All Activity


  1. Today
  2. I have attached a copy of the FRST save file after the scan, and I have also added the saved information after running STOPDecrypter. Addition.txt FRST.txt STOPDecrypter information.txt
  3. The result of the verification in the IDR will be as follows: Phobos Ransomware. I have not added this variant to the update section yet, but previous variants with this extension are already known.
  4. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  5. That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to: https://id-ransomware.malwarehunterteam.com/
     While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
     Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.
     While most ransomware will automatically delete itself after it finishes encrypting files, some variants now leave behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
     Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  6. Soon may not be possible (some people have been waiting for 6-7 months). If you need immediate file recovery, then you may want to consider contacting Coveware, as they can help you by contacting the criminal behind the ransomware and negotiate a lower price for you.
  7. I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you. Yes, that's the best thing for you to do for now.
  8. That just means we don't have the key for your files in our database. In theory it might be possible for more to be added in the future, however there's no way to know if or when that will happen. In this case I think backups would be the best course of action. Outside of paying the ransom (which we prefer not to encourage) there's more than likely no way to recover the virtual drives. While it might sound reasonable to copy the data from the running VMs, keep in mind that your virtualization software can no longer read from the virtual disks, and thus it would fail to copy any data that was not already loaded into memory in the VMs.
  9. Funny, considering that the e-mail failed validation, I'm surprised your mail server didn't block it.
     Authentication-Results: spf=none (sender IP is 173.201.192.186) smtp.mailfrom=thealtar.info; rslcomputers.com; dkim=none (message not signed) header.d=none;rslcomputers.com; dmarc=fail action=quarantine header.from=emsisoft.com;compauth=fail reason=000
     Received-SPF: None (protection.outlook.com: thealtar.info does not designate permitted sender hosts)
     The last time I checked, both DKIM and DMARC are configured for our domain, so both should validate if it's a legitimate e-mail from us.
  10. Yesterday
  11. @broniusr I've fixed that now. Please try re-downloading for v1.0.0.1.
  12. Also, some files were written in French in Microsoft.
  13. I received ransomware requiring me to write to [email protected] within 24 hours using the code 720AF1D2-2289; after 24 hours I was to email [email protected]. I was to send 5 files for free decryption, which I did not do. I was advised on how to buy bitcoins at https://localbitcoins.com/buy_bitcoins and, for beginners, they provided me with this website http://www.coindesk.com/information/how-can-i-buy-bitcoins/, which I did not do. The virus infected my back-up and my server. The files were converted to .banjo. Files were written in JavaScript, I believe. My computer was taken off the network and a new IP address was given; at the moment it is off the network, so I am unable to use it to send any files to you. I have the computer in safe mode now. Can you please help me?
  14. Hello. This variant (.nacro) has not yet been added to the STOP Decrypter. Attach your _readme.txt file to a message so we can see what type of ID it is.
  15. A few minutes ago I received the following email pretending to be from Emsisoft:
      Title: Invoice(s) due
      Email address used to send from in my case is: Emsisoft <[email protected]>; (Emsisoft via thealtar.info)
      Header info:
      Received: from CY4PR10MB1989.namprd10.prod.outlook.com (2a01:111:e400:7a4d::51) by BN6PR10MB1986.namprd10.prod.outlook.com with HTTPS via BN3PR03CA0091.NAMPRD03.PROD.OUTLOOK.COM; Mon, 19 Aug 2019 09:39:22 +0000
      Received: from MWHPR10CA0050.namprd10.prod.outlook.com (2603:10b6:300:2c::12) by CY4PR10MB1989.namprd10.prod.outlook.com (2603:10b6:903:11a::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2178.18; Mon, 19 Aug 2019 09:39:21 +0000
      Received: from SN1NAM01FT044.eop-nam01.prod.protection.outlook.com (2a01:111:f400:7e40::200) by MWHPR10CA0050.outlook.office365.com (2603:10b6:300:2c::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2178.16 via Frontend Transport; Mon, 19 Aug 2019 09:39:21 +0000
      Authentication-Results: spf=none (sender IP is 173.201.192.186) smtp.mailfrom=thealtar.info; rslcomputers.com; dkim=none (message not signed) header.d=none;rslcomputers.com; dmarc=fail action=quarantine header.from=emsisoft.com;compauth=fail reason=000
      Received-SPF: None (protection.outlook.com: thealtar.info does not designate permitted sender hosts)
      Received: from p3plwbeout14-03.prod.phx3.secureserver.net (173.201.192.186) by SN1NAM01FT044.mail.protection.outlook.com (10.152.65.225) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2178.16 via Frontend Transport; Mon, 19 Aug 2019 09:39:20 +0000
      Received: from p3plgemwbe14-06.prod.phx3.secureserver.net ([173.201.192.155]) by :WBEOUT: with SMTP id ze7lhNK5aCOgBze7lhwknU; Mon, 19 Aug 2019 02:38:49 -0700
      X-SID: ze7lhNK5aCOgB
      Received: (qmail 27063 invoked by uid 99); 19 Aug 2019 09:38:49 -0000
      Content-Transfer-Encoding: quoted-printable
      Content-Type: text/html; charset="utf-8"
      X-Originating-IP: 185.232.22.204
      User-Agent: Workspace Webmail 6.9.59
      Message-Id: <[email protected]mail14.godaddy.com>
      From: "Emsisoft" <[email protected]>
      X-Sender: [email protected]
      Reply-To: "Emsisoft" <[email protected]>
      To:
      Subject: Invoice(s) Due
      Date: Mon, 19 Aug 2019 02:38:45 -0700
      Mime-Version: 1.0
      X-CMAE-Envelope: MS4wfNBVZhrgbzXKdfKr1g3R1v01SOMJCYE71uYLEPOCW6VDE41cWKCv7iHHNTdC6CSMpKrRBN9gzyc6R+x1ZE9gEE58qyHEvRbUeO3sWK/Ri6lGI+ly5Vu5 2vf/q1wNG30vIoGlPuQpfq/tBA6juYsp/5fyBnkXgt9EfEXcSAhUtSyb2dhk8XxuyKhq0EaMYn1kljHRTU14NKeJP5MjPspAqxw=
      Return-Path: [email protected]
      X-MS-Exchange-Organization-ExpirationStartTime: 19 Aug 2019 09:39:20.6845 (UTC)
      X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
      X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
      X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
      X-MS-Exchange-Organization-Network-Message-Id: 76c22b4c-30f7-46be-477e-08d724891cb3
      X-EOPAttributedMessage: 0
      X-EOPTenantAttributedMessage: dff0cfe4-0774-41ed-a299-d72b333064a1:0
      X-MS-Exchange-Organization-MessageDirectionality: Incoming
      X-Matching-Connectors: 132106811607365733;();(30aae98b-e46d-47eb-c8af-08d3b25b0f82,ff47d72d-0fa9-4508-46b6-08d429cf5cf9,4aa9d499-1c82-4814-693f-08d51fe40331)
      X-Forefront-Antispam-Report: CIP:173.201.192.186;IPV:NLI;CTRY:US;EFV:NLI;SFV:SPM;SFS:(10001);DIR:INB;SFP:;SCL:5;SRVR:CY4PR10MB1989;H:p3plwbeout14-03.prod.phx3.secureserver.net;FPR:;SPF:None;LANG:en;CAT:SPM;
      X-MS-Exchange-Organization-AuthSource: SN1NAM01FT044.eop-nam01.prod.protection.outlook.com
      X-MS-Exchange-Organization-AuthAs: Anonymous
      X-MS-PublicTrafficType: Email
      X-MS-Office365-Filtering-Correlation-Id: 76c22b4c-30f7-46be-477e-08d724891cb3
      X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(5600148)(711020)(4605104)(4710121)(4712094)(1403117)(71702078)(7193020);SRVR:CY4PR10MB1989;
      X-MS-TrafficTypeDiagnostic: CY4PR10MB1989:
      X-MS-Exchange-PUrlCount: 1
      X-MS-Oob-TLC-OOBClassifiers: OLM:8882;
      X-MS-Exchange-Organization-SCL: 5
      X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2019 09:39:20.5254 (UTC)
      X-MS-Exchange-CrossTenant-Network-Message-Id: 76c22b4c-30f7-46be-477e-08d724891cb3
      X-MS-Exchange-CrossTenant-Id: dff0cfe4-0774-41ed-a299-d72b333064a1
      X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
      X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR10MB1989
      X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.8374783
      X-MS-Exchange-Processed-By-BccFoldering: 15.20.2178.000
      X-Microsoft-Antispam-Mailbox-Delivery: dwl:1;ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160513016)(750119)(520011016)(520008050)(702028)(944506383)(944626516);
      X-Microsoft-Antispam-Message-Info:
        =?us-ascii?Q?zxTIkmxboA8V3HWwi2SWFCPnZs4f45S1m/nHTLKnr4HKWtXjcqLKzGpHYrQ1?=
        =?us-ascii?Q?Fp8H5p7fUFZBfDvqnygf5XZoWluTqwKJqHLQLR/+MQXILfUnAQdTrkoVUNuS?=
        =?us-ascii?Q?HEUsBMrSz8tS3yAGVGgje8/7AM140W24Tqlzc++N/6OGsfiYpjkuyrZgwDsr?=
        =?us-ascii?Q?splE9rOc88b1ccUQGqKieYy/udeq/Pmd6YpqRnXPW2sLYNJ2UeTYNCUtsYYi?=
        =?us-ascii?Q?Fc3dsbZUTr6oCRDZrMmPPyZEkZpNuxq0wua0XNRvDamdyOWjgbB8J0II2tY2?=
        =?us-ascii?Q?2y/WtZ8yoN/XwcqKDl33xjPDIGTBq8t2Y7RtwdcmxMVgvswB7AwQFrN+IIY/?=
        =?us-ascii?Q?TWiBmw5qJYb0vIxUfTFI+f9ON/8fRSiIrlvvURhLKkwiY12Izm2SC0b3EuSP?=
        =?us-ascii?Q?7dQDLhf78CyJO42XKDrtYpd40bLe+GC9Li4yuEeBy8bgru5W5YFxf+diJnpK?=
        =?us-ascii?Q?l/aRWFCpjfrmcldpUcQZW1/O1Py+5HeQ5YyQ1U3wTjY92br4PEgV2gra4EyB?=
        =?us-ascii?Q?5UTXbAf2vRwcweFkGuL89QwDG928QQeH94EO8GLOSjZW7mbPMzVHbLjLM8iV?=
        =?us-ascii?Q?ZOKIL/iyLUQnNGrXnFsBOvVmUFq+ZTSksEWBpaayeQrax/qOHljRBm5bQQuc?=
        =?us-ascii?Q?5dmgS5Z545wFUA95NEkiUN8TY9OeFdoeVQ28hhUghHCFeTnesL4mlhQw3HI8?=
        =?us-ascii?Q?axTIa7EblveXKYroxaeat/X+CTIw3jSneJhpyyko4pSDBiMiY9Q9kSqkA3We?=
        =?us-ascii?Q?e3ai+8n0PxjZEb2KPL9Knj6zyOjam+zns388wov0zWqkH5zhK0+h9gqVh6hA?=
        =?us-ascii?Q?t5UHRe0HZGwx/jowtsGey+/EKv5Ga+eesQjUCsffLtIsYtX2J4e76F3cOzy1?=
        =?us-ascii?Q?Z1R4vZwHqPqe5fL5r5UnIYu51RpOmcr0DvlKvgfQ8bIbUpRQKbJ9sgIsgwPc?=
        =?us-ascii?Q?HZMsJjj7NEfes5AgNd3Eu3unEsNZp7cJyK7Pl0Sg+cVqV7pW5d+9fcH0LHuL?=
        =?us-ascii?Q?ikxyu4Gkb9tWeydxi7u8nuLTsfCqjVpQ1yO+PuXpNxHF8YfvmRVbWBVVc849?=
        =?us-ascii?Q?dJp4b6/3/I+1xj319lehdBYAl2eN7a7Or5Anj3RWKVGwhy7YU4yeGL6rakBA?=
        =?us-ascii?Q?V++x0Ejjqwvm+2F1LTlP7whfLWkMySMQoLx2srdtT2fSsJzlrVTt4aHv9yvZ?=
        =?us-ascii?Q?aY/jfIdBmRBH+YtaTf/OslPVPQCQvtBgnnTou+u+jSTxXt3EcIDELEC1UZa7?=
        =?us-ascii?Q?bXSIz2JWe1frgmWUO0v5mYgX4vUYEC7IcEWh97ef6VUG6NsITAubTWyaVIDu?=
        =?us-ascii?Q?E4Q4Y++2D+mAmG3kfRwgJQKEdKJHeyd880RxkKfPgjq5exDs4dnnplvMAc9H?=
        =?us-ascii?Q?FtxVXPZfyU3AHn9v7UmLdvKpgh7Hqt3GSohCe1gEDDGPAS9BiQ4YVtnLI4dc?=
        =?us-ascii?Q?ROAZVYlsHGDCNT1LWmC7i87zWkVEqllLDwzwZwTQlIME8klgfrKUOWs26Bx1?=
        =?us-ascii?Q?xZ9tlkl0o713MvU=3D?=
      Here is the email message I received:
      Hello Mr/Mrs, acknowledge this message is for our record purposes. Kindly re-confirm to us with the status of our Due invoices, as we currently have to give you a new updated Bank information. I will like to draw your attention to the fact that due to high taxes imposed by the government, we no longer receive payments in our local account. Hence the reason for our earliest mail to you. Subsequently to your acknowledgement of this mail, please let me know when you will be making payment to enable me send you our updated account information. We apologies for any inconvenience this may bring to you. Your immediate response will be highly appreciated, and if you do have any Question, do let us know. Regards, Mrs Joy Accounting Team
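The two posts above (items 9 and 15) read the Authentication-Results header by eye. The Python below is an added example, not part of the forum thread and not an Emsisoft tool: it parses the Authentication-Results value exactly as quoted in the post and re-derives the DMARC outcome from the SPF and DKIM clauses under relaxed alignment. The From domain the sender claims is emsisoft.com, but the envelope sender (smtp.mailfrom) is thealtar.info and the message carries no DKIM signature, so neither identifier aligns and DMARC cannot pass, which matches the receiver's own dmarc=fail stamp. Assumption: the organisational domain is approximated as the last two labels; a real verifier consults the Public Suffix List.

```python
import re

# Authentication-Results value copied from the forged "Invoice(s) Due" e-mail
# quoted in the forum post above (Exchange Online Protection format).
AUTH_RESULTS = (
    "spf=none (sender IP is 173.201.192.186) smtp.mailfrom=thealtar.info; "
    "rslcomputers.com; dkim=none (message not signed) header.d=none;"
    "rslcomputers.com; dmarc=fail action=quarantine header.from=emsisoft.com;"
    "compauth=fail reason=000"
)


def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results value into {method: {"result", "props"}}.

    Parenthesised comments such as "(sender IP is ...)" are dropped, and bare
    authserv-id tokens such as "rslcomputers.com" (no '=') are skipped.
    """
    cleaned = re.sub(r"\([^)]*\)", " ", header)
    results = {}
    for clause in cleaned.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method.lower()] = {"result": result.lower(), "props": props}
    return results


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two DNS labels.

    Assumption: real DMARC uses the Public Suffix List (so example.co.uk works);
    the two-label rule is sufficient for the domains in this header.
    """
    labels = domain.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def dmarc_evaluation(results: dict) -> dict:
    """Re-derive DMARC from the SPF/DKIM clauses using relaxed alignment.

    DMARC passes only if SPF passed AND smtp.mailfrom aligns with header.from,
    or DKIM passed AND header.d aligns with header.from.
    """
    empty = {"result": "none", "props": {}}
    spf = results.get("spf", empty)
    dkim = results.get("dkim", empty)
    dmarc = results.get("dmarc", empty)

    from_domain = dmarc["props"].get("header.from", "")
    mailfrom = spf["props"].get("smtp.mailfrom", "")
    dkim_d = dkim["props"].get("header.d", "")

    spf_aligned = spf["result"] == "pass" and org_domain(mailfrom) == org_domain(from_domain)
    dkim_aligned = dkim["result"] == "pass" and org_domain(dkim_d) == org_domain(from_domain)

    return {
        "header_from": from_domain,
        "envelope_from": mailfrom,
        "dkim_domain": dkim_d,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
        "reported_dmarc": dmarc["result"],
        "reported_action": dmarc["props"].get("action", ""),
    }


def triage(header: str) -> str:
    """One-line analyst verdict: does our recomputation agree with the receiver?"""
    ev = dmarc_evaluation(parse_auth_results(header))
    if ev["dmarc_pass"]:
        return f"DMARC pass for {ev['header_from']}"
    return (
        f"DMARC fail: From claims {ev['header_from']} but envelope is "
        f"{ev['envelope_from'] or '(none)'} and DKIM domain is "
        f"{ev['dkim_domain'] or '(none)'}; receiver reported "
        f"dmarc={ev['reported_dmarc']} action={ev['reported_action']}"
    )


if __name__ == "__main__":
    print(triage(AUTH_RESULTS))
```

The action=quarantine tag in the receiver's stamp records that the From domain's published DMARC policy asked for quarantine rather than reject, so a conforming receiver delivers the message to junk instead of bouncing it; when reading these headers on an incident, check the policy requested before concluding that filtering failed.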
  16. Please help me guys, my dad needs his data soon.
  17. Hi guys, my files were infected by ransomware with the extension .nacro, named STOP Djvu. Please help me, I can't access my files. It's been 4 days now; I have been trying one decryptor tool after another, but none of them worked. Need help...
  18. Last week
  19. Hello, please support
      [*] ID: s9KkuHGOgdCYV8Rim63CFMrxZFXlO0mp7S0wmKbd (.mtogas )
      [*] MACs: 64:80:99:7D:56:9D, 64:80:99:7D:56:9C, F0:1F:AF:66:3B:0C
      Is there a solution to this problem? Even after a while!!!!!! Do I wait and leave the encrypted files as they are?
      _readme.txt Model(1).png.mtogas
  20. No, I didn't check the Cloud Console. Having everything local is an important factor for my clients and myself. With the new pricing scheme, EMSI business licences are in the price range of Endsecurity solutions. So I would expect to see EMSI moving the Client in that direction too. The "competition" is coming from Windows 10 too. I see people asking to ditch third-party antimalware altogether. I'm currently opposing that, but once Win7 is EOL it will become harder to convince customers to see the benefits of EMSI in comparison to EndSecurity solutions (bundled with SPAM filter etc.) or the plain Win10 Defender tools. But back to the main topic of Enterprise Console: currently the Enterprise Console seems not to offer all settings of the EMSI client (e.g. Appearance: Dark / Bright is not found in the policy/settings)?
  21. One of our servers had a SAMBA share left open for reasons we are unclear about. Currently the VMs running on the machine are fine (they seem to be in memory), but if they reboot the .vdi files are unusable. We do have backups, but this would of course result in a lot of work reinstalling these servers. I have tried the decrypt tool on some offline .vdi files but it will not work.
      What happened to your files ?
      All of your files were protected by a strong encryption with AES cbc-128 using NamPoHyu Virus.
      What does this mean ?
      This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
      Your unique id: 6C95029F8EFD463899B724524B86F659
      This is the ID on our files.
  22. While most ransomware will automatically delete itself after it finishes encrypting files, some variants now leave behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
      Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.