All Activity

  1. Past hour
  2. My server has been attacked by a new Ransomware last month, June 2019. All files have been decrypted with the file extension .io. I have tried decrypting using all decryption anti-Ransomware tools but was unable to. I am uploading the Readme txt file and 3 files infected/encrypted by Kolet Ransomware. The two emails included in the Readme file for ransom are: 1. [email protected] 2. [email protected] Please help me with an encryption tool available that I may not be aware of to decrypt these files. Thank you!! READ ME PLEASE!.TXT Public Folder Database[[email protected]] Mailbox Database.cmp.[[email protected]] pdi.txt.[[email protected]]
  3. Today
  4. Hi, my PC got infected by ransomware. I have followed the instructions and all files are prepared. However, I don't know how to upload them.
  5. I'll pass this on to the maker of STOPDecrypter, but note that we need to have the MAC addresses of every network adapter on the computer (even if it isn't a normal ethernet adapter). Hopefully the information you provided will be enough to be able to find your decryption key quickly; however, please note that we can't make any promises. That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to: While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean. While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  6. These are the reports in addition that were listed out in the Guidelines. Addition.txt FRST.txt scan_190716-063524.txt
  7. Hi there, I am still suffering from a data loss and yet I'm unable to recover the files that were encrypted by someone, and a decryption is not available for it on the website either. Though, I have a request: can you please help me out to sort out this problem? If yes, then really, thank you very much. This is the extension of the file: ".-7CE0F832-A90E-C81C-6AB3-1FDFBCB25171" And the .txt log is "!!! YOUR FILES ARE ENCRYPTED !!!.txt" Patiently waiting for your kind response. Warm Regards.
  8. Yesterday
  9. Unable to provide 100% security. Unanticipated incidents happen to any device and specialist. Encryptors that have been active for several years are modified many times and made almost invisible to anti-virus protection. I often see many variants of already known ransomware which can be detected by antivirus scanners and recorded in "DETECTION" on VirusTotal under a different name, or can be considered non-harmful until they are launched.
  10. @njr2003 Everything I wrote above applies also to your case. Alas. But until now, no one can release a free decryptor for Phobos Ransomware.
  11. Hello Oli, thank you for your feedback. Please excuse the inconvenience. It is normal for the behaviour analysis to trigger in this case; however, the alert should be handled automatically by Emsisoft Anti-Malware. For the signature of the reported file, an analysis was last carried out on VirusTotal a few hours before you ran the update with WSUS Offline Update, which confirms that under normal conditions with default settings Emsisoft Anti-Malware should not report a detection: If a connection to our servers can be established and the options "Check reputation of programs" and "Automatically allow if reputation is good" are enabled in the Emsisoft Anti-Malware settings, there should be no incident. In this case I can gladly offer to take a closer look at the existing installation of Emsisoft Anti-Malware on your system. Could you please create a log file using our Emsisoft Diagnostic Tool and send it to me in a private message here on the forum or by e-mail to [email protected]? You can download our diagnostic tool from the following link: Instructions can be found on the following page: Please also send the file "logs.db3", which you can find in the installation directory of Emsisoft Anti-Malware on your hard drive. In the meantime, I remain at your disposal for any further questions.
  12. Hi Frank, thanks for all the information. I have now updated some clients to 1903 and I can confirm NO cert issues so far. Good work 🥰 best regards
  13. Same problem here.... more than 26,000 of my documents and photos were renamed with the following extension file: .id[26059009-2275].[[email protected]].Adame
  14. I will be sending files over to them to check and scan this afternoon when home from work. What I feel could be useful is a concise guide of settings and tips that people can apply to their machines to try and ensure they are as safe as can be. This is the first time in over a decade I have had anything happen to the many PCs I have had, never a virus or anything, so it is quite shocking for me. Especially being a sysadmin, I felt my machine was pretty well protected; how wrong I was. 😩
  15. Did you collect the log with the help of their collector? If you are an official user, your files should be decrypted for free. I know that they deciphered several different Scarab variants last year. But then the basic version of the encryptor was updated and the calculation of the key became more complicated. ESET experts will tell you whether it is possible for your files now. Don't forget to tell me when it becomes known. The forums are lined up with a common goal and several common "Visiting Experts". // I have been tracking the malicious activities of these extortionists from the very beginning, when it was not running yet, that is, since Globe and Amnesia. I also use the ID Ransomware service for identifying and cataloging extortionists, for indicating to users the possibility of decrypting, obtaining additional information and collecting malicious programs, and exchanging samples for the development and updating of free decryptors... Well, also my projects in my signature.
  16. bob974
    Okay @jeremy, I understand this view. It didn't seem logical to me, but your explanation allows me to see things differently. Thank you for your well-founded answers. Have a good day, bob
  17. Last week
  18. Yes that was my request... I was unaware the two forums were linked in any way. Is there any chance of these files being decrypted? I have also made a post in the ESET forum as that is my current antivirus provider.
  19. Yes, this is Scarab-Bomber Ransomware or one of its close relatives. I added this variant yesterday as an update and sent a message to the researchers. It seems that this is your request, judging by the similarity of the nickname.
  20. @PERZIVAL We do not have a solution to this problem. For Phobos there are no free file decryptors. Affected users of this variant of Phobos began to appear only from yesterday (here and at the BC forum). I created a description of this version (updates are at the end of the article) in order to attract the attention of specialists and shared a sample of the harmful file of this version with the .Adame extension with the community of decoding experts. They can access it for research. The malicious activity of Phobos Ransomware has been going on for almost 2 years. But until now, no one can release a free decryptor for Phobos Ransomware.
  21. Your screenshot looks ok to me. The forensic log has one entry when a scan completes. For example, one of your scans terminated at 13/07/2019 16:13:52 It does make sense to show previous messages which said "in progress" because when they were issued, they /were/ in progress. The "in progress" message is shown for/at past dates/times, not for the current time. In computing, all logs show things afterwards that were happening at a prior time. No-one ever writes a program so that it issues messages at the time, then afterwards goes back and changes the language to show that it is now a past event. In your case the details display shows when that scan was started: - at 15:59:16 the scan was in progress doing one thing (la zone amorce) - at 15:59:16 the scan was then doing something else (the CSIDL_DRIVER line) - at 15:59:19 ie 3 seconds later it scanned memory - at 15:59:24 it scanned something? "traces?" I can't quite tell BECAUSE THE DISPLAY NEEDS TO BE SCROLLED - if you scroll it down you will find, at the end of the list of detail messages, the one showing that this scan completed at 16:13:52
  22. Hello, I was the victim of an RDP Scarab trojan early this morning that has encrypted all the files on my hard drives and NAS with the ".sfs" file suffix. I have run Malwarebytes and that has cleared up a few files and a few registry changes; a complete scan of NOD32 has also cleaned a few things up. I first noticed the issue when my computer was logged out this morning, as it's never logged out. I had to use a USB boot tool to change my password as it had been changed, and when doing this I noticed a new user account called "localadmin". I changed the password to that and also disabled the account just in case. When I finally managed to log in I noticed that the following pieces of software had been uninstalled: TeamViewer, ESET NOD32, Malwarebytes. Also my firewall had been disabled and the OneDrive client installed; I fixed those issues and then restarted as requested by Malwarebytes. Once logged back in my torrent client auto-started and advised me that essentially every torrent had missing files, so I checked locations and noticed all my media, movies, anime etc. had ".sfs" added to the file names, and that's when I noticed the "HOW TO RECOVER ENCRYPTED FILES.TXT" in one of the folders. The following is what's in the document: " HOW TO RECOVER ENCRYPTED FILES Hello, my friend! All your files have been encrypted. 
>>> Your personal ID: >>> pAQAAAAAAADbUkxqJZSJ70MkDAR=sfPwyazMIn6sCB1ZIj27f1dOspHw8laKO8aZq+EmPio2susIqx5cpt4svG3J59qpWopli7N0 Fm+3r7XbWVLuJaz1lv+G4gihobaJq7eLu3H1+Spfn0UaTXrPfzoqKTTbeerL6NX0KfnT8nypTArenMeopfWNH0xW+TgvBfac1n6C 47h23ft1nSWv+O7PDCUrFo5XIADnyv5hndtNnNVovQbYg43lb3EM4J3ANHpWoZoTbY1E4lCf2uS3hbGcu9MQuCaD06HBsy0BW0RB DFb9cmdiUakKZG5VfmngLBmHoJk3=YYTAW8BtiCWXElItIUmwbct=zB0PlmE6+401ho7xOM507ZOhBIclQvhIbEcMBOPc1Icas7P 7h5ChqaCUaIFfm0=5IGpIdI2RI8uhmiHMYaAziHKAmF5B8CJAPJQqai0FBACcyz4HbKTaRTSj6xmIo8vd957D40Ez136BYcKuIHz mi0KujT4CZnMBr2BTpAPUO4LGAt0PEtcB5q0j+IFQUVGLWmuCSGuEaxow40K425hnM3iERNGcI3b9pXEjN5ye0dup6IC4LCZiCop gA9gPiIUaI8fhW5H6FVPKacQQVIHhq+y7JJPBO4T9u3=EaCC5lCMU1mxY+M+KuFnWDYTa740hAR5sDiJn4UF9k8OI7ErJCEK2ZIw EklKNO8=jEiC7SmYMRqr58cA3Zf7ELG9aSPG2nM0gkNct4shUYFJYhDZG3AzfoVchW5BcIFI=1l75D9Z2PDWssqBQXA7QfkzHirb zDOEo0IkRE3OzCpxn7kBzLoQ6FSw3FE+9OQRoQDMdJFk8fzxAQ If you want to recovery your files, send us e-mail with your personal ID and 1-2 test files (image or text, non archived, total size of files must be less than 10Mb). >>> Contacts: >>> [email protected] [email protected] Use please both e-mail addresses. If your mail server doesn't send e-mail to our contacts, we recommended you to create an e-mail on ( >>> ATTENTION! >>> * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam." I have read a few topics on the forums and lead me to check the ransom id site to confirm I had been infected with Scarab. I have also submitted a ticket with ESET to see if their decryption tool can help out. I also noticed that they created 2 new partitions on my main drive (please see screenshots), with 1 having a winre image contained within. 
So initially I would like to know if there are tools out there to check that I am clean, and what changes I can make to the firewall/registry/etc. to prevent this from happening again and apply them to my other computers.
  23. bob974
    In French "en cours" means "in progress". I'm sorry, but all the old scans are finished and are displayed as in progress, so it doesn't make sense to display "en cours" when it's finished.
  24. July 14 2019, Adame extension, I.D. [30D46A02-2275].[[email protected]].Adame Please help! I really need my files back, it's for my school project T-T
  25. I think you've misunderstood. The entry in the forensic log tells you when the scan completed and what it found. When you click on that to get the detailed info you see a series of messages, of which you've highlighted the initial ones. That detailed list scrolls. Scroll down to the bottom of it and you'll see all the status messages about that scan, including the final one.
  26. After the encryption is complete, you would receive such a note with ransom requirements. I put your ID 86A229C1-2275 in the right field. Other victims got it with their ID.
  27. As I thought, this is the result of Phobos Ransomware attack. OdTec .exe - this may be the file that encrypted your files. I have already investigated several such cases in the last 24 hours.