not working? If so, I will have the dev pop in.

### #8 cosmiclove

cosmiclove

• Members
• 5 posts
• OFFLINE
•
• Local time:10:17 PM

Posted 25 May 2015 - 09:22 PM

Hello Lawrence. I got hit last night by StopPirates. My tech guy is trying (unsuccessfully so far) to restore/retrieve the files. We just tried the stoppirates decrypter program you mentioned in this post but unsuccessful. I had high hopes given the convincing words used "....Sopa/ PIPA Ransomware easily decrypted" ....Do you think you can assist me with this please? I haven't looked at the payment option yet b/c I want to try anything I can before.

Thanks.

H

### #9 Grinler

Grinler

Lawrence Abrams

• Topic Starter

• 43,268 posts
• OFFLINE
•
• Gender:Male
• Location:USA
• Local time:10:17 PM

Posted 25 May 2015 - 10:49 PM

If you can submit samples of the malware to http://www.bleepingcomputer.com/submit-malware.php?channel=3 we can try to update the tool.

### #10 cosmiclove

cosmiclove

• Members
• 5 posts
• OFFLINE
•
• Local time:10:17 PM

Posted 25 May 2015 - 10:55 PM

If you can submit samples of the malware to http://www.bleepingcomputer.com/submit-malware.php?channel=3 we can try to update the tool.

Thank you so much for responding. By "samples of the malware", I assume you mean some infected/encrypted files? Thanks for letting me know and sorry if this question shows my ignorance on the topic. First time I got so seriously infected.

### #11 Grinler

Grinler

Lawrence Abrams

• Topic Starter

• 43,268 posts
• OFFLINE
•
• Gender:Male
• Location:USA
• Local time:10:17 PM

Posted 25 May 2015 - 11:00 PM

No we need the malware files themselves. Most likely located in the %Temp% folder.

%Temp%\<random>.exe
%Temp%\ag.exe
%Temp%\<random>.bmp
%Temp%\in.js
%Temp%\services.exe

### #12 cosmiclove

cosmiclove

• Members
• 5 posts
• OFFLINE
•
• Local time:10:17 PM

Posted 26 May 2015 - 09:38 AM

Good morning Lawrence! My tech guy just informed me that he has uploaded a zip file including the "stoppirates trojan" samples you have indicated. You will find them at this address  http://www.bleepingcomputer.com/submit-malware.php?channel=3 . Thanks so much for trying to help me. I look forward to hearing from you soon.

### #13 cosmiclove

cosmiclove

• Members
• 5 posts
• OFFLINE
•
• Local time:10:17 PM

Posted 26 May 2015 - 10:41 AM

Hi, My tech guy just sent samples of an infected file + the original file via email. Thanks so very much for your assistance, Lawrence!

### #14 Nathan

Nathan

DecrypterFixer

• Security Colleague
• 1,617 posts
• OFFLINE
•
• Gender:Male
• Location:Florida
• Local time:11:17 PM

Posted 26 May 2015 - 04:01 PM

Here you are CosmicLove:

http://ransomwareanalysis.com/StopPirates_Decrypter_v2.exe

(If you browser complains of a malicious site, do not worry. This is the site i use to host decrypters made from infections, so they are false positives.)

Have you performed a routine backup today?

### #15 cosmiclove

cosmiclove

• Members
• 5 posts
• OFFLINE
•
• Local time:10:17 PM

Posted 27 May 2015 - 02:20 AM

Dear Nathan and Lawrence. I don't know how to thank you both!!! You program has worked perfectly. I was able to decrypt entirely my E drive (all my user files) and now the decrypter is doing its thing on the C drive for my programs. Thanks so so much for helping me so diligently.

For all of you guys who got affected/infected by this StopPirates trojan, do NOT pay any ransom just yet. The decrypter works. You will only need to contact Lawrence and Nathan and provide samples of the malware found here on your drive (in addition to the ID stuck at the end of your encrypted files - mine was: filename.ext.335495):

%Temp%\<random>.exe

%Temp%\ag.exe
%Temp%\<random>.bmp
%Temp%\in.js
%Temp%\services.exe

Then make sure to have a pair of encrypted AND clean file (less and 1mb in size) to give to them to test the decrypter. It will expedite the resolution process. It took them just a few hours to do all this and I was able to retrieve all my files.

Lesson I've learned: BACK UP YOUR FILES, folks!!!!! Use one of the many online storage services and do it automatically so you don't have to think about it.

#### 0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users