Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ransomware - [stopstorage@qq.com].master


  • This topic is locked This topic is locked
2 replies to this topic

#1 wlategan

wlategan

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:26 AM

Posted 29 June 2017 - 06:40 AM

Good day,

 

Can someone please assist. My files are encrypted and it looks like the BTCWare Master ransomware.

 

The people do not respong to the e-mail address provided stopstorage@qq.com

 

Can someone please assist.

 

Below is the ransom note.

 

Regards

Werner

 

 

[WHAT HAPPENED]
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: stopstorage@qq.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
 
[FREE DECRYPTION AS GUARANTEE]
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
 
[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller
by payment method and price
 
[ATTENTION]
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files
 
Your ID: 
 
IpKPXBDCOl9V63K7QG61fgxFOulhanet8/Ke7mO0D6uWHvD2QE5P1ANSXoAtTjAH3DsmNFwRzu+autgk47+Qtpe4n/NoDJFo9YSwdXFcAxCfzs6H1a8vB0mEtQ6D5jY+PZZJpuHVxFFOYVl5BsruHB6CkOfud5JejF0ZTa5Uulk=


BC AdBot (Login to Remove)

 


#2 rcronin

rcronin

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 29 June 2017 - 07:10 AM

Same issue here, files renamed with  stopstorage@qq.com

 

Attempted BTCware without success



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:26 AM

Posted 29 June 2017 - 07:56 AM

As noted by Demonslay335 in Post #258...[<email>].master is 100% NOT decryptable.
 

@all

After further analysis, I'm afraid .[<email>].master is 100% NOT decryptable, even under certain circumstances of the server not being rebooted that I was attempting. I failed to realize they had changed the random number generator they used in this "branch" to a secure one, I thought it was only later versions (.[<email>].blocking and .[<email>].encrypted). I have separated these variants out on ID Ransomware for more clarification. The only chance of decryption for free will be if the RSA-1024 private key is leaked/seized (then I would be able to decrypt everyone's files for this variant).

The decrypter will only attempt deriving a keystream if it thinks you were hit by the rare, old RC4 variant, which would have been a long long time ago. If you were hit anytime recently, then you were most definitely hit by the AES-256 variant with the secure key generator, and I cannot decrypt your files. If the decrypter offers to derive keystream anyways, and it corrupts files that it thinks it decrypts, then you were hit by the AES variant, and I once again, cannot decrypt your files. The current decrypter will check if the files you feed it are the exact same filesize, and if the entire file was encrypted past 10MB. Any further PMs about this information will be ignored; I have repeated it over and over, and am getting flooded by messages still.


There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users