Leaderboard


Popular Content

Showing content with the highest reputation since 01/28/20 in all areas

  1. 2 points
    @Kevin Zoll @GT500 Just tried using STOP djvu decryptor a while ago and my files were successfully decrypted. Thank you so much Emsisoft Team. 😭
  2. 2 points
    @m2413 and @Juroan24 private keys for offline IDs are added to our database once we are able to find them. Just run the decrypter once every week or two in order to see when we've added the private key for your variant.
  3. 2 points
    We just added the private key for .reha offline IDs on Thursday, which is why it suddenly was able to decrypt your files. Thanks for letting us know that it worked. 👍
  4. 2 points
    As the FAQ clearly states, you have an online ID, and it is not decryptable. Only the criminals have your key.
  5. 2 points
    Hello @SalasKafa, Thank you for contacting Emsisoft Support. TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.
  6. 1 point
    Just to thank you and all the good people at Emsisoft: I have finally decrypted all of my .nbes files with the STOP DJVU decrypter. Patience paid off. I have to admit that the decryption went very quickly. Thank you and keep up the good work!
  7. 1 point
    Thanks @GT500 and @Demonslay335 . My .mkv files are decrypted now....
  8. 1 point
    The only thing that we (everyone infected with an offline ID) can do is wait. Your information is clear: You have been infected. The good news is that it's an Offline ID, which might be possible to decrypt some day in the future. This depends on the team getting that ID decrypted. That day (if it comes) it will be uploaded to their servers, so the only thing you will need to do is to run the software again. It's recommended to run it once per week to see if your ID was decrypted. (Of course, I'm running it 2 times per day, xD) Patience is the key. Be sure to save your encrypted files for now.
  9. 1 point
  10. 1 point
    We don't think it's a good idea to add detection for this. The amount of false positives would be staggering, and the number of in-the-wild threats that use it are zero, so there's currently no justification for detecting it at all. We'd be forced to remove detection almost as soon as it was added.
  11. 1 point
    I'm trying to login to my Emsisoft account but no verification code has been sent to my email. More than 30 minutes have passed and still nothing. Tried multiple times but no email yet. This happened one more time a month ago and I received the code more than 3 hours after that time. This is very frustrating. What's going on!
  12. 1 point
    That looks to be a good file pair. It may take a few days to a week to crack the password. I'll let you know.
  13. 1 point
    Thank you Amigo-A, here is the ransom note as well Decrypt Instructions.txt
  14. 1 point
    Keystream added to server. Should work for most of your other .mkv files.
    [+] ID: SinSPnFW89EGyfgIuac5Ym6CxpIkZ5ZjdYvgPcoV
    [+] Created keystream for files starting with: 1A45DFA3A3
  15. 1 point
    I've passed the link on to the developer who made the decrypter. We'll let you know once he's had a chance to look at them.
  16. 1 point
    Hi, all my important files have suddenly changed extension to *.redl. All the support forums lead me here however the free decryption application does not work on my files. Is there a way I can get assistance?
  17. 1 point
    Hello @Xinfected, Welcome to the Emsisoft Support Forums. Do not start multiple threads for the same issue. Keep all replies in the same thread. I have merged your support threads. I see no malware in your logs.
  18. 1 point
    Follow the steps here and ATTACH the requested logs so that one of our security experts can help you. https://support.emsisoft.com/topic/31345-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/
  19. 1 point
    Definitely this is the case. Just wanted to drop some info about it in case I can help someone. Thanks for clarifying.
  20. 1 point
    You are welcome. Happy to be of assistance.
  21. 1 point
    what's the meaning of this result?
    Starting...
    File: D:\proje uni\1-s2.0-S0001868615000767-gr1.jpg.kodc
    Error: The remote name could not be resolved: 'decrypter.emsisoft.com'
    File: D:\proje uni\1.png.kodc
    Error: The remote name could not be resolved: 'decrypter.emsisoft.com'
    File: D:\proje uni\1200px-B-spline_curve.svg.png.kodc
    Error: The remote name could not be resolved: 'decrypter.emsisoft.com'
    File: D:\proje uni\220px-NURBS_surface.png
    Error: The remote name could not be resolved: 'decrypter.emsisoft.com'
    File: D:\proje uni\220px-NURBS_surface.png.kodc
    Error: The remote name could not be resolved: 'decrypter.emsisoft.com'
    File: D:\proje uni\278295-59948e5334477ed2964afdd4-05.jpg.kodc
    Error: The remote name could not be resolved: 'decrypter.emsisoft.com'
    File: D:\proje uni\34.png.kodc
    Error: The remote name could not be resolved: 'decrypter.emsisoft.com'
    File: D:\proje uni\4-6.png.kodc
    Error: The remote name could not be resolved: 'decrypter.emsisoft.com'
    File: D:\proje uni\9.JPG.kodc
    Error: The remote name could not be resolved: 'decrypter.emsisoft.com'
    File: D:\proje uni\9464_html_m718ac829.png.kodc
    Error: The remote name could not be resolved: 'decrypter.emsisoft.com'
    Finished!
  22. 1 point
    Your files aren't infected. They're encrypted. The STOP/Djvu ransomware would have been installed in your user profile folder, which is usually on the C:\ drive. There is no harm in keeping your encrypted files, and I recommend making a backup of them to keep in case decryption is possible in the future.
  23. 1 point
    If you want to make sure the Behavior Blocker is working, there's a batch file in the ZIP archive at the following link that should trigger a detection when you run it: https://www.gt500.org/emsisoft/bb_test.zip Just extract it somewhere, double-click on the batch file, and let Emsisoft Anti-Malware quarantine it. If you don't allow it to be quarantined, then it won't work as an effective test anymore.
  24. 1 point
    @kehinde @Jaykishan If our database has a decryption key matching the ID of the file, then that key can be used to decrypt your files. If the decryption tool states that the files cannot be decrypted, that is because we do not have the decryption key for those files.

    General Notes With Regards to STOP/DJVU

    If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.

    If your file(s) have an Online ID, that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys.

    If your file(s) have an Offline ID and were not decrypted, it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way of generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key.

    New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key; we can't.

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  25. 1 point
    Hello Oli, I am using Google Translate and my native language is English. The preliminary date of 2021 for the end of Windows 7 support may have been missed. We will then re-evaluate it, and if it is possible to extend support for Windows 7, we will do so. Other antivirus companies use a date of 2022, but include wording that allows them to end support early. We did not include that wording, which makes them equivalent statements. Stapp, Claude, please clarify if my wording is confusing. Google.
  26. 1 point
    This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  27. 1 point
    From About the STOP/Djvu Decrypter:
  28. 1 point
    Hello @Mike77, Thank you for contacting Emsisoft Support. TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.

    NOTES:

    If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message.

    If your file(s) have an Online ID, that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys.

    If your file(s) have an Offline ID and were not decrypted, it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way of generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files.

    To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  29. 1 point
    @minhas The decrypter is a standalone .NET executable file; it is not installed. If the tool will not run, make sure that the latest .NET Framework is installed for your version of Windows. All our decryption tools require that .NET Framework version 4.5.2 be installed at a minimum.
  30. 1 point
    The Task Manager "I/O write bytes" counter does not necessarily mean hard-disk writes; network writes etc. are logged too. You can check real hard-disk writes in the Windows Resource Monitor with a2service selected, on the Disk tab; see the example below. This shows disk I/O during an update. A simple check to prove this: disable EAM self-protection and kill the processes a2start and a2guard, and you will notice that the I/O write counters nearly stop. The continuous I/O writes are mainly internal EAM network communication and not disk writes.
  31. 1 point
    @jrozasv The Emsisoft Decryptor has been updated to your version with the .alka extension. Try the Decryptor again: https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu If you still have an earlier version in your downloads, then delete it so as not to confuse the files. Report the results.
  32. 1 point
    @guri @jrozasv We recently added offline keys for ALKA and REPP. Run the STOPdjvu decrypter again.
  33. 1 point
    I've been told that we don't currently offer longer than 3 year license keys.
  34. 1 point
    I'll pass your request on to our sales team.
  35. 1 point
    The encrypted files themselves are not malicious and cannot infect another system. However, STOP Djvu comes with several other malware that could have dropped themselves to the flash drive theoretically. They would still have to be some sort of executables that you actually run on another computer in order to infect them.
  36. 1 point
    Thanks Emsisoft!!! topi decrypted !!
  37. 1 point
    Hello All! I'm returning to the topic. Obviously, the problem was in the AdGuard WFP driver. EAM has nothing to do with this situation! After changing the network settings in AdGuard, the problems with tcpip.sys have not yet recurred! At least, a little over 10 days already 😉
  38. 1 point
    @Demonslay335 Guys I cant tell you how happy I am and how grateful I am. 🤪 THANK YOU SO MUCH @Demonslay335 and Emsisoft @GT500 @Kevin Zoll You guys r awesome
  39. 1 point
    Just be sure to make a backup of your encrypted files before you do anything, that way you'll have them in a safe place in case anything happens to them before you can decrypt them.
  40. 1 point
    Hi @Kevin Zoll, Thanks for your comprehensive answer. Also, I just read that informative post written by @GT500. I'm sure you'll find how to fix this issue someday. As far as I can see for now, unfortunately, I think I should clean my drive of the [useless] exe.topi files and go on... Thank you again.
  41. 1 point
    IDM had been removed already, even before I made the last report. I don't know if there's something I'm not doing right.
  42. 1 point
    Uninstall Internet Download Manager. You are using a cracked version anyway and some of its files have been encrypted.
  43. 1 point
    We may have to deal with that issue separately. Yes, you can reconnect to the Internet and try the decrypter, which likely will not be able to decrypt the files. I do not see a reason why you couldn't. That is entirely up to you, but it wouldn't hurt to do so.
  44. 1 point
    @MrSalazar Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

    HKLM\...\Run: [] => [X]
    HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Run: [] => [X]
    HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Policies\system: [shell] explorer.exe <==== ATENÇÃO
    HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
    HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181acd-894f-11e9-b1d4-20e216001ecf} - "F:\AutoRun.exe"
    HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181d76-894f-11e9-b1d4-7085c2aa6cc5} - "D:\AutoRun.exe"
    HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {cfb6d8ee-8986-11e9-b1d7-20e216001ecf} - "F:\AutoRun.exe"
    GroupPolicy: Restrição ? <==== ATENÇÃO
    GroupPolicy\User: Restrição ? <==== ATENÇÃO
    "{45487F67-EC9F-4449-A6F2-2D0970F9B80B}" => serviço não pode ser desbloqueado. <==== ATENÇÃO
    HKLM\SYSTEM\ControlSet001\Services\{45487F67-EC9F-4449-A6F2-2D0970F9B80B} => C:\Windows\System32\drivers\Wdf31419.sys [6504336 2020-01-22] (Acesso Negado) [Arquivo não assinado] <==== ATENÇÃO (Rootkit!/Serviço Bloqueado)
    2020-01-22 21:59 - 2020-01-22 21:59 - 000072816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\jbaiauzd.sys
    2020-01-22 21:57 - 2020-01-22 21:57 - 000000000 ____D C:\Users\Pichau\AppData\Local\a7a7b24c-53b1-45a4-9de3-3496627ae5b5
    2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\Users\Todos os Usuários\DJIVBC20R7P925SAWG1XFZRR5
    2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\ProgramData\DJIVBC20R7P925SAWG1XFZRR5
    2020-01-22 17:37 - 2020-01-22 21:52 - 006504336 ____N C:\Windows\system32\Drivers\Wdf31419.sys
    2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\ProgramData\lock.dat
    2020-01-22 21:53 - 2020-01-22 21:53 - 000000004 _____ () C:\ProgramData\rc.dat
    2020-01-22 18:56 - 2020-01-22 18:56 - 000000008 _____ () C:\ProgramData\ts.dat
    2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\Users\Todos os Usuários\lock.dat
    2020-01-22 21:53 - 2020-01-22 21:53 - 000000004 _____ () C:\Users\Todos os Usuários\rc.dat
    2020-01-22 18:56 - 2020-01-22 18:56 - 000000008 _____ () C:\Users\Todos os Usuários\ts.dat
    2020-01-21 01:09 - 2020-01-22 01:38 - 000000070 _____ () C:\Users\Pichau\AppData\Local\update_progress.txt
    2019-10-02 07:39 - 2019-10-02 07:39 - 000000000 _____ () C:\Users\Pichau\AppData\Local\{A3B36C9E-4F22-40E4-B5B9-9ACD996B2450}
    2020-01-22 21:52 C:\Windows\system32\Drivers\Wdf31419.sys

    Close Notepad.

    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    IMPORTANT: Save all of your work, as the next step may reboot your computer.

    Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

    NOTE: If the tool warns you about an outdated version, please download and run the updated version.

    Also, let me know how the machine is running now, and what remaining issues you've noticed.
  45. 1 point
    File pairs will not work with any 'new djvu' variant (of which .topi is one). The key received with the decrypter will only benefit you and the few others who have files encrypted with the offline key. Those whose files are encrypted by an online key are out of luck (and money). It will decrypt all of the encrypted files of the person whose ransom note and ID were used to get the decrypter and key.
  46. 1 point
    This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  47. 1 point
    I've fixed the decryptor to no longer give the false-positive when it is really a New Variant (which .topi is). @akin Please read the FAQ. Everything there still applies to you since .topi is New Djvu. We can only get offline keys after a victim has paid and provided it to us. There's no "work" to really be done on our part. I'd recommend running the decryptor on some of your files maybe once every week or so; unfortunately we cannot announce to everyone as soon as we receive new offline keys.
  48. 1 point
    Well, we can't have you feeling like that! Let us know if you have any other problems we can help with.
  49. 1 point
    Thanks for updating, rustyDusty, and for helping, JeremyNicoll. For anyone else reviewing this, the exclusion is made like this: Open Emsisoft Anti-Malware, click "Settings" then the "Exclusions" tab. Click "Add folder" in the "Exclude from monitoring" section, navigate to the target folder "C:\Program Files\MPC-HC\" (or another location if you did not install it there), and click OK. Note: Exclusions only apply to programs started after the exclusion is made. To be effective, you may need to restart the process or program, or restart the computer, depending on the program being excluded. In this case, a reboot is recommended.
  50. 1 point
    Link to decrypter download page.
    Link to instructions for using the decrypter (PDF).
    Link to "file pair" submission form.
    Link to more information about the decrypter. <- Article at BleepingComputer.com
    Link to more detailed information about STOP ransomware (covers more than just STOP/Djvu). <- Forum post at BleepingComputer.com

    How do I remove the ransomware?
    The STOP/Djvu decrypter will stop the ransomware from running so that it can't continue encrypting your files; however, it doesn't completely remove the ransomware. Most anti-virus software will detect STOP/Djvu if you run a scan for it; however, if you don't have anti-virus software installed, then you can run a Malware Scan with Emsisoft Emergency Kit (free for home/non-commercial use). Note that formatting the hard drive and reinstalling Windows will also remove the infection; however, this ransomware is particularly easy to remove, so if a computer is only infected with STOP/Djvu then formatting the drive would be unnecessary.

    Will removing the infection unlock my files?
    No. Your files are encrypted. This encryption needs to be reversed (via a process called "decryption") before your files will be usable again. This encryption cannot be removed or undone simply by removing the STOP/Djvu ransomware infection.

    The decrypter can't decrypt my files?
    In most cases this means you have an online ID. It could also mean your files were encrypted by a newer variant of STOP/Djvu. See below for explanations.

    Why won't the decrypter run?
    The decrypter requires version 4.5.2 or newer of the Microsoft .NET Framework, so this could mean your version of the .NET Framework is out of date. We recommend installing the latest version of the .NET Framework (4.8 at the time of writing this), and then trying the decrypter again.

    Why is the decrypter stuck on "Starting"?
    When you run the decrypter, it looks for encrypted files. It will say "Starting" until it is able to find some. If the decrypter remains stuck on "Starting" for a long period of time, then this means it is unable to find any encrypted files.

    Offline ID.
    When the ransomware can't connect to its command and control servers while encrypting your files, it uses a built-in encryption key and a built-in ID. Offline IDs generally end in t1 and are usually easy to identify. Since the offline key and ID only change with each variant/extension, everyone who has had their files encrypted by the same variant will have the same ID and the files will be decryptable by the same key (or "private key" in the case of RSA encryption).

    Online ID.
    In most cases the ransomware is able to connect to its command and control servers when it encrypts files, and when this happens the servers respond by generating random keys for each infected computer. Since each computer has its own key, you can't use a key from another computer to decrypt your files. The decrypter is capable of working around this with older variants as long as it has some help; however, for newer variants there is nothing that can be done to recover files.

    Old Variants.
    Old variants were those in distribution until near the end of August 2019. Our decrypter supports offline IDs for almost all older variants, and can decrypt files for those with offline IDs without needing any help. For online IDs, it's necessary to supply file pairs to our online submission form so that the decrypter can be "trained" how to decrypt your files. A list of extensions from older variants can be found at the bottom of this post.

    New Variants.
    These use a more secure form of RSA encryption. Support for some offline IDs has been added to the decrypter for newer variants, and support for new offline IDs will be added as we are able to figure out decryption keys for them. As for online IDs, due to the new form of encryption, there's currently nothing the decrypter can do to help recover files.

    Will it ever be possible to decrypt new variants with online IDs?
    That depends on whether or not law enforcement is able to catch the criminals who are behind this ransomware. If law enforcement is able to catch them and release their database of keys, then we can add those to our database for decryption. If you would like to report this ransomware incident to law enforcement, then please click here for more information. The more reports law enforcement agencies receive, the more motivation they have to track down the criminals.

    What is a file pair?
    This refers to a pair of files that are identical (as in they are the exact same file), except one copy is encrypted and the other is not. Our decryption service can analyze the differences between an encrypted file and an original unencrypted copy of the same file, allowing it to determine how to decrypt that type of file. For most victims with an older variant of STOP/Djvu, submitting file pairs will be the only way they will get their files back.

    File pairs only work for one type of file.
    Due to the way encryption works in STOP/Djvu, file pairs can only help the decryption service figure out how to decrypt one type of file. For instance, if you submit a file pair for an MP3 file, then the decrypter will be able to decrypt all of your other MP3 files; however, it won't be able to decrypt any other type of file. There are some exceptions to this, such as certain newer Microsoft Office documents (such as DOCX and XLSX), since those files are technically ZIP archives.

    The decrypter can't decrypt all of my pictures even though I submitted file pairs for them?
    JPEG/JPG images have a format oddity that causes file pairs to be specific to each source of pictures, rather than the file format in general. As an example, if you have pictures from two different cameras, and submit a file pair from the group of pictures from one of the cameras, then the decrypter will only be able to decrypt files from the camera that the file pair came from. In order to decrypt all JPEG/JPG images, you will need to submit file pairs from every source you've obtained those pictures from.

    What does "Remote name could not be resolved" mean?
    It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default

    Is there anything I can do to help catch these criminals?
    The best thing you can do right now is file a report with your country's national law enforcement. There is more information available at the following link: https://www.nomoreransom.org/en/report-a-crime.html

    Extensions from older variants that the decrypter supports:
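The mechanics described in the FAQ above and in the reply to @Mike77 (offline IDs ending in t1, a file pair teaching the decrypter how to handle one file type, a keystream created "for files starting with 1A45DFA3") rest on one known-plaintext property of stream ciphers: XORing an original file with its encrypted copy yields the keystream bytes, and those bytes decrypt any other file encrypted under the same key, up to the length of the pair. The script below is an added illustration of that principle; it is not Emsisoft's decrypter or the malware's cipher. It assumes a toy SHA-256 counter-mode keystream reused for every file on one machine, constructed sample files, and the .kodc extension seen in this thread; the FAQ's per-file-type rule is modelled as a lookup on the original extension, and the JPEG per-source caveat is not modelled.

```python
"""Known-plaintext recovery behind STOP/Djvu 'file pairs' (illustrative toy, not the decrypter)."""
import hashlib
from typing import Dict, Optional

# Magic bytes of the two constructed file types: EBML (Matroska/.mkv) and JFIF (.jpg).
MAGIC = {"mkv": b"\x1a\x45\xdf\xa3", "jpg": b"\xff\xd8\xff\xe0"}
RANSOM_EXT = ".kodc"  # one STOP/Djvu extension from this thread; the original extension stays in the name


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(victim_key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, standing in for a stream cipher whose key and nonce are reused
    for every file on one machine (constructed for this example; not the malware's cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(victim_key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def classify_id(victim_id: str) -> str:
    """Per the FAQ: an ID ending in 't1' is an offline ID (built-in key shared by the variant)."""
    return "offline" if victim_id.strip().endswith("t1") else "online"


def original_extension(encrypted_name: str) -> str:
    """'photo.jpg.kodc' -> 'jpg': the ransomware appends its own extension after the original one."""
    if not encrypted_name.endswith(RANSOM_EXT):
        raise ValueError(f"{encrypted_name!r} does not end in {RANSOM_EXT}")
    return encrypted_name[: -len(RANSOM_EXT)].rsplit(".", 1)[-1].lower()


def learn_from_pair(original_name: str, original: bytes, encrypted: bytes, table: Dict[str, bytes]) -> int:
    """Recover keystream bytes from a file pair (original XOR encrypted) and store them per
    file type, mirroring the FAQ's rule that a pair only helps with that one type."""
    ext = original_name.rsplit(".", 1)[-1].lower()
    n = min(len(original), len(encrypted))
    table[ext] = xor_bytes(original[:n], encrypted[:n])
    return n  # number of keystream bytes recovered


def decrypt_file(encrypted_name: str, encrypted: bytes, table: Dict[str, bytes]) -> Optional[bytes]:
    """Decrypt only when a keystream for this file type is known and covers the whole file,
    then verify the result against the type's magic bytes before trusting it."""
    ext = original_extension(encrypted_name)
    keystream = table.get(ext)
    if keystream is None or len(encrypted) > len(keystream):
        return None
    plain = xor_bytes(encrypted, keystream)
    return plain if plain.startswith(MAGIC.get(ext, b"")) else None


def run_demo() -> Dict[str, bool]:
    """Constructed files from victim A, plus one from victim B whose machine got its own key."""
    mkv1 = MAGIC["mkv"] + b"\x01" * 60   # the file we also hold an unencrypted copy of
    mkv2 = MAGIC["mkv"] + b"\x02" * 40
    mkv3 = MAGIC["mkv"] + b"\x03" * 120  # longer than the pair, so the recovered keystream runs out
    jpg_a = MAGIC["jpg"] + b"\x04" * 30
    jpg_b = MAGIC["jpg"] + b"\x05" * 30
    ks_a = toy_keystream(b"victim-A-key", 256)
    ks_b = toy_keystream(b"victim-B-key", 256)

    def encrypt(data: bytes, ks: bytes) -> bytes:  # stream encryption is XOR with the keystream
        return xor_bytes(data, ks)

    table: Dict[str, bytes] = {}
    recovered = learn_from_pair("movie.mkv", mkv1, encrypt(mkv1, ks_a), table)
    results = {
        "keystream_covers_pair": recovered == len(mkv1),
        "same_type_decrypts": decrypt_file("other.mkv.kodc", encrypt(mkv2, ks_a), table) == mkv2,
        "longer_file_not_covered": decrypt_file("big.mkv.kodc", encrypt(mkv3, ks_a), table) is None,
        "other_type_needs_own_pair": decrypt_file("photo.jpg.kodc", encrypt(jpg_a, ks_a), table) is None,
    }
    learn_from_pair("photo.jpg", jpg_a, encrypt(jpg_a, ks_a), table)
    results["same_type_after_pair"] = decrypt_file("photo.jpg.kodc", encrypt(jpg_a, ks_a), table) == jpg_a
    # Victim B's file was encrypted under a different key: A's keystream does not give back jpg_b.
    results["other_victim_key_fails"] = decrypt_file("trip.jpg.kodc", encrypt(jpg_b, ks_b), table) != jpg_b
    results["offline_id_recognised"] = classify_id("constructedexampleid1t1") == "offline"
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Two points the demo makes concrete: the recovered keystream is only as long as the pair, so a pair taken from a small file cannot cover a larger one, and a keystream from another machine (the online-ID situation, where every computer gets its own key) produces garbage that the magic-byte check or a comparison with the original rejects.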