Beware of the .adobe Ransomware Virus [UPDATE]

If you are infected and want to recover your files, go straight to the post Cara Mengenkripsi File yang Terinfeksi Ransomware ADOBE dengan STOP Decryptor (the STOPDecrypter download link there has been updated to version 2). The update is explained in the post Cara Mengembalikan File yang Terinfeksi Virus Ransomware .ADOBE dengan STOPDecrypter versi 2. Apologies that the earlier STOPDecrypter link pointed to version 1.

It seems there are currently many .adobe ransomware attacks. This is a new ransomware, because as of writing I have not found a decryptor for it (if anyone already has one, please share). Several friends on Facebook have contacted me after being infected with it. Hopefully a decryptor is released soon. I have not yet tested whether the .globe ransomware decryptor works on .adobe ransomware; if I have time I will try it while waiting for a decryptor. For information, here is the data on the .adobe ransomware.

What is Adobe?

  • Also Known As:Adobe virus
  • Type:Ransomware
  • Distribution:High
  • Damage level:Severe

Adobe is a high-risk virus that is categorized as ransomware. This virus belongs to the Dharma ransomware family and it was first discovered by S!Ri. Adobe's developers (cyber criminals) use it to corrupt systems by encrypting files (making them unusable). Another ransomware that adds the .adobe (or .adobee) extension to encrypted files originates from the STOP ransomware family. Once the system is infiltrated, Adobe ransomware displays a ransom demand message (pop-up window), creates a "FILES ENCRYPTED.txt" text file, and renames each encrypted file by adding the ".adobe" extension plus a unique ID and an email address. For example, "1.jpg" file is renamed to "1.jpg.id-1E857D00.[stopencrypt@qq.com].adobe", and so on. Adobe can be found and identified in Task Manager as "BulkFileChanger (32bit)". Other variants of this ransomware use ".[abibo@protonmail.com].adobe", ".[mercarinotitia@qq.com].adobe", ".[manpecamet1974@aol.com].adobe", ".[kush888@cock.li].adobe", ".[ovro@tuta.io].adobe", ".[parambingobam@cock.li].adobe" and ".[avflantuheems1984@aol.com].adobe" extensions for encrypted files.
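As an added example (not code from the original post or from any vendor's tool), the following Python script parses the Dharma-style file names described above to recover the original name, victim ID and contact address, flags plain ".adobe" names of the kind the STOP/Djvu variant produces, and counts ransom notes in a directory listing. The sample listing is constructed, and the assumption that the victim ID is always 8 hex characters is mine.

```python
import re
from collections import Counter

# Dharma/Crysis naming scheme from the description above:
#   <original name>.id-<victim id>.[<contact e-mail>].adobe  (or .adobee)
# Assumption: the victim id is always 8 hex characters, as in the page's example.
DHARMA_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]]+)\]\.adobee?$")

# Contact addresses the page lists for the known variants.
KNOWN_VARIANT_EMAILS = {
    "stopencrypt@qq.com", "abibo@protonmail.com", "mercarinotitia@qq.com",
    "manpecamet1974@aol.com", "kush888@cock.li", "ovro@tuta.io",
    "parambingobam@cock.li", "avflantuheems1984@aol.com"}
# Dharma drops "FILES ENCRYPTED.txt"; the STOP/Djvu variant drops "_openme.txt".
RANSOM_NOTE_NAMES = {"FILES ENCRYPTED.txt", "_openme.txt"}

def parse_encrypted_name(name):
    """Describe a Dharma-style encrypted file name, or return None if it does not match."""
    m = DHARMA_NAME_RE.match(name)
    if not m:
        return None
    info = m.groupdict()
    info["victim_id"] = info["victim_id"].upper()
    info["known_variant"] = info["email"].lower() in KNOWN_VARIANT_EMAILS
    return info

def triage(filenames):
    """Summarise a directory listing: encrypted names, plain .adobe names, notes, IDs, e-mails."""
    report = {"encrypted": [], "plain_adobe": [], "notes": [],
              "victim_ids": Counter(), "emails": Counter()}
    for name in filenames:
        if name in RANSOM_NOTE_NAMES:
            report["notes"].append(name)
            continue
        info = parse_encrypted_name(name)
        if info:
            report["encrypted"].append(info)
            report["victim_ids"][info["victim_id"]] += 1
            report["emails"][info["email"].lower()] += 1
        elif name.lower().endswith((".adobe", ".adobee")):
            report["plain_adobe"].append(name)  # no id/e-mail: STOP/Djvu-style naming
    return report

# Constructed sample listing; the first entry is the page's own example name.
SAMPLE_LISTING = [
    "1.jpg.id-1E857D00.[stopencrypt@qq.com].adobe",
    "report.xlsx.id-1E857D00.[stopencrypt@qq.com].adobe",
    "backup.zip.id-AB12CD34.[kush888@cock.li].adobee",
    "photo.png.adobe", "FILES ENCRYPTED.txt", "notes.txt"]
```

Run `triage` over `os.listdir()` of a suspect folder to get the victim ID and contact address you will need when a decryptor asks for them, without renaming or touching the encrypted files.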

Screenshot: Adobe decrypt instructions

Adobe ransomware data

  • Ransomware family: Crysis/Dharma Ransomware
  • Ransomware Extensions: [stopencrypt@qq.com].adobe
  • Ransomware note: FILES ENCRYPTED.txt
  • Ransom: From 0.5 Bitcoins to 1 Bitcoin

Screenshot of Adobe ransomware process ("BulkFileChanger (32bit)") in Windows Task Manager:


File types that get encrypted:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Screenshot: files encrypted by Adobe

Ransom note

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail

Write this ID in the title of your message

In case of no answer in 24 hours write us to these e-mails: stopencrypt@qq.com

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.

hxxps://localbitcoins.com/buy_bitcoins

Also you can find other places to buy Bitcoins and beginners guide here:

hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Screenshot: Adobe ransomware text file (FILES ENCRYPTED.txt)

Recommended anti-malware/ransomware

malwarebytes - https://www.malwarebytes.com/

Update January 24, 2019 - Recently a new variant of Djvu ransomware has started using ".adobe" or ".adobee" file extensions as well. Therefore, if your computer has been infected with that virus (you can distinguish by the ransomware's behavior - Djvu doesn't open any pop-up window and its created text file is named "_openme.txt"), you might want to take a closer look at Djvu's article, since viruses from this ransomware family are completely identical.

source

***

I once tried to help recover files infected with the .globe ransomware. In general, that decryptor works as follows:

  • the decryptor reads two files: one encrypted by the virus and an unencrypted copy of the same file (for example a copy you had made to a flash drive, another laptop/PC, sent by e-mail, etc.).
  • by comparing the two files, the decryptor works out the kind of encryption used.
  • after that, the decryptor can be used to restore all the encrypted files.

Read more: CARA MEMULIHKAN DATA/FILE YANG DIENKRIPSI VIRUS RANSOMWARE GLOBE (.globe)

In the next few days the antivirus vendors may (hopefully) release a decryptor. For those already infected, there is one option if System Restore is enabled on your PC/laptop: you can restore from it. Do not pay, because there is no guarantee your files will be recovered. Also do not reinstall Windows, because that means losing all your files. Copy and back up all the important infected files (once a decryptor is available they can be repaired). This post will be updated if there is new information.

Note: make a habit of backing up important files to other media (flash drive, external HDD, another PC/laptop, cloud storage, etc.). Be careful with suspicious links, suspicious files, pirated software, cracks, etc.

How the WannaCry ransomware works

[UPDATE]

After learning that this .adobe ransomware belongs to the Crysis/Dharma ransomware family, I tried looking for Crysis and Dharma decryptors, but all 4 decryptors I tried failed to recognise the Adobe ransomware's algorithm. These are the decryptors I used:

  1. ESET Crysis Decryptor
  2. AVAST Decryption Tool for CrySiS
  3. KASPERSKY RakhiDecryptor
  4. Trend Micro Ransomware File Decryptor

Thanks to mas Andrean Firnanto for the Adobe ransomware sample file.

I will keep trying to rescue files encrypted by the Adobe ransomware; progress will be updated here. Thank you.

[UPDATE 3-2-2019]

After reading how the ransomware viruses in the Adobe family (Dharma and Crysis) work, most likely it makes a copy of each file it finds, encrypts the copy, and deletes the original. Because there is a DELETE step, there is a first possible solution for those infected by Adobe ransomware: a data recovery application (one that restores deleted files). There are many recovery programs, such as:

  • MiniTool Power Data Recovery Free.
  • Disk Drill
  • EaseUS Data Recovery Wizard Free.
  • Recuva.
  • UnDeleteMyFiles Pro.
  • GetDataBack

Use whichever you prefer or whichever one friends recommend. But the first thing you must do is remove the virus, so that the recovered data does not get infected again.

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.


  • Locate any suspicious processes associated with Adobe encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on "Organize" button
  • Choose "Folder and Search Options"
  • Select the "View" tab
  • Select "Show hidden files and folders" option
  • Uncheck "Hide protected operating system files"
  • Click "Apply" and "OK" button

STEP 3: Locate Adobe encryption Virus startup location

  • Once the operating system loads, press the Windows Logo key and the R key simultaneously.


Depending on your OS (x86 or x64), navigate in the Registry Editor to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the display name: [RANDOM]


  • Then open Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use the msconfig Windows program to double-check the execution point of the virus. Please have in mind that the names on your machine might be different, as they may be generated randomly; that is why you should run a professional scanner to identify malicious files.

Once the system is clean, run your recovery tool and hopefully all your important files come back. Still keep the infected files, so that once a decryptor is released, the files the recovery tool could not restore can be recovered.

If you are infected and want to recover your files, go straight to the post Cara Mengenkripsi File yang Terinfeksi Ransomware ADOBE dengan STOP Decryptor.