Stoneland@firemail.cc ransomware virus (Restore, Decrypt encrypted files)

Myantispyware team, June 2, 2019

Security specialists have discovered a new ransomware variant called ‘Stoneland@firemail.cc ransomware’. It appends a new file extension to the names of encrypted files. Here’s everything you need to know about this ransomware, how to remove ‘Stoneland@firemail.cc ransomware’ and how to restore (decrypt) encrypted files for free.

“Stoneland@firemail.cc ransomware” – ransom note

Once installed, the Stoneland@firemail.cc crypto malware begins looking for attached disks and even networked drives containing web application-related files, images, databases, documents, music, archives and videos. It is known to encrypt almost all file types, including files with the following extensions:

.cer, .xx, .dba, .wbc, .cas, .pkpass, .csv, .hvpl, .rwl, .x3f, .zi, .xyp, .xll, .gho, .erf, .txt, .asset, .xlsm, .wgz, .xls, .hkx, .xlsx, .wdp, .dxg, .dbf, .pak, .wpb, .2bp, .srf, .wpl, .wot, .snx, .zabw, .bkp, .desc, .3fr, .bsa, .wp4, .wsd, .avi, .odp, .mdb, .gdb, .kdb, .wbmp, .wpw, .vdf, .yml, .cdr, .arch00, .das, .qdf, .wp, .rim, .wdb, .vcf, .der, .lvl, .map, .mov, .wav, .xwp, .sr2, .m4a, .wn, .rar, .rgss3a, .css, .mrwref, .sav, .wpg, .xdl, .dcr, .ff, .xlgc, .1st, .dmp, .ncf, .sql, .xbplate, .xpm, .ods, .t12, .lbf, .0, .wps, .syncdb, .py, .wp6, .rofl, .ibank, .xmind, .docm, .zw, .p12, .tor, .wpd, .forge, .srw, .ppt, .z3d, .zif, .qic, .p7c, .eps, .rb, .p7b, .sis, .fsh, .icxs, .m2, .webdoc, .indd, .pfx, .wpt, .iwd, .vfs0, .flv, .vtf, .lrf, wallet, .jpg, .zdc, .wps, .wma, .crw, .litemod, .xls, .webp, .pptx, .xlk, .xy3, .zip, .wmf, .wire, .iwi, .bkf, .wmv, .xxx, .t13, .wotreplay, .ws, .upk, .pem, .pst, .jpeg, .ai, .ztmp, .r3d, .slm, .itdb, .7z, .xml, .mdf, .ltx, .kf, .wsh, .odb, .ybk, .3ds, .rw2, .crt, .wsc, .wm, .bar, .sidn, .raf, .re4, .arw, .bc7, .mef, .wp7, .pdf, .x3f, .jpe, .wbz, .wb2, .d3dbsp, .ntl, .wmo, .zdb, .psd, .zip, .mdbackup, .fos, .cfr, .wma, .dwg, .sie, .wbd, .rtf, .accdb, .bc6, .xmmap, .wmd, .x, .raw, .pptm, .vpp_pc, .xlsb, .xld, .png, .bay, .mcmeta, .odt, .itm, .hkdb, .fpk, .apk, .wri, .hplg, .pdd, .layout, .xf, .docx, .1, .sidd, .wcf, .wp5, .mddata, .yal, .odm, .w3x, .ptx, .wbm, .js, .wpd, .nrw, .xyw

Upon successful encryption, it creates a text file named ‘_readme.txt’ in each folder. This file is a ransom note. The ransom note asks for money in the form of bitcoins. The content of the ransom note is below:

ATTENTION!
 
Don't worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-4Orti6OnRT
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
 
 
To get this software you need write on our e-mail:
stoneland@firemail.cc
 
Reserve e-mail address to contact us:
gorentos@bitmessage.ch
 
Our Telegram account:
@datarestore
 
Your personal ID:

 

Threat Summary

Name: Stoneland@firemail.cc
Type: Ransomware, Filecoder, Crypto virus, File locker
Ransom note: _readme.txt
Contact: stoneland@firemail.cc, gorentos@bitmessage.ch, @datarestore (Telegram)
Ransom amount: $490, $980 in Bitcoins
Symptoms:
  • Personal files won’t open
  • Windows Explorer displays a blank icon for the file type
  • Files named ‘_readme.txt’ or ‘_readme’ appear in each folder with at least one encrypted file
  • You have received instructions for paying the ransom
Removal: To remove Stoneland@firemail.cc ransomware, use the removal guide
Decryption: To decrypt Stoneland@firemail.cc ransomware, use the steps
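
A triage sketch for the symptoms listed above, added here as an example (it is not code from Myantispyware or from any tool named on this page): it walks a folder tree, confirms each '_readme.txt' or '_readme' file by the contact addresses quoted in the ransom note, and collects the personal ID that the note carries. The function names, the size limit and the sample ID are assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path

# Indicators copied from the ransom note and Threat Summary on this page.
NOTE_NAMES = {"_readme.txt", "_readme"}
CONTACTS = ("stoneland@firemail.cc", "gorentos@bitmessage.ch", "@datarestore")
MAX_NOTE_BYTES = 64 * 1024  # assumption: a text note is small; skip big look-alikes

def read_note(path):
    """Return (contacts found, personal ID or None) for one candidate note."""
    try:
        if path.stat().st_size > MAX_NOTE_BYTES:
            return [], None
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
    except OSError:
        return [], None
    text = "\n".join(lines).lower()
    found = [c for c in CONTACTS if c in text]
    for i, line in enumerate(lines):
        if line.strip().lower().startswith("your personal id"):
            # The ID follows the label: same line after ':' or next non-empty line.
            rest = [line.partition(":")[2]] + lines[i + 1:]
            return found, next((r.strip() for r in rest if r.strip()), None)
    return found, None

def triage(root):
    """Walk root; report confirmed note folders, personal IDs, and look-alikes."""
    report = {"affected": {}, "ids": set(), "unconfirmed": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in NOTE_NAMES:
                continue
            found, pid = read_note(Path(dirpath) / name)
            if found:
                report["affected"][dirpath] = found
                if pid:
                    report["ids"].add(pid)
            else:
                # Named like the note but without the contacts: review by hand.
                report["unconfirmed"].append(os.path.join(dirpath, name))
    return report

def demo():
    """Build a constructed folder tree (not real victim data) and triage it."""
    note = ("ATTENTION!\nTo get this software you need write on our e-mail:\n"
            "stoneland@firemail.cc\nYour personal ID:\nCONSTRUCTED-ID-0001\n")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("Documents", "Pictures/2019", "Projects"):
            (root / sub).mkdir(parents=True)
        for sub in ("Documents", "Pictures/2019"):
            (root / sub / "_readme.txt").write_text(note, encoding="utf-8")
        # Same file name, unrelated content: must not be counted as a hit.
        (root / "Projects" / "_readme.txt").write_text("Build notes", encoding="utf-8")
        rep = triage(root)
        rel = lambda p: Path(p).relative_to(root).as_posix()
        return (sorted(rel(p) for p in rep["affected"]), sorted(rep["ids"]),
                [rel(p) for p in rep["unconfirmed"]])
```

The list of affected folders gives the scope for the restore steps later in this guide, and the collected personal ID is the value the note asks the victim to quote.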

 

Use the step-by-step guidance below to remove the crypto virus and try to recover (decrypt) encrypted documents, photos and music for free.

Quick links

  1. How to remove Stoneland@firemail.cc ransomware virus
  2. How to decrypt encrypted files
  3. Use STOPDecrypter to decrypt Stoneland@firemail.cc ransomware
  4. How to restore encrypted files
  5. How to protect your computer from Stoneland@firemail.cc ransomware?
  6. Finish words

How to remove Stoneland@firemail.cc ransomware virus

In order to remove Stoneland@firemail.cc ransomware from your computer, you need to stop all crypto virus processes and delete its associated files, including Windows registry entries. If any ransomware components are left on the machine, the ransomware can reinstall itself the next time the computer boots up. Ransomware usually uses a random name consisting of characters and numbers, which makes a manual removal procedure very difficult. We recommend that you run free ransomware removal utilities that can remove Stoneland@firemail.cc crypto malware from your system. Below you can find a few popular malware removers that detect various ransomware.



Automatically remove Stoneland@firemail.cc with Zemana Anti-malware

We recommend using Zemana Anti-malware. You can download and install Zemana Anti-malware to look for and remove Stoneland@firemail.cc ransomware from your computer. When installed and updated, the malicious software remover will automatically scan for and detect all threats that exist on the computer.

Zemana AntiMalware (ZAM) can be downloaded from the following link. Save it on your MS Windows desktop.

Zemana AntiMalware

After downloading is finished, close all apps and windows on your machine. Double-click the install file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as displayed on the image below, click the “Yes” button.

Zemana uac

It will open the “Setup wizard” that will help you set up Zemana on your machine. Follow the prompts and do not make any changes to default settings.

Zemana Setup Wizard

Once the installation has completed successfully, Zemana Free will automatically start and you can see its main screen.

Now click the “Scan” button to detect Stoneland@firemail.cc crypto malware related files, folders and registry keys. This process can take quite a while, so please be patient. While the Zemana Anti-Malware (ZAM) utility is checking, you can see the count of objects it has identified as being infected by malware.

Zemana Free scan for Stoneland@firemail.cc ransomware related files, folders and registry keys

When the scan is complete, the results are displayed in the scan report. Review the report and then click the “Next” button. Zemana Anti-Malware (ZAM) will remove Stoneland@firemail.cc ransomware virus related files, folders and registry keys and move the items to the program’s quarantine. After that process is finished, you may be prompted to reboot the machine.

Remove Stoneland@firemail.cc ransomware with MalwareBytes

We recommend using MalwareBytes Anti-Malware. You may download and install MalwareBytes to detect and remove the Stoneland@firemail.cc virus from your machine. When installed and updated, this free malicious software remover automatically searches for and removes all threats present on the PC system.

  1. MalwareBytes Anti-Malware (MBAM) can be downloaded from the following link. Save it on your Desktop.
    Malwarebytes Anti-malware
  2. At the download page, click on the Download button. Your internet browser will open the “Save as” prompt. Please save it onto your Windows desktop.
  3. When downloading is complete, please close all apps and open windows on your personal computer. Double-click on the icon that’s named mb3-setup.
  4. This will start the “Setup wizard” of MalwareBytes on your computer. Follow the prompts and do not make any changes to default settings.
  5. When the Setup wizard has finished installing, MalwareBytes will launch and display the main window.
  6. Next, press the “Scan Now” button to start scanning your system for the Stoneland@firemail.cc ransomware, other malware, worms and trojans. A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your computer and the speed of your PC. While the MalwareBytes AntiMalware utility is scanning, you can see the count of objects it has identified as being infected by malicious software.
  7. Once that process is finished, MalwareBytes AntiMalware (MBAM) will display a scan report.
  8. Review the report and then click the “Quarantine Selected” button. After the process is done, you may be prompted to reboot the computer.
  9. Close the Anti Malware and continue with the next step.

Scan and clean your computer of crypto malware with KVRT

If MalwareBytes Anti-Malware or Zemana Anti-malware cannot delete this ransomware, then we recommend using KVRT. KVRT is a free removal tool for ransomware, adware, potentially unwanted applications and toolbars.

Download Kaspersky virus removal tool (KVRT) on your PC system from the following link.

Kaspersky virus removal tool

Once the downloading process is finished, double-click on the Kaspersky virus removal tool icon. Once the initialization process is finished, you’ll see the KVRT screen as on the image below.

KVRT main window

Click Change Parameters and check the boxes next to all your drives. Click OK to close the Parameters window. Next, press the Start scan button to begin checking your PC system for the Stoneland@firemail.cc ransomware and other malicious software. A system scan can take anywhere from 5 to 30 minutes, depending on your computer.

Kaspersky virus removal tool scanning

Once the scan is complete, Kaspersky virus removal tool will display the results as shown below.

KVRT scan report

Next, you need to click on Continue to start a cleaning process.

How to decrypt encrypted files

The Stoneland@firemail.cc crypto malware uses a strong encryption method. This means that decrypting the files is impossible without the private key. Brute forcing is also not an option because of the length of the key. Therefore, unfortunately, paying the developers of the Stoneland@firemail.cc crypto malware the entire amount requested is the only method to try to get the decryption key and decrypt all your files.

Should you pay the ransom

If your photos, documents and music have been encrypted by the Stoneland@firemail.cc ransomware, we recommend that you do not pay the ransom. If this malware makes money for its developers, then your payment will only increase attacks against you. Of course, decryption without the private key is not feasible, but that does not mean that the Stoneland@firemail.cc ransomware must seriously disrupt your life.

Files encrypted by ransomware

With some variants of the Stoneland@firemail.cc ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.




Use STOPDecrypter to decrypt Stoneland@firemail.cc ransomware

Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).

STOPDecrypter

STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap). STOPDecrypter will work for any extension of the Djvu* variants including new extensions.

Please check the twitter post for more info.

How to restore encrypted files

In some cases, you can restore files encrypted by Stoneland@firemail.cc ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.




Recover encrypted files with ShadowExplorer

If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.

ShadowExplorer can be downloaded from the following link. Save it on your Windows desktop.

ShadowExplorer

When downloading is done, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown below.

ShadowExplorer folder

Launch the ShadowExplorer tool and then choose the disk (1) and the date (2) of the shadow copy from which you wish to restore the file(s) encrypted by the Stoneland@firemail.cc ransomware virus, as shown on the image below.

ShadowExplorer restore files encrypted by the Stoneland@firemail.cc ransomware

Now navigate to the file or folder that you want to restore. When ready, right-click on it and press the ‘Export’ button as shown on the image below.

ShadowExplorer recover file

Use PhotoRec to restore encrypted files

Before a file is encrypted, the Stoneland@firemail.cc ransomware makes a copy of this file, encrypts the copy, and then deletes the original file. Because the original is deleted rather than encrypted in place, you may be able to recover your documents, photos and music using file restore apps like PhotoRec.

Download PhotoRec on your machine by clicking on the following link.

PhotoRec

Once the download is finished, open the directory in which you saved it. Right-click on testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the figure below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as displayed on the image below.

PhotoRec for windows

Choose a drive to recover as displayed in the following example.

photorec choose drive

You will see a list of available partitions. Select a partition that holds encrypted files like below.

photorec select partition

Click the File Formats button and choose the file types to recover. You can enable or disable the restore of certain file types. When this is finished, click the OK button.

PhotoRec file formats

Next, click Browse button to select where restored photos, documents and music should be written, then press Search.

photorec

The count of recovered files is updated in real time. All recovered documents, photos and music are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.

When the restore is done, click on the Quit button. Next, open the directory where the recovered personal files are stored. You will see contents like those shown in the figure below.

PhotoRec - result of restore

All restored photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can sort your recovered files by extension and/or date/time.

How to protect your computer from Stoneland@firemail.cc ransomware?

Most antivirus apps already have built-in protection against ransomware. Therefore, if your PC does not have an antivirus program, make sure you install one. As extra protection, run HitmanPro.Alert.

Use HitmanPro.Alert to protect your machine from Stoneland@firemail.cc ransomware virus

All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows OS from MS Windows XP to Windows 10.

HitmanPro.Alert can be downloaded from the following link. Save it on your Windows desktop or in any other place.

HitmanPro.Alert

After the downloading process is complete, open the directory in which you saved it. You will see an icon like below.

HitmanPro.Alert file icon

Double click the HitmanPro.Alert desktop icon. After the utility is opened, you will be shown a window where you can select a level of protection, like below.

HitmanPro.Alert install

Now click the Install button to activate the protection.

Finish words

Once you have finished the few simple steps shown above, your PC system should be free from Stoneland@firemail.cc ransomware and other malicious software. Your computer will no longer encrypt your documents, photos and music. Unfortunately, if the guidance does not help you, then you have caught a new ransomware virus, and the best way forward is to ask for help here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
