All Activity


  1. Today
  2. Not a real-life test? We weren't just trying to avoid ransomware, but also what we'd do if fire or whatever wiped out the building. Do you think we should have burned down our primary data-centre first? What more could we do to make it more real? We did these tests to prove that we could: reconfigure the base hardware as needed, IPL a specially-built minimal OS, use it to restore initial ancillary system disk images (onto new disk drives - maybe in trucks in the car-park?) needed for a larger system, and as more and more of a restored system grew, the processes rolled outwards to the teams responsible for application data & backups, database support & eventually programming teams in each business area. Likewise the operational depts needed to restore a schedule and start to run production work. Outside IT, the business as a whole had to have a realistic appreciation of what the delays would be before each part of the business's critical services could be restored. Back-of-an-envelope guesswork wasn't acceptable. They had to know, and for that we had to test and prove how long each stage would take. In occasional tests (when eg there'd been significant service applied to the OS, or a new version of a critical piece of software) and in any case at least twice a year, the initial part of this test was done - which 'only' required exclusive use of one machine room overnight. (That still required migration of normal workload and data away from that room beforehand, and migration back afterwards - itself a process that took a few days to achieve). Migration of whole machine-rooms-worth of data used the exact same processes as data backup & recovery normally did, so we knew that worked. Large parts of the overall process - eg swapping workloads between particular machine rooms - were done anyway every so often so that we didn't always run production from the same hall and dev/test elsewhere. 
It was also done once per year per machine room so that rooms could be isolated for power-system safety tests (and note also that we occasionally ran the whole building on generators for a few days just to prove that that capability still worked properly.) Hall swaps proved there'd been no oversight and that we no longer had necessary duplication, and the processes before, during and after each test meant that there were lots of staff in each area who understood their area's role in the whole scheme. Each machine hall had enough kit in it to run the whole business (that is, non-business-critical workload like giving the programmers a machine to develop & test code would be sacrificed in the short-term in a disaster). Big, all-weekend tests involved many staff. We still needed the ops, on-call etc staff to support the live systems throughout that period. You might want to ponder what sort of costs a company incurs when they set out to have not just one machine hall/building to run their business from, but more than twice that. (More because although we 'only' had duplicates of all the business-critical stuff, we also had tertiary copies of some things, eg a third robot tape silo in a vault under another building - that was planned before that building was built.) We also - despite being high-profile business rivals with another local company - had more of our kit in one of their machine rooms and they had some of theirs in a fenced-off section of our biggest one. When tech developed to the point where it was possible to sync disk I/O across sites miles apart, we sometimes ran our production service out of their machine room. Nothing about this was cheap. It was designed, built and regularly tested by people who were not idiots. Your "not real life" comment reminds me of the common view that Y2K was a damp squib because nothing went wrong. For us, Y2K planning took a bit under two years. It was the single biggest project worked on in that period. 
By the time the actual date change rolled around, we'd run simulations of "the moment" many times and we had test systems running test versions of our whole workload for weeks at a time, pretending to be at other significant date points - eg end of business year sometime in 2000, end of tax year, end of the following year's significant dates (as they'd be running year-end processes that harked back across the date change). We were as sure as we could be that everything would be ok. Even so, many staff (mostly the senior, on-call, most experienced ones - I suppose the same sort of mix of people as for the major disaster recovery tests - maybe a hundred of us in all ?) were at work when the moment happened, just in case. I am certain that companies similar to us adopted similar approaches.
  3. Again interesting, but didn't sound like a real life test. Best solution for Ransomware is to never let it get near your system. Hard, but not impossible by any means.
  4. Hi, my computer server was infected by Hermes 2.1 and all my files on the hard drive are already encrypted. What should I do? I already tried a few guides from the internet but they still haven't solved the problem.
  5. The ID has a t1 so why won't the encryptor work?
  6. Using Win7 Home Premium. On December 2 2019 5:00PM. Attempted to download ImgBurn, looking for open source software to rip an old DVD home movie into an mp4. Had been using MagicISO to convert audio CD files into mp3's and this seemed a natural progression. As soon as "I decline" on one of the installation options was clicked, the taskbar icon became a weird little 'pixel phone'. No download status and all these strange HUDs appeared in Italian. Killed those apps in taskbar but that was too late. Almost every file in documents, downloads and desktop has a .hets extension now. Cannot be accessed. I am hit with a HETS ransomware attack. Thankfully, the public and shared folder files remained untouched. Have spent all night and day seeking to use Vipre and Malwarebytes to combat the browser hijack popups and unauthorized installations. The PC seems stable now. I'm to blame for no backup and malware protection for over 10 days but Shadow Explorer salvaged C: drive files from the 22nd and 30th November. I can take losing a few days work. The biggest loss is the thumbdrive files which were not backed up. Is there any way to retrieve them? Performed a command prompt attrib -s -h /s /d *.* but that changed nothing. I also applied Rescueit to a few HETS txt files but when opened they only displayed oriental characters, not English text. Pictures will not display. What am I doing wrong (other than not backing up and installing dodgy software) and what can I do to retrieve these thumbdrive files? Talked to the folks at Paretologic Data Protection Pro which every ransomware page insists will do the job. But they say: "No, unfortunately reports online we can be of assistance with these troubles are False and Unaffiliated with ParetoLogic. As well, we have seen no indication that Data Recovery programs will be of assistance in these matters unfortunately. 
These claims are based on the original versions of the Ransomware viruses, which created a copy of the files, encrypted the copy and deleted the original; deleting the original means it was able to be recovered depending on how the virus was removed. Unfortunately, new iterations of these viruses do not seem to function in these ways." So is this true? Is this the latest data retrieval Holy Grail? Can ransomed files be rescued? Has anyone ever done it and how? Do you know someone who knows someone or is this just another sad love song? I do seem to have an offline ID that ends in t1. Thanks for any input.
  7. I was infected with the Stop Djvu virus in October. I urgently need to recover my files. The file extension is .meka. My readme is: ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-h159DSA7cz Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0178Asd374y5iuhldINtCaq4YE5F6LInFlMEanpjWnkNumE82ffZAPS8O
  8. I used to work for a large enterprise. We did test recovery (of the whole system, from a bare machine upwards) in a machine hall that - for the duration of the test - had no production workload in it. These tests usually ran from late Friday through late Sunday and started with the assumption that emergency services wouldn't allow any of the professional IT people into the machine room. So instructions were written for, and tested by, non-IT people - so that eg a fireman might be able to do the initial actions which actually had to be done physically rather than electronically/remotely. It was, of course, expensive to plan, build and test these recovery systems. We also hosted disaster recovery tests at our site for subsidiary companies in the group.
  9. Please upload the files here and post the result. https://id-ransomware.malwarehunterteam.com
  10. My files were encrypted please help to recover.
  11. I tried to pay the ransom but didn't make it to the finish; first they answered and gave the instructions, and after that they didn't answer. About Fast Data Recovery, I think if they paid the ransom the key would work the first time, and wouldn't take 6 days. Anyway, my only chance to recover the files was this company. From my point of view the company did what they said they would do. I think it is better to pay a company that gives a bill and has someone who can answer the phone.
  12. In May of this year there was already a case with the same Rapid variant. --- You can create a decryption request at DrWeb and provide Rapid-encrypted files and the ransom note file How Recovery Files.txt. http://legal.drweb.com/encoder/?lng=en http://legal.drweb.ru/encoder/?lng=ru For a test-decryption request, you do not need to make an advance payment. It's free. But in practice there is no hope of decrypting files after double encryption, and after Phobos in particular.
  13. First, your files were encrypted by Phobos Ransomware and received the extension .id[48DD8B75-2415].[[email protected]].Caley Then your files were encrypted by Rapid Ransomware and got the extension .no_more_ransom
  14. Creating a decryption request at DrWeb and providing encrypted files and a ransom note file is easy for everyone to do. http://legal.drweb.com/encoder/?lng=en http://legal.drweb.ru/encoder/?lng=ru For a test-decryption request, you do not need to make an advance payment. It's free. I am very busy with work, therefore I will not do it in your place. 😃
  15. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you will be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  16. That company isn't entirely honest with you. What they do is pay the ransom for you, and then lie to you. There's more information here.
  17. Yeah, that is rather fun. Especially when the guy who made the image ran off before completing it, and never returned...
  18. As far as I know they can't decrypt newer variants of STOP/Djvu when the files have online ID's, however @Amigo-A may know more.
  19. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you will be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  20. Most ransomware will use methods of erasing or overwriting files that don't allow them to be recovered. You can try file recovery software (I'd recommend something free such as Recuva or one of the others from this list), however I wouldn't expect the odds of this working to be very high. After all, if this were possible in most cases, the criminals would be pretty upset about people getting their files back and would quickly fix it.
  21. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  22. I recommend keeping an eye on BleepingComputer's news feed, as if there are any major developments with this ransomware (such as decryption keys being released) they will almost certainly report on it: https://www.bleepingcomputer.com/
  23. I took a look at one of the files you uploaded to ID Ransomware: Beznazwy-12.pdf.id[48DD8B75-2415].[[email protected]].Caley.no_more_ransom How Recovery Files.txt The extension .no_more_ransom and the ransom note appear to be from the Rapid ransomware, however the rest of the changes to the file name look like Phobos. It looks like your files were encrypted by more than one ransomware. It's not possible to decrypt files that have been encrypted by this version of Rapid, and as far as I am aware there's still no way to decrypt files that were encrypted by Phobos.
  24. The only instance I could think of where Silent Mode might potentially activate for more than one user is on a terminal server. In a situation where every user is on a different physical workstation, the only way for Silent Mode to be toggled on for multiple users would be for someone to manually toggle it on in a policy for those workstations in Emsisoft Cloud Console (via my.emsisoft.com). Manually turning Silent Mode on, and then back off, should clear the issue and allow updates to be installed. If you have the workstations connected to Emsisoft Cloud Console (ECC), then edit the policy for the workstations, scroll down to the Advanced section, and the toggle for Silent Mode should be the first setting in that section. Workstations that are turned on should sync with ECC right away. This usually only takes a few seconds, however that can depend on the Internet connection.
  25. OK. I've forwarded your logs to QA. Please note that it could take some time for them to review your logs with our development team.