All Activity

  1. Today
  2. hope there will be keys available for .norvas extension
  3. How do I decrypt my files with .moresa extension? I did some research and found out that .moresa is due to STOP encrypter but I am not sure.
  4. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  5. If you ever find out what actually encrypted the files, then that's what we need to figure out if there's a way to recover files. Once we have that, our malware analysts can pick it apart to figure out how it encrypts files, and try to see if there is anything that would allow for easy decryption. It's possible they were left there in the hopes that a user might accidentally infect their Windows system as well. It's also possible that the attacker wasn't actually aware of what kind of system they had gained access to and simply copied a number of things that they may need while decrypting files, or that they just have a standard toolkit that they copy to compromised systems/devices and just copy everything instead of only what they need.
  6. There is currently no known way to decrypt files that have been encrypted by the Dharma/Cezar ransomware without first obtaining the private key from the criminals who created/distributed the ransomware.
  7. This is GlobeImposter 2.0: https://id-ransomware.malwarehunterteam.com/identify.php?case=75b7f1dad42e21336ac7a051236ae6d39d47ba63 Unfortunately there is no known way to decrypt files that have been encrypted by GlobeImposter 2.0 without first obtaining the private key from the criminals who made/distributed the ransomware. Also, note that the server was more than likely infected when an attacker brute forced an RDP (Remote Desktop) password. I'll leave a few steps below for getting started dealing with RDP compromise. First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit. If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts. Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions). I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. 
KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online. When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
  8. I just heard from one of our malware analysts that this is a new ransomware, and that we're actively looking for a copy of it so that we can analyze it. If you happen to know how your computer became infected, then let us know.
  9. I ran it through ID Ransomware, and I suspect it misidentified it. I've asked our malware analysts for more information.
  10. You're welcome. If you need any help with the instructions, then let me know. If you'd prefer to post your ID and MAC address on BleepingComputer as mentioned in the instructions, then feel free to do so.
  11. I just did some testing, and I wasn't able to get this option to work. I even tried manually adding the compatibility flag to the registry, and that didn't work either. When adding it to the user registry hive Windows would automatically delete it when restarting the computer, and while it wouldn't be deleted when adding it to the system registry hive it also didn't have any effect on Emsisoft Anti-Malware. Unfortunately it doesn't look like there's any way to scale the window down unless you reduce DPI globally. Windows isn't designed to allow DPI scaling on a per-application basis.
  12. Yesterday
  13. Any possibility of debug logs? The option is in advanced settings now, in case you aren't already aware that it's been moved.
  14. Please, do you have any tool for decryption of .promok infected files?
  15. Thanks for all the answers. It did help me forward, though I have not worked on the Linux programs yet. I however succeeded in restoring some files by screening other backups on the post-content after the first 64kB of a file and comparing it with the .nampohyu files. I also succeeded in 'repairing' a database by exchanging the first 64kB with an older, uncorrupted version of the Access file. Note that this is a dirty way to repair, but after that I was able to copy the table content to another clean database, so I was lucky that it works. Anyway, like others I will look forward to a decryption tool (the real solution) in future. If there is any information required for that, I believe we are all happy to give input. What I noticed is that only (the first part of) files with a specific extension had been encrypted. These extensions include: 'pdf', 'jpg', 'doc/docx', 'xls/xlsx' etc.; it however does not include the extensions: 'exe', 'gif', 'html', 'png', etc. Also files smaller than 16 bytes/128 bit (thus extremely small) are not encrypted. This logic is consistent with all that I have observed. Regarding the executable, I was thinking that the exe files have been infected by the attacker (using Samba by copying files) and inside these files, which could be triggered by the user itself, there could be code which created and started a separate process in the Linux environment of the NAS itself (DSM). This could make sense if the attacker is not able to directly create or start a process which can be executed in the DSM.
  16. All my Windows Server 2012 is encrypted, I need help to decrypt it. Thank you
  17. Thanks Frank, your reply was very helpful. Cheers! Raynor
  18. I spoke too soon. I thought that I would just drag the screen around until I could see what I needed to see but now, this screen is so big, there isn't room to drag it around enough. It had been working before now. Would it be too much to take you up on your offer to write instructions to use the Compatibility Administrator tool? I looked it over and some of it sounds so complicated. If you don't mind, I would really appreciate it and this way, I can print out your instructions and then follow them. If it's too much trouble, please don't do it. I hate to be so much trouble to people.
  19. Michael (dev of ID Ransomware) has already received a message from me and a link to this topic and has already tweeted.
  20. Yes, then I will send them there, and thank you very much.
  21. Yes, the anti-virus I have been using was Advanced SystemCare, but my validity had ended two weeks ago. I will be sure to change it, and do please look up a solution about it. Thank you very much.
  22. My server files are encrypted with ransomware and the file extension has been renamed to .eztop: how_to_back_files.html, po611000PODetailsByVendorWithCost.rpx.eztop
  23. Your use case is rare. Most enterprises have multiple groups. To avoid users making changes on Workspace level by error, we decided to jump to the 'new computers' group by default, like in Emsisoft Enterprise Console. Sure. Please note that Emsisoft Cloud Console is a first beta; bugs and missing features exist. We are working hard to improve step by step. With this setting you can instruct Emsisoft Anti-Malware to not scan certain registry settings, as they are commonly used by system administrators. Example: "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system", "DisableTaskMgr" This is by design. A License can be linked to a user OR Workspace. Users cannot delete Workspaces yet. We understand that you now miss certain info related to seat usage, for example. In a near future ECC release we will improve this, like showing the devices that use the same license but have not been connected (yet). I hope this helps.
  24. If this did not happen on the same day, then by the date of the file changes you can determine the days of the attack. Analysis of the date of the attack can help identify the weak link (who was working at the PC?) and properly configure the PC protection for the future. If only you work at the PC, then you need to install a complex anti-virus product (e.g. Internet Security on a 1 month trial) in order to remove the remaining virus files and protect the PC from new attacks. If there is an unnamed anti-virus on your PC and no one disabled it before the attack, then you need to get rid of it as soon as possible. AV protection that cannot protect the user's files from attacks from outside, and even from his own wrong actions and from illegitimate programs, does not have the right to be on this PC.
  25. Hello. It is a pity that such a thing happened. Instructions with your files.txt is a note from Paradise Ransomware. The extension _c3tfsp_{[email protected]}.sambo is added by Paradise Ransomware. UQSNORZLPD-MANUAL.txt is a note from GandCrab 5.2 Ransomware. The extension with 10 characters, .uqsnorzlpd, is added by GandCrab 5.2 Ransomware. Looking at the screenshots I can see that first your files were encrypted by Paradise Ransomware, and then the files were encrypted by GandCrab 5.2 Ransomware.
  26. Hello. It is a pity that such a thing happened. I can look at these files, but I cannot download attachments from your message. Send these two ransom notes to www.sendspace.com and give us the download link. And please replace the two non-informative encrypted ini-files with txt, doc, jpg, png files.
  27. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like one of our experts to review them.