HDD GURU FORUMS
http://forum.hddguru.com/

Media repair tool for MP3 and WAV affected by STOP/DJVU
http://forum.hddguru.com/viewtopic.php?f=7&t=40027

Author:  Arch Stanton [ June 13th, 2020, 21:25 ]
Post subject:  Media repair tool for MP3 and WAV affected by STOP/DJVU

I am working on a small repair tool that allows you to repair MP3 and WAV files that are affected by STOP/DJVU ransomware. To test it I need files encrypted by this ransomware. To repair WAV files the tool requires a reference file: A file recorded with the same device or same software as the victim files.

So, if you have any of those and would like me to repair them, please share them with me. I’ll then try to adjust the tool to repair them and send it to you so you can repair the rest of the files. So, I do not need tons of them; send me, say, 10 + a reference file if possible.

Drop me a PM and the URL where you’ve uploaded them (Google Drive or similar).

"Stop is believed to be the most active ransomware in the world, accounting for more than half of all ransomware infections, according to figures from ID-Ransomware, a free site that helps identify infections. But Emsisoft said that figure is likely to be far higher." - source, https://techcrunch.com/2019/10/18/stop- ... ion-tools/

If time permits I'll keep adding more file types.

Author:  Amarbir[CDR-Labs] [ June 14th, 2020, 0:56 ]
Post subject:  Re: Media repair tool for MP3 and WAV affected by STOP/DJVU

Joep Sir,
I get daily cases of this ransomware. So you have been researching, and I believe you know there are some tools that repair files of a particular type. Can you share that too? Drop me a PM with your email ID and I will keep sending you references of a few file formats. Today itself I have three active cases with me.

Author:  Arch Stanton [ June 16th, 2020, 7:43 ]
Post subject:  Re: Media repair tool for MP3 and WAV affected by STOP/DJVU

Well, 'researching' ...

I discovered by accident that a few JPEGs I had been repairing for a client were actually JPEGs affected by a STOP/DJVU variant (checked and confirmed with https://id-ransomware.malwarehunterteam.com/).

So then the only logical conclusion was that the file was not entirely encrypted, else I would not have been able to make the JPEG data visible. Only a portion of the files is encrypted by variants of STOP/DJVU. It can clearly be seen in the attached picture, where JPEG-Repair strips any file of any data that prevents a JPEG decoder from decoding data.

So the idea is, in general, that for specific file types it may be possible to strip it of corrupt/encrypted data + glue in a valid header + maybe restore some pointers within the header to point to the data that survived encryption.

The larger the file, the smaller the effect of the encryption. Based on what I have seen STOP/DJVU variants encrypt 150 KB or so in digital photos (JPEG, CR2, NEF).

I am by no means a ransomware specialist, and the idea of repair is only even possible on data that wasn't actually encrypted.

Attachments:
2020-01-03 (1).jpg [ 78.89 KiB | Viewed 14681 times ]
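
The "strip the encrypted part and keep what survived" idea from the post above, applied to MP3, as an added example that is not part of the thread and not the poster's tool. It assumes MPEG-1 Layer III audio only; the function names, the `chain` parameter and the sample bytes are constructed for illustration.

```python
import struct

# MPEG-1 Layer III tables (kbit/s and Hz); a 0 entry marks an invalid index.
BITRATES = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 0]
SAMPLE_RATES = [44100, 48000, 32000, 0]

def frame_length(header: bytes) -> int:
    """Frame size in bytes for a valid MPEG-1 Layer III header, else 0."""
    if len(header) < 4:
        return 0
    (word,) = struct.unpack(">I", header[:4])
    # 11-bit sync, version bits 11 (MPEG-1), layer bits 01 (Layer III)
    if word >> 21 != 0x7FF or (word >> 19) & 3 != 3 or (word >> 17) & 3 != 1:
        return 0
    bitrate = BITRATES[(word >> 12) & 0xF]
    rate = SAMPLE_RATES[(word >> 10) & 3]
    if not bitrate or not rate:
        return 0
    return 144 * bitrate * 1000 // rate + ((word >> 9) & 1)  # + padding bit

def find_resync(data: bytes, start: int = 0, chain: int = 4) -> int:
    """Offset of the first header that begins `chain` back-to-back valid frames, or -1."""
    pos = data.find(b"\xff", start)
    while pos != -1:
        cur, ok = pos, 0
        while ok < chain:
            size = frame_length(data[cur:cur + 4])
            if not size:
                break          # a lone sync pattern inside encrypted bytes ends here
            cur, ok = cur + size, ok + 1
        if ok == chain:
            return pos
        pos = data.find(b"\xff", pos + 1)
    return -1

def salvage(data: bytes, chain: int = 4) -> bytes:
    """Drop everything before the first verified frame chain."""
    offset = find_resync(data, 0, chain)
    return b"" if offset == -1 else data[offset:]

def make_sample() -> bytes:
    """Constructed input: undecodable prefix with one false sync, then 6 frames."""
    frame = b"\xff\xfb\x90\x00" + bytes(413)   # 128 kbit/s, 44.1 kHz -> 417 bytes
    junk = b"\x5a" * 1000 + b"\xff\xfb\x90\x00" + b"\x5a" * 100
    return junk + frame * 6
```

Requiring several consecutive frames is what keeps a sync-like byte pattern inside the encrypted region from being mistaken for audio; any ID3 tag and the audio that sat in the encrypted span are not recovered by this.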

Author:  Arch Stanton [ June 21st, 2020, 11:16 ]
Post subject:  Re: Media repair tool for MP3 and WAV affected by STOP/DJVU

Working on adding video: https://youtu.be/_2ZMRvbnOk4

Author:  Amarbir[CDR-Labs] [ June 21st, 2020, 15:40 ]
Post subject:  Re: Media repair tool for MP3 and WAV affected by STOP/DJVU

Wow,
Keep The Development Alive

Author:  Arch Stanton [ June 23rd, 2020, 16:11 ]
Post subject:  Re: Media repair tool for MP3 and WAV affected by STOP/DJVU

K. Got something. https://youtu.be/3AKJ27sZ9_E

All times are UTC - 5 hours [ DST ]