Warning, aggressive malware on Windows 11 active!
UPDATE! Click HERE for the most appre ... sorry, comprehensive and accurate info on the ransomware I could find!
Other related updates are at the bottom of this article.
This is not a drill!
I've just barely, and not entirely successfully, been able to prevent my Windows 11 box from being encrypted and ransomed! I was lucky I was paying attention and saw a window pop up and vanish within a tenth of a second, which made me suspicious.
Wait for a second, what's going on?
Next, I noticed my Defender icon came up with an exclamation mark. In my notifications (which didn't pop up as they should have) was the customary notice that Windows Defender had been disabled. I immediately went into my task hacker (Task Manager on steroids, but Task Manager would've done nicely as well) and started ending active tasks I didn't recognize. Most were named with numbers only.
Had to be quick though!
As soon as I ended one task, another activated, but the task manager I used automatically shows the task chain (which task started which task, so to speak), so I could identify the task that started it all, which was an inactive background task, and end that. This gave me the chance to catch up and eventually end all the suspect tasks. The next thing I did was shut down the system. Of course, Windows Update couldn't care less about what was going on and happily started to update (telling me, of course, not to turn off the power).
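The "find the task that started it all, then end it" step above, as a script. This is an added example written for this page, not the author's or any tool's code: it walks the parent chain of a suspicious process up to the process that spawned the whole tree, then stops that root and every descendant, root first, so nothing is left to respawn the children. Assumptions: the numeric-only `.exe` name filter is taken from the post and is only a starting point; the trusted-parent list is a guess at where the upward walk should stop; `1234` is a placeholder PID. Run it from an elevated PowerShell prompt.

```powershell
# Added example (editor's code, not from the post or any tool). Stops a whole process
# tree root first, the way a "terminate tree" action does, with a dry-run option.
# Assumption: processes started by these parents are treated as the top of the tree.
$TrustedParents = @('explorer.exe', 'services.exe', 'svchost.exe', 'wininit.exe', 'System')

function Get-ProcessSnapshot {
    # One consistent snapshot keyed by PID. CreationDate is kept so that a recycled
    # PID (a "parent" that is younger than its child) is not mistaken for a parent.
    $snap = @{}
    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { $snap[[int]$_.ProcessId] = $_ }
    return $snap
}

function Find-TreeRoot {
    param([hashtable]$Snapshot, [int]$StartPid)
    $current = $Snapshot[$StartPid]
    if (-not $current) { throw "PID $StartPid is not running" }
    while ($true) {
        $parent = $Snapshot[[int]$current.ParentProcessId]
        if (-not $parent) { break }                                   # parent already exited
        if ($TrustedParents -contains $parent.Name) { break }         # launched from shell / service manager
        if ($parent.CreationDate -gt $current.CreationDate) { break } # PID reused: not the real parent
        $current = $parent
    }
    return $current
}

function Get-TreePids {
    param([hashtable]$Snapshot, [int]$RootPid)
    # Breadth-first walk over ParentProcessId; the returned order is root first.
    $order = [System.Collections.Generic.List[int]]::new()
    $queue = [System.Collections.Generic.Queue[int]]::new()
    $queue.Enqueue($RootPid)
    while ($queue.Count -gt 0) {
        $p = $queue.Dequeue()
        $order.Add($p)
        $children = $Snapshot.Values | Where-Object {
            [int]$_.ParentProcessId -eq $p -and [int]$_.ProcessId -ne $p -and
            $_.CreationDate -ge $Snapshot[$p].CreationDate   # skip children of a recycled PID
        }
        foreach ($c in $children) { $queue.Enqueue([int]$c.ProcessId) }
    }
    return $order
}

function Stop-ProcessTree {
    param([int]$SuspectPid, [switch]$DryRun)
    $snap  = Get-ProcessSnapshot
    $root  = Find-TreeRoot -Snapshot $snap -StartPid $SuspectPid
    $order = Get-TreePids -Snapshot $snap -RootPid ([int]$root.ProcessId)
    foreach ($p in $order) {
        $proc = $snap[$p]
        Write-Host ('{0,6}  {1,-24} {2}' -f $p, $proc.Name, $proc.ExecutablePath)
        if (-not $DryRun) { Stop-Process -Id $p -Force -ErrorAction SilentlyContinue }
    }
    return $order
}

# 1. List candidates. The post mentions processes named with numbers only (assumed filter).
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -match '^\d+\.exe$' } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine

# 2. Dry-run the tree for one of them, then stop it for real. 1234 is a placeholder PID.
# Stop-ProcessTree -SuspectPid 1234 -DryRun
# Stop-ProcessTree -SuspectPid 1234
```

Always take the dry run first: the PID-reuse checks reduce the risk, but a snapshot is a snapshot, and the list it prints is what you are about to kill. Stopping the root before its children is the point; stopping leaves one at a time is exactly the whack-a-mole the post describes.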
Nailbiting!
The wait for the update to finish and the machine to shut down was agonizing. I was pretty confident I'd shut down all the processes and running tasks related to (what I later identified as) the ransomware encryption process. But I wasn't completely sure, which meant that if I had goofed up, the malware was now encrypting my drives without interference instead of Windows updating some stupid stuff.
My fortune fell to my side for once, though I didn't know that at the time.
Next course of action.
The next thing I did was dig up the USB stick with the Windows 11 install image on it and boot from that. Then I went into Repair and so on to try a restore point. I knew I had one barely a week old (can't remember why I made it, but I'm glad I did), and I had the setup application restore the computer to that point in time.
(CLICK HERE FOR INSTRUCTIONS ON HOW TO RESTORE IN W11)
Before doing the actual restore I ran the check to see which apps would be affected and decided I could live with that. Only 4 apps I had uninstalled would return and only 2 apps I had installed would disappear. Not too big of a problem. So I went on with the restoration, waited, and nervously anticipated the reboot.
After the reboot, I immediately installed the Malwarebytes Premium 14-day trial and had it scan my computer thoroughly. Unfortunately, whatever file the malware was in was removed by the restore operation, so I cannot say which it was. I know that Windows Defender was up and running when it happened and obviously failed to protect me.
Looking deeper into my drives and apps, though, I noticed I wasn't quite fast enough and some damage had been done. Steam's main folder was devoid of executables, and anything resembling configuration files or other files with possibly interesting information was gone. In the folder I found a txt file called _readme.txt, and its content confirmed what I'd suspected from the start: ransomware!
The _readme.txt content:
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-qqj8MrDVtG
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
support@sysmail.ch
Reserve e-mail address to contact us:
helprestoremanager@airmail.cc
Your personal ID:
[AT THIS LOCATION WAS A LONG STRING OF NUMBERS AND UPPER- AND LOWERCASE LETTERS THAT IDENTIFIES YOU TO THEM PESKY LAMERS, oops, I meant HACKERS, SO I REPLACED IT WITH THIS TEXT]
Only 4 folders were affected.
I was damned lucky I could act as quickly as I did, limiting the damage to only 4 folders. Steam (reinstall, copy the exes to the old location, and Steam was back with the library intact), write monkey, and some other apps seem to have been affected.
Still investigating! But here's the summary so far:
I found out that this ransomware has been identified. It is called STOP/Djvu! It's a new variant of an older family, but it's got some nasty mutations: when the encryption happens while the machine has an online connection, the encryption key is unique and, currently, undecipherable in any way. It also manages to fool Windows Defender.
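For the ransom note quoted above and the online-key point just made, here is an added triage script, written for this page and not taken from the post or any vendor: it locates every `_readme.txt` on a drive, pulls the contact addresses and the personal ID out of each note, and lists the folder together with a histogram of the file extensions sitting next to the note, so the encrypted files (which carry an extra extension the post does not name) stand out. The `t1` check is Emsisoft's published rule of thumb for STOP/Djvu: a personal ID ending in `t1` was made with an offline key, for which a free decryptor may exist; any other ID means an online, per-victim key, which is the unrecoverable case the post describes. The sample note at the bottom is constructed from the text above with a made-up ID.

```powershell
# Added example (editor's code, not from the post or any vendor). Finds STOP/Djvu-style
# _readme.txt notes, extracts contacts and the personal ID, and flags offline vs online key.

function Parse-RansomNote {
    param([string]$Text)
    # Every e-mail address in the note (primary and "reserve" contact).
    $emails = [regex]::Matches($Text, '[\w.+-]+@[\w-]+(\.[\w-]+)+') |
        ForEach-Object { $_.Value } | Select-Object -Unique
    # The ID follows "Your personal ID:" on the next line.
    $id = $null
    if ($Text -match 'Your personal ID:\s*([A-Za-z0-9]+)') { $id = $Matches[1] }
    # Emsisoft's rule of thumb: an ID ending in "t1" was generated with an offline key.
    $keyType = 'unknown'
    if ($id) {
        if ($id.EndsWith('t1')) { $keyType = 'offline key (a free decryptor may work)' }
        else                    { $keyType = 'online key (not decryptable without the attackers)' }
    }
    [pscustomobject]@{
        Emails     = @($emails)
        PersonalId = $id
        KeyType    = $keyType
    }
}

function Find-RansomNotes {
    param([string]$Root = 'C:\', [string]$NoteName = '_readme.txt')
    Get-ChildItem -Path $Root -Filter $NoteName -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $note   = $_
            $parsed = Parse-RansomNote -Text (Get-Content -Path $note.FullName -Raw)
            # Extension histogram of the note's neighbours. The ransomware appends its own
            # extension (assumption: not named in the post), so the odd one out, or the
            # absence of .exe/.dll where they belong, is what to look at.
            $exts = Get-ChildItem -Path $note.DirectoryName -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -ne $NoteName } |
                Group-Object -Property Extension | Sort-Object -Property Count -Descending |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }
            [pscustomobject]@{
                Folder     = $note.DirectoryName
                Emails     = ($parsed.Emails -join ', ')
                PersonalId = $parsed.PersonalId
                KeyType    = $parsed.KeyType
                Extensions = ($exts -join ' ')
            }
        }
}

# Constructed sample: the note quoted in this post, shortened, with a made-up personal ID.
$SampleNote = @'
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
Price of private key and decrypt software is $980.
To get this software you need write on our e-mail:
support@sysmail.ch
Reserve e-mail address to contact us:
helprestoremanager@airmail.cc
Your personal ID:
0123456789ABCDEFghijklmnopqrstuvwxyz0123t1
'@
Parse-RansomNote -Text $SampleNote

# Real run (slow on a big drive):
# Find-RansomNotes -Root 'C:\' | Format-Table -AutoSize
```

The folder list is the same "only N folders were affected" count the post arrives at by browsing, but done before anything is reinstalled, and the key type tells you up front whether a free decryptor is even worth trying. Keep a copy of one encrypted file and the note regardless: if an offline key for that variant is published later, that pair is what the decryptor needs.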
Anyway, I just wanted you all to have this warning, so you can take your own measures to prevent all your files from becoming encrypted and you basically getting f%#$d by this new variant (2 days old).
UPDATE 2: I was less fortunate than I thought. It seems many files were encrypted and are unrecoverable. So, excuse me while I go cry and feel sorry for myself a couple of hours.
Stay safe and stay happy!
Whoa, I like this; it sounds like it gives me a nervous feeling, like where I am, well, if you are on the field of battle. Also it's nice to have it like this if you are affected in the area. Thanks for giving ideas, my friend, I hope it will help a lot.