Ransomware crypt data *.lqqw, key decrypt online ID. Help


Hien Nguyen

Sep 3, 2021, 12:06:14 AM
to DataRecoveryCertification
Currently, I have a case where my computer is encrypted by ransomware with the .lqqw format. After I try to decrypt with some tools like Emsisoft, it fails and gives the error:

Error: No key for New Variant online ID: NFOGuL7WY22ZArC3FwkP1vH9YnZHGXlhoOm7Iwp5
Notice: this ID appears to be an online ID, decryption is impossible.

I learned the decrypt key is not located on the computer but is stored in the cloud online only. Is there any solution to decrypt the data? Please help and guide me. I sincerely thank you.

jpv...@gmail.com

Sep 3, 2021, 4:17:36 AM
to datarecovery...@googlegroups.com
It's a STOP DJVU variant. It is safe to assume that anyone who can decrypt is either a scam or simply acts as a middleman between you and the people who created the ransomware.

Now, that's an option of course, pay. I have witnessed chats between victim and 'hackers' or middleman that did not end well. Price kept being raised or in the end no solution was offered to decrypt the data. Or was offered but failed.

With regard to the Emsisoft tool: There's no guarantee, but it is possible decryption will be available some time in the future. Emsisoft does not announce these updates.

Recovery options (without decryption/payment)

1. I have seen cases where in deeper nested folders files were not actually encrypted, so check that.

2. The ransomware m.o.: open file > read data > encrypt data > save encrypted data to NEW file > delete original file. That means, depending on circumstances, there's a chance deleted data at least partially survives the onslaught. Circumstances you can consider are HDD or SSD (if the latter, chances are probably close to zero) and free space vs. used space. Using JpegDigger, some people have reported they were sometimes able to recover up to 30% of their original JPEGs, but that's IMO a very optimistic figure (I didn't check their math). This is purely to illustrate that original files potentially survive. You can use a RAW scanner that supports more file types to see if other file types survived too.

3. The ransomware encrypts only 153600 bytes. That means if you have a large video or JPEG, for example, most data 'survives'. File repair aims to make the remaining non-encrypted data viewable/usable/playable. Files tend to start with some kind of 'header'. This header can be stolen from a similar file, for example a video that was shot with the same camera. We then adapt the header for the partially encrypted file, update pointers, etc. Examples: https://youtu.be/3AKJ27sZ9_E and https://youtu.be/bBqo8ePpQ5M.
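Added example, not part of the original posts and not any poster's or vendor's tool: a read-only triage script for items 1 and 3 of the reply above, listing files whose header still looks intact and ranking encrypted files by how much data lies outside the 153600 encrypted bytes. It assumes encrypted files carry the .lqqw suffix and untouched ones do not; the function names, signature table and sample files are constructed for illustration.

```python
import os
import tempfile

ENCRYPTED_LEN = 153600  # bytes encrypted per file (figure from the post)
SUFFIX = ".lqqw"        # extension named in the thread
# A few well-known file signatures; extend for the formats you care about.
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n",
         ".pdf": b"%PDF-", ".zip": b"PK\x03\x04"}

def triage_file(path):
    """Classify one file and estimate how many bytes were left unencrypted."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    size = os.path.getsize(path)
    with open(path, "rb") as fh:  # read-only: work on a disk image or copy
        head = fh.read(16)
    if not path.lower().endswith(SUFFIX):  # item 1: not renamed, check header
        ok = magic is not None and head.startswith(magic)
        status, surviving = ("header-intact", size) if ok else ("needs-review", 0)
    elif size <= ENCRYPTED_LEN:
        status, surviving = "fully-encrypted", 0
    else:  # item 3: candidate for header transplant / file repair
        status, surviving = "partially-encrypted", size - ENCRYPTED_LEN
    pct = round(100 * surviving / size, 1) if size else 0.0
    return {"path": path, "status": status, "surviving": surviving, "pct": pct}

def triage_tree(root):
    """Walk root and return results, largest surviving byte count first."""
    results = [triage_file(os.path.join(d, f))
               for d, _, files in os.walk(root) for f in files]
    return sorted(results, key=lambda r: r["surviving"], reverse=True)

def build_sample(root):
    """Constructed sample data imitating the three cases in the post."""
    deep = os.path.join(root, "a", "b", "c")
    os.makedirs(deep)
    blob = b"\xa5" * ENCRYPTED_LEN  # stand-in for ciphertext, not real output
    for path, data in [
        (os.path.join(root, "video.mp4.lqqw"), blob + b"\0" * 1_000_000),
        (os.path.join(root, "note.pdf.lqqw"), blob[:2000]),
        (os.path.join(deep, "photo.jpg"), b"\xff\xd8\xff\xe0" + b"\0" * 5000),
    ]:
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for r in triage_tree(tmp):
            print(f'{r["status"]:20} {r["pct"]:5}%  {os.path.relpath(r["path"], tmp)}')
```

A matching signature only marks a file as a candidate; confirm by opening a copy, since a few leading bytes say nothing about the rest of the file.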