All Activity


  1. Yesterday
  2. No keys were found for the following IDs: [*] ID: IYowMwYsTvdxAhn3KvnRAbCj7z2jETimRBUTgBpa (.lanset )
  3. GT500: I've attached a couple of infected files. Thanks for your interest and time. 26231.jse 29031.jse 135463.jse 1329467.jse 1835201.jse RFQ2017-1-0001.jse RFQ2017-1-0002.jse RFQ2017-1-0003.jse RFQ2017-1-0004.jse RFQ2017-1-0004-A.jse RFQ2017-1-0005.jse RFQ2017-1-0006.jse RFQ2017-1-0007.jse RFQ2017-1-0008.jse RFQ2017-1-0009.jse RFQ2017-1-0009-A.jse
  4. Thanks for the info guys. Hope a decrypter can be made/found soon for this! I have about 1 TB's worth of files to decrypt. Although they are not essential, I still would like them back at some stage. Already beefed up my NAS security. Luckily not all files were infected.
  5. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  6. At first glance I'm not seeing anything that looks malicious in those logs. Most ransomware will delete itself after it finishes encrypting files, and in the case of RDP compromise where an attacker manually copies ransomware to the compromised system and executes it they also normally clean up after themselves to make analysis more difficult. Would it be possible to attach one or two copies of encrypted files to a reply so that I can run them by our malware analysts?
  7. BTW: I see this is a terminal server. I recommend closing the RDP port in your firewall ASAP. Also, below are some steps for getting started dealing with an RDP compromise in case that's what happened here:

     First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

     If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

     Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions). I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

     When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc.) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
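     As an added example that is not part of the post above (nor Emsisoft's own tooling), the following PowerShell script carries out the first part of that advice on the affected Windows terminal server itself: it shows what is listening on TCP 3389 and who is connected, lists every enabled inbound rule that allows 3389 and its remote-address scope, disables the rules that are open to Any, enforces Block as the profile default, re-allows RDP only from a VPN address range, and summarises failed logons from the last 24 hours by source IP. It uses only the built-in NetSecurity and ScheduledTasks-era cmdlets (Windows 8 / Server 2012 and later) and must run from an elevated prompt. The VPN subnet, the rule display name and the one-day window are assumed placeholders; substitute the range your VPN actually hands out before running it.

```powershell
# Added example, not from the forum post. Audits and narrows inbound RDP exposure on a
# Windows host with the built-in NetSecurity module (Windows 8 / Server 2012 and later).
# Run from an elevated PowerShell prompt. $VpnSubnet is an assumed placeholder: replace it
# with the address range your VPN assigns to clients.
$VpnSubnet = '10.8.0.0/24'

# 1. Is anything actually listening on TCP 3389, and from where are sessions established?
Get-NetTCPConnection -LocalPort 3389 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, State, RemoteAddress, OwningProcess |
    Format-Table -AutoSize

# 2. Every enabled inbound Allow rule whose port filter names 3389, with its remote scope.
#    A RemoteAddress of 'Any' means the port is reachable from the whole internet.
#    (Rules written as a port range, e.g. '3300-3400', are not caught by this exact match.)
$rdpRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

foreach ($rule in $rdpRules) {
    $remote = (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).RemoteAddress -join ','
    Write-Host ("{0,-45} RemoteAddress={1}" -f $rule.DisplayName, $remote)
    # 3. Disable rules open to Any; leave rules already scoped to specific addresses alone.
    if ($remote -eq 'Any') {
        Disable-NetFirewallRule -Name $rule.Name
        Write-Host '  -> disabled (was open to Any)'
    }
}

# 4. Make sure inbound traffic is blocked by default on every profile, so only explicit
#    Allow rules let anything in. This is the stock setting, but worth enforcing after a
#    compromise because an attacker with admin rights may have changed it.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 5. Re-allow RDP only from the VPN client range.
New-NetFirewallRule -DisplayName 'RDP (VPN clients only)' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $VpnSubnet -Action Allow -Profile Any | Out-Null

# 6. Brute-force pressure: failed logons (Security event 4625) in the last 24 h, by source IP.
#    Property index 19 of a 4625 event is the IpAddress field.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[19].Value } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

     Step 5 only narrows the host firewall; the perimeter firewall the post talks about still needs the same treatment, and the 4625 summary is only meaningful if logon auditing was enabled before the incident. If the host also terminates the VPN, check that the VPN adapter's own profile is covered by the new rule.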
  8. Yes, you can upload only an encrypted file. There are a few ransomware families which don't leave a ransom note, or where the ransom demands are made via e-mail at a later point.
  9. Did it leave a ransom note of any kind as well?
  10. @Swarnav please download the following fixlist.txt file and save it to the Desktop: https://www.gt500.org/emsisoft/fixlist/2019-07July-23/Swarnav/fixlist.txt NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop. Run the FRST download from earlier, and press the Fix button just once and wait. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
  11. Hello, my mother's computer was infected with .vir ransomware. Looks like it uses AES-256 encoding. Text message name is "READ_TO_DECRYPT.html". I looked through all the available databases, but it looks like it is new (though the READ_TO_DECRYPT message was used on a few occasions). Sadly, right now I cannot provide file examples (only a few screenshots), but will do tomorrow if it is needed. Hope for your help.
  12. GT500: I only have files that are encrypted with the .JS extension. We have not noticed any other changes in the computers, screen background the same. Can I just copy the affected file to ID Ransomware? If so, how? No other file or message has been found to copy to ID Ransomware.
  13. Amigo-A, thanks for your insight. I have attached the Frst and Addition as indicated. Addition.txt FRST.txt
  14. Did it change your Desktop background, or leave any other sort of ransom message? Could you upload a copy of the ransomware to ID Ransomware, and post a link to the analysis for us? https://id-ransomware.malwarehunterteam.com/
  15. Also, please note that it is imperative that you run STOPDecrypter ASAP, and send us your ID and MAC addresses. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
  16. While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  17. By "extrasenses" I assume he means "psychic", but regardless the point he's trying to make is valid. There's no way for anyone to know when a free decrypter will be available.
  18. We don't yet have any new information on this one. Hopefully we'll know more soon.
  19. Two detections on November 14th, 2018. If KMS was still installed at the time of the ransomware incident, then it certainly could have been the cause, however it doesn't appear to be there at the moment.
  20. While we're at it: 150% scaling of the 4K display.
  21. My pc got infected with the lapoi ransomware
  22. This ransomware created a task in Windows to execute a PowerShell script. In freezing we were able to recover the files using a Kaspersky decryptor. Some machines only have the information file for recovery. It's the same as freezedbywizard. The email is the same. The difference is the name for HelloAgain. VirusTotal: https://www.virustotal.com/gui/file/46c0e2cb833a77695d9ed94c8c09b4be178bc80b2288c48b6d7649e4323e3e04/detection https://www.virustotal.com/gui/file/cfb6205c0165002f9b11bac6853de1793774b7c1315fc5fdef9989b83b7f60a0/detection UWT4 Home Page.URL.HelloAgain Read Me First.txt.HelloAgain
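     As an added example that is not part of the post above, and not a script from the poster or from Emsisoft, the following PowerShell hunts for the kind of persistence the post describes: a scheduled task whose action launches PowerShell. It walks every registered task, flags Exec actions that run powershell.exe/pwsh or carry the usual download-and-run arguments, decodes any -EncodedCommand payload (base64 of UTF-16LE), exports the matching task definitions to the Desktop as evidence, and then disables them so nothing re-encrypts files while you clean up. It needs the ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated prompt; the argument regex and the export folder are the author's assumptions, not anything specific to the HelloAgain sample.

```powershell
# Added example, not code from the poster. Finds scheduled tasks that launch PowerShell
# or carry typical "download and run" arguments, decodes -EncodedCommand payloads,
# exports the task XML as evidence, then disables the task. Windows 8 / Server 2012+.
# The argument pattern is an assumption and will also flag some legitimate admin tasks,
# so review $hits before running the final loop.
$argPattern = '(?i)(-enc\b|-e\s|-ec\s|encodedcommand|frombase64|iex\b|invoke-expression|downloadstring|-w(indowstyle)?\s+hidden|bypass)'
$evidenceDir = Join-Path $env:USERPROFILE 'Desktop\task_evidence'   # assumed location
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null

$hits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only Exec actions carry Execute/Arguments; COM-handler actions simply fail the match.
        if ($action.Execute -match '(?i)powershell|pwsh' -or $action.Arguments -match $argPattern) {
            $decoded = $null
            if ($action.Arguments -match '(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
                # -EncodedCommand is base64 over the UTF-16LE bytes of the script text
                try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
                catch { $decoded = '<not valid base64>' }
            }
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                State     = $task.State
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = $action.Arguments
                Decoded   = $decoded
            }
        }
    }
}

$hits | Format-List

# Preserve the task definition (XML includes triggers, principal and the exact command line),
# then disable it. Disable rather than delete so the analyst can still inspect it.
foreach ($h in $hits) {
    $safeName = $h.TaskName -replace '[^\w.-]', '_'
    Export-ScheduledTask -TaskName $h.TaskName -TaskPath $h.TaskPath |
        Out-File -FilePath (Join-Path $evidenceDir "$safeName.xml") -Encoding UTF8
    Disable-ScheduledTask -TaskName $h.TaskName -TaskPath $h.TaskPath | Out-Null
    Write-Host ("Disabled {0}{1}" -f $h.TaskPath, $h.TaskName)
}
```

     Also copy the script file named in the task's Arguments (or the decoded command) before deleting anything; that file, together with the exported XML, is what a malware analyst will ask for.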
  23. I did not get the above files. But I got some other files which might help you. "C:\Users\dasba\AppData\Local\Temp\csrss\smb\e7.exe" This is the link https://www.virustotal.com/gui/file/6300fa9fcef55f5064d158c07ef34a46edf721f32dfe9d8437ab82321613a39b/detection
  24. While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  25. Now my time zone went into the night. Employees will connect to you. Good luck!