
  1. Today
  2. Why has it worked all of these years and then stopped when the update was applied on the date I posted the original message? I'm not having any problems with anything else. It's just this program after it updated. I guess I'm stuck with it until my subscription expires unless I uninstall it and use another program. This program has never given me any problems until this started, which was April 8th. Would I lose too much security if I went back to the version I was using before April 8 and disabled application updates?
  3. My pc is infected by .moresa extension. I think it is due to STOP encrypter. Are there any ways I can decrypt my files?
  4. @GT500 Would using Scheduled Tasks to run something to REG ADD the relevant flags as soon as the system is booted, or maybe as the user logs on work? I suppose it depends when the EAM GUI code actually starts to execute?
  5. Hi GT500, this has been identified as WDM (DCRTR-WDM) ransomware on a different forum (BleepingComputer). Below is the post I made there about my situation. As stated in the post, I have both suspicious files from one of my infected computers, password-zipped, if needed for analysis.

     This affected 3 of my PCs: my CCTV computer, my main PC and my handheld GPD. It sort of sums up my year: lost my mum / my dog / partner in a car crash which wrote off the car, and now this, and we are only 4 months in. I already scan-cleaned and removed this from one computer and my handheld before reading to leave it in quarantine, so I managed to save the files in quarantine on the last computer.

     One of these seems to be the culprit file: c:\users\user\appdata\local\temp\plugins\setup.exe or c:\users\user\appdata\roaming\host process for windows services\svchost.exe. I have both password-zipped in case they are needed. All my encrypted files have had the extension .colorit added. The following link has several encrypted files, the ransom note and the HTA file; all of these are from the computer I still have the virus file from: www.sendspace.com/file/d11739 (password is screwthehackers). Thanks in advance for any help/support.
  6. Hope there will be keys available for the .norvas extension.
  7. How do I decrypt my files with .moresa extension? I did some research and found out that .moresa is due to STOP encrypter but I am not sure.
  8. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  9. If you ever find out what actually encrypted the files, then that's what we need to figure out if there's a way to recover files. Once we have that, our malware analysts can pick it apart to figure out how it encrypts files, and try to see if there is anything that would allow for easy decryption. It's possible they were left there in the hopes that a user might accidentally infect their Windows system as well. It's also possible that the attacker wasn't actually aware of what kind of system they had gained access to and simply copied a number of things that they may need while decrypting files, or that they just have a standard toolkit that they copy to compromised systems/devices and just copy everything instead of only what they need.
  10. There is currently no known way to decrypt files that have been encrypted by the Dharma/Cezar ransomware without first obtaining the private key from the criminals who created/distributed the ransomware.
  11. This is GlobeImposter 2.0: https://id-ransomware.malwarehunterteam.com/identify.php?case=75b7f1dad42e21336ac7a051236ae6d39d47ba63

      Unfortunately there is no known way to decrypt files that have been encrypted by GlobeImposter 2.0 without first obtaining the private key from the criminals who made/distributed the ransomware. Also, note that the server was more than likely infected when an attacker brute-forced an RDP (Remote Desktop) password. I'll leave a few steps below for getting started dealing with RDP compromise.

      First, I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

      If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

      Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions). I recommend that every account have a different password, that passwords be no shorter than 25 characters, and that they be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords.

      KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

      When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc.) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
  12. I just heard from one of our malware analysts that this is a new ransomware, and that we're actively looking for a copy of it so that we can analyze it. If you happen to know how your computer became infected, then let us know.
  13. I ran it through ID Ransomware, and I suspect it misidentified it. I've asked our malware analysts for more information.
  14. You're welcome. If you need any help with the instructions, then let me know. If you'd prefer to post your ID and MAC address on BleepingComputer as mentioned in the instructions, then feel free to do so.
  15. I just did some testing, and I wasn't able to get this option to work. I even tried manually adding the compatibility flag to the registry, and that didn't work either. When adding it to the user registry hive Windows would automatically delete it when restarting the computer, and while it wouldn't be deleted when adding it to the system registry hive it also didn't have any effect on Emsisoft Anti-Malware. Unfortunately it doesn't look like there's any way to scale the window down unless you reduce DPI globally. Windows isn't designed to allow DPI scaling on a per-application basis.
  16. Yesterday
  17. Any possibility of debug logs? The option is in advanced settings now, in case you aren't already aware that it's been moved.
  18. Please, do you have any tool for decryption of .Promok infected files?
  19. Thanks for all the answers. They did help me forward, though I have not worked on the Linux programs yet. I did, however, succeed in restoring some files by screening other backups on the content after the first 64kB of a file and comparing it with the .nampohyu files. I also succeeded in 'repairing' a database by exchanging the first 64kB with an older, uncorrupted version of the Access file. Note that this is a dirty way to repair, but after that I was able to copy the table content to another clean database, so I was lucky that it worked. Anyway, like others I will look forward to a decryption tool (the real solution) in the future. If any information is required for that, I believe we are all happy to give input.

      What I noticed is that only (the first part of) files with a specific extension had been encrypted. These extensions include 'pdf', 'jpg', 'doc/docx', 'xls/xlsx', etc.; they do not, however, include the extensions 'exe', 'gif', 'html', 'png', etc. Also, files smaller than 16 bytes/128 bits (thus extremely small) are not encrypted. This logic is consistent with everything I have observed.

      Regarding the executable, I was thinking that the exe files had been infected by the attacker (using Samba to copy files), and inside these files, which could be triggered by the user, there could be code which created and started a separate process in the Linux environment of the NAS itself (DSM). This could make sense if the attacker is not able to directly create or start a process which can be executed in DSM.
  20. All my Windows Server 2012 is encrypted. I need help to decrypt it. Thank you.
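The repair the poster above describes (screen backups by comparing everything after the first 64kB, then splice the intact head from an older copy onto the encrypted file) is easy to get wrong by hand, so here is an added example of the same procedure as a script. This is not code from the original post or from Emsisoft; the 64 KiB head size, the 16-byte minimum, the extension list and the sample file contents are taken from the poster's observations or constructed here, and are assumptions, not verified facts about the ransomware.

```python
"""Splice-repair for files where only the first HEAD_SIZE bytes were overwritten.

Added example, not from the original post or from Emsisoft. Assumes, as the
poster observed, that only the first 64 KiB of each targeted file is encrypted
and the rest is left intact; all constants and sample data below are assumptions
or constructed for illustration.
"""
import os
import tempfile

HEAD_SIZE = 64 * 1024      # assumption from the post: only the first 64 KiB is overwritten
MIN_SIZE = 16              # assumption from the post: files of 16 bytes or less were skipped
TARGET_EXTS = {".pdf", ".jpg", ".doc", ".docx", ".xls", ".xlsx"}  # partial list from the post
ENC_EXT = ".nampohyu"      # extension the ransomware appends (from the thread)


def is_candidate(path):
    """Mirror the targeting logic the poster observed: a targeted extension on the
    pre-encryption name, and a file larger than MIN_SIZE bytes."""
    name = path[:-len(ENC_EXT)] if path.endswith(ENC_EXT) else path
    ext = os.path.splitext(name)[1].lower()
    return ext in TARGET_EXTS and os.path.getsize(path) > MIN_SIZE


def tail_matches(encrypted_path, backup_path, head_size=HEAD_SIZE, chunk=1 << 20):
    """True if both files are byte-identical after head_size. This is the
    'screening' step: a backup whose tail matches is the same version of the file,
    so its head can be trusted as the original head."""
    with open(encrypted_path, "rb") as enc, open(backup_path, "rb") as bak:
        enc.seek(head_size)
        bak.seek(head_size)
        while True:
            a, b = enc.read(chunk), bak.read(chunk)
            if a != b:
                return False
            if not a:          # both streams ended at the same offset
                return True


def splice_head(encrypted_path, backup_path, out_path, head_size=HEAD_SIZE, chunk=1 << 20):
    """Write out_path = backup[:head_size] + encrypted[head_size:].

    Deliberately does not require the tails to match: in the poster's database
    case the encrypted copy was newer than the backup, so the intact tail of the
    encrypted file is kept and only the head is taken from the older version.
    The result must then be validated by the application (e.g. opening the
    database and exporting its tables), exactly as the poster did."""
    with open(backup_path, "rb") as bak, open(encrypted_path, "rb") as enc, \
            open(out_path, "wb") as out:
        out.write(bak.read(head_size))
        enc.seek(head_size)
        for block in iter(lambda: enc.read(chunk), b""):
            out.write(block)
    return out_path


def demo():
    """Constructed sample: a 200 KiB 'document', an exact backup, an older
    (shorter) backup, and an encrypted copy whose first 64 KiB was overwritten.
    Returns the checks a caller would make before trusting the repair."""
    original = bytes(range(256)) * 800          # 200 KiB of deterministic content
    garbage = b"\xff" * HEAD_SIZE                # stands in for the encrypted head
    with tempfile.TemporaryDirectory() as d:
        backup = os.path.join(d, "report.docx")
        stale = os.path.join(d, "report.old.docx")
        encrypted = os.path.join(d, "report.docx" + ENC_EXT)
        repaired = os.path.join(d, "report.repaired.docx")
        with open(backup, "wb") as f:
            f.write(original)
        with open(stale, "wb") as f:
            f.write(original[:-1024])            # older version: same head, 1 KiB shorter
        with open(encrypted, "wb") as f:
            f.write(garbage + original[HEAD_SIZE:])
        matched = tail_matches(encrypted, backup)
        stale_matched = tail_matches(encrypted, stale)
        splice_head(encrypted, backup, repaired)
        with open(repaired, "rb") as f:
            restored = f.read() == original
        return {
            "candidate": is_candidate(encrypted),
            "tail_matches": matched,
            "stale_tail_matches": stale_matched,
            "restored": restored,
        }


if __name__ == "__main__":
    print(demo())
```

Run the screening step against every backup generation you have before splicing: a backup whose tail matches is the one to use, and a splice from a backup whose tail does not match (the older database in the post) is a best-effort repair that has to be validated by opening the result in the application.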
  21. Thanks Frank, your reply was very helpful. Cheers! Raynor
  22. I spoke too soon. I thought that I would just drag the screen around until I could see what I needed to see but now, this screen is so big, there isn't room to drag it around enough. It had been working before now. Would it be too much to take you up on your offer to write instructions to use the Compatibility Administrator tool? I looked it over and some of it sounds so complicated. If you don't mind, I would really appreciate it and this way, I can print out your instructions and then follow them. If it's too much trouble, please don't do it. I hate to be so much trouble to people.
  23. Michael (dev of ID Ransomware) has already received a message from me and a link to this topic and has already tweeted.
  24. Yes, then I will send them there. Thank you very much.
  25. Yes, the anti-virus I have been using was Advanced SystemCare, but my validity ended two weeks ago. I will be sure to change it, and please do look up a solution for it. Thank you very much.
  26. My server files are encrypted with ransomware and the file extension has been renamed to .eztop. Examples: how_to_back_files.html, po611000PODetailsByVendorWithCost.rpx.eztop
  27. Your use case is rare. Most enterprises have multiple groups. To avoid users making changes at the Workspace level by mistake, we decided to jump to the 'new computers' group by default, like in Emsisoft Enterprise Console.

      Sure. Please note that Emsisoft Cloud Console is a first beta; bugs and missing features exist. We are working hard to improve step by step.

      With this setting you can instruct Emsisoft Anti-Malware not to scan certain registry settings, as they are commonly used by system administrators. Example: "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system", "DisableTaskMgr"

      This is by design. A license can be linked to a user OR a Workspace.

      Users cannot delete Workspaces yet.

      We understand that you now miss certain info related to seat usage, for example. In a near-future ECC release we will improve this, like showing the devices that use the same license but have not been connected (yet). I hope this helps.