  1. Amigo-A (Visiting Expert)
  2. GT500 (Emsisoft Employee)
  3. Superman ABD
  4. stapp (Global Moderator)
Popular Content

Showing content with the highest reputation since 06/07/20 in Posts

  1. 2 points
    This information may help specialists. I have added even more samples to my article. We will try to analyze all incoming samples in the hope that something will change. You need to collect all encrypted files. If decryption becomes possible, information will be published and you will receive a message from support specialists. A rare specialist works on weekends. I work daily, but unfortunately my strength and desire to help you are not enough to decrypt.
  2. 2 points
    In the sample that encrypts files with the .avdn extension, there is no code from the real MedusaLocker Ransomware. There is a small piece of code in another sample that adds a 'random' extension to encrypted files, but this piece is not the base. It is well identified by antivirus engines as Avaddon Ransomware.
  3. 2 points
    DrWeb support usually does not use international names of ransomware.
  4. 2 points
    Results of checking your files:
    https://id-ransomware.malwarehunterteam.com/identify.php?case=9da99e33569fe0af64a43b520f35bababd09ad3c
    https://id-ransomware.malwarehunterteam.com/identify.php?case=2e2e29f85fe2918c33683e2faeade22e51cf81ec
    https://id-ransomware.malwarehunterteam.com/identify.php?case=2f1a3356c8705f995285ab41e9456bc61f11d20e
  5. 2 points
    "Hello. Information was sent to virus monitoring team, please, wait for reply." I received such a message from Dr.Web specialists. They are working on decryption.
  6. 2 points
    This is the general page of all decryptors from Emsisoft. There is no decryptor for files encrypted by this ransomware yet. https://www.emsisoft.com/ransomware-decryption-tools/free-download
  7. 2 points
    I must say more precisely: you trust Emsisoft. Personally, I only help a little to unmask the ransomware.
  8. 2 points
    The ransomware doesn't need to put important information on the same hard drive/partition as the files it encrypted. This is why I recommend waiting to reinstall Windows.
  9. 2 points
    Don't reinstall Windows until we know for certain what is needed to decrypt files. If there is something other than what's contained in the encrypted files and the ransom notes that's necessary for decryption, then you could wipe that out by reinstalling Windows, thus making it impossible to decrypt your files. For now just rely on Anti-Virus software to clean up the system. If you're not certain if it's clean, then let us know, and we can assist you.
  10. 2 points
    Specialists of several companies (Emsisoft, DrWeb) are working on decryption of files that are encrypted by Avaddon. There are currently no decryptors and no successful decryption methods without paying the ransom.
  11. 2 points
    I am waiting for the verification results. I have provided samples of files and malware; it remains to wait and hope. It is worse when they immediately say that "decoding by our forces is impossible."
  12. 2 points
    My WSC does not recognise EAM either. Recommending that we should "uninstall EAM, restart the PC twice, and then reinstall EAM", on top of having to constantly disable and re-enable EAM components to deal with the still unfixed issue of excessive CPU usage, is unacceptable for a piece of software that is not exactly cheap.
  13. 1 point
    12 days have passed since I sent the files and samples. No news yet. I check e-mail every day.
  14. 1 point
    Is this what you are talking about? If it is then that is because you are using Windows 10 and it doesn't need to say Windows 10. All program installers (not just EEK) look like that.
  15. 1 point
    It's possible your files were encrypted by one ransomware, and then encrypted by another as well. We wouldn't be able to tell for certain without seeing an encrypted file and a copy of the ransom note.
  16. 1 point
    DrWeb has been producing free decoders for many years, and was the first to start doing it. It continues to do free decryption for its licensed users around the world. Test decryption is done for free. It is better than paying first and then saying that decryption is impossible. I made a request: separately, the decryption service is not provided. Only within the scope of the 'Rescue Package'. Now more computing power is required to provide a decryption service, therefore it cannot be absolutely free to all affected users.
  17. 1 point
    Dr. Web does not release free decrypters. Their ransomware decryption service is strictly a paid service, however they will at least let you know if your files can be decrypted before they require you to pay anything. If they do require a file pair, then you'll need to find one. Try to remember if you ever sent any files to others (via e-mail, file sharing services, etc.) or if you ever saved them to any kind of external media (CDs, DVDs, USB flash drives, etc.).
  18. 1 point
    For files that received the .avdn extension after encryption, I provided 2 different samples of the encryptor to DrWeb. In the newer version, files already receive 'random' extensions. These are other samples of the encryptor. Most likely, newer ones will cardinally differ from earlier ones. I contact Dr.Web specialists as a usual user. But I collect and provide all available information, encryptor samples and everything else that is needed. Main link: https://legal.drweb.com/encoder/?lng=en Support works in 10 languages. Anyone can order a test decryption by providing:
    - 5 different encrypted files and unencrypted original files;
    - an original unedited ransom note.
    No need to change anything in the files. If the victim has not previously used DrWeb products and there was no active DrWeb protection on his PC when the files were encrypted, then after a successful test decryption, you will need to purchase the Rescue Package for 150 euros. Support specialists will tell you what needs to be done.
  19. 1 point
    You'll have to wait for @Amigo-A as I have no contacts at Dr. Web.
  20. 1 point
    I had not done this so am doing it right now. Thank you for all your help.
  21. 1 point
    More than likely not. There are too many threads about this ransomware to keep track of, or to be able to reply to all of them. Our recommendation is to keep an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters: https://www.bleepingcomputer.com/ If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news: https://www.bleepingcomputer.com/feed/
  22. 1 point
    This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  23. 1 point
    For reference: Previously, this method was still in CryptoMix Ransomware and some other ransomware. In the same way, it was possible to decrypt files encrypted offline with keys if the PC was disconnected from the Internet or the ransomware server was inaccessible.
  24. 1 point
    The Online/offline ID thing only applies to the STOP/Djvu ransomware, as it uses pre-programmed credentials to encrypt files when it can't connect to its command and control servers so that the criminals can try to maximize their illicit income from victims paying the ransom.
  25. 1 point
    The ID is in the ransom note. It is not divided into online and offline, as is done in 'STOP Ransomware'. At this point in time there have been no public results of research yet. Or I haven't seen them yet. Decryption without an original decryptor and private keys is a rather time-consuming process. Here you or we can't somehow speed up the process or push decryption specialists. They will do everything they can and even more. You and we just need to wait for the results.
  26. 1 point
    Ok thank you sir. I always trust you, and I'm waiting only for your AVADDON decrypter. I never trust them. Please consider my request. Shall I reinstall Windows or not? Because until AVADDON affected my PC, I used Windows 7 Professional; now it has expired and is not secure, so I'm going to upgrade to 10. Are there any problems for my important ransomware-affected files from upgrading my Windows? Please sir... answer. Should I keep those files on the same PC with the same Windows, or can I move them to another disk?
  27. 1 point
    Thanks a lot for your great help sir. You are one of the true AVENGERS who save the real world from ransomware and malware. I use your antivirus sir. And please, I kindly request you to create a 100% successful way to decrypt Avaddon-infected files. There are many important files there. I spent a lot of time to create them, but in a few seconds that ransomware has spoiled my work. Please sir please... I'm waiting for your answer.
  28. 1 point
    The information about the encryption used can be found at the following link: https://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fid-ransomware.blogspot.ru%2F2016%2F11%2Fdharma-ransomware.html It's secure encryption, and there's no way to crack it. If you were able to get a memory dump from the ransomware while it was encrypting files, then it more than likely wouldn't help. RSA keys use a public key to encrypt, and a private key to decrypt. The private key is kept safely in a remote server while the ransomware uses the public key to encrypt files, and there's nothing you can learn from the public key that would help with decryption of files. I would believe the keys are generated securely, and if they were generated on a remote server then you could never be entirely certain what time they were generated, and so even if there was the possibility of a time-based RNG exploit then you wouldn't be able to do anything with it. They won't get powerful enough fast enough. The odds are much better of law enforcement catching the criminals and confiscating their database of private keys. We don't normally recommend that, however if you feel that's the only way to get your files back in a reasonable amount of time then we understand that you have to do what you feel is best.
  29. 1 point
    Every software company goes through occasional periods where their software has bugs. We understand it's frustrating, but we had to make a lot of changes to Windows Security Center integration to meet Microsoft requirements going forward, and with changes like that it's not abnormal for there to be at least a few bugs. Keep in mind as well that problems with Anti-Virus registration with the Windows Security Center aren't uncommon regardless of whose Anti-Virus you're talking about. Microsoft APIs aren't always bug-free either.
  30. 1 point
    Dear Amigo-A, thanks for your response. Okay then, I'll be waiting for the positive result. Hope it'll help to restore my files soon *fingers crossed* ☺️ Btw, can you tell me how long it takes for the decryption specialists to figure out how to decrypt .avdn files? Because I urgently need my files. Thank you so much for your help.
  31. 1 point
    Avaddon Ransomware One of the victims, at my request, provided encrypted files and a ransom note. I added to this malware samples, early and newest. This is analyzed by decryption specialists. If there is a positive result, I will let you know. This will apply to all cases that have been until today.
  34. 1 point
    I need at least 3-5 different types of files (png, jpg, rtf, txt, doc) for the test.
  35. 1 point
    @Manoj Kumar The Emsisoft Decryptor was updated with the key for the .usam extension.
  36. 1 point
    Avaddon Ransomware uses the .avdn extension. Are you sure you have a .pvdn extension? Attach several encrypted files and a note from the ransomware to the message. Most likely the note will be in HTML format (for example, 567432-readme.html), so you need to put it in an archive and only then attach it to the message. Otherwise, forum protection will distort this file and I will not find in it what needs to be seen. Or send files to me using the site https://dropmefiles.com/
  37. 1 point
    This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  38. 1 point
    @GT500 is a solution expected soon? Also, do I get a medal for this one? Sometimes I feel like people can't be bothered, but I make any effort I can to help make products better.
  39. 1 point
    Hello Sir, I am from India; here most of the innocent people don't even know the basics of computers. It's my parents' laptop; they only know copy and paste. It got affected by .lokd. On behalf of all the innocent people, I am putting my humble request to you to sort out this issue as soon as possible. Thank you. Your personal ID: 0212Asd4a7d6ZHwhSWv4UBPdta8bPx4MWySjbd1cTioHb6WL3Bt1
  40. 1 point
    @haydn - I've been googling for info about the DebugDiag tool. I found a series of screenshots - at https://www.cantabilesoftware.com/support/DebugDiagTool - which show that setting (v1.2 of the tool) up to collect a series of dumps (albeit for a specific product) requires you to specify where they will be put. Presumably the earlier version of the tool also gave a user a chance to specify where dumps etc. would be written? Or failing that, used a standard location and told you where it was? I don't understand how anyone could set something like this up and then not keep an eye on what it was collecting. Also... did you ever look at the dumps? Did you run any of the diagnosis scripts? Did the tool ever do anything that you found useful? It seems to me that these tools are only of use to developers (because whatever information is in the dumps etc. will only mean something to them, and in any case only they can actually fix the programs that are failing). The only situation where a user might use this tool is (like in the "Cantabile" support link above) when a product's developers need a particular user to use the tool to collect information which will then be sent to the developers. I wouldn't expect any normal user to do this unless explicitly told to by some company's tech support staff.
  41. 1 point
    It's been a while since I've had to answer that question, so let me check with QA to make sure I give you the right answer. If you excluded the application from both scanning and monitoring, and it didn't help, then EAM almost certainly isn't the cause of the issue. When an application is excluded from both scanning and monitoring, EAM won't even open hooks to it when it's running. EAM should also list the status as "Excluded" in the Behavior Blocker processes list. The UI has to load the information from a2service.exe, and it needs to load all of the information that appears in the list, which can take a few seconds to complete. The UI framework we use may also slow it down a little bit, since I would believe it is rendering the list as an HTML table (or something to that effect). Off the top of my head I don't know how frequently the list refreshes, however I don't think it's intended to be a real-time processes list. The amount of time it takes to load the data from a2service is just too long in most cases. Virtualization software (VMware Workstation, VirtualBox, etc.) to run Windows in an isolated environment with snapshot support might help with that. Especially since you can still run most flavors of Linux as the host OS, and then just fire up Windows as needed.
  42. 1 point
    If an EAM installation is not already in a workspace, then it can be easily added to one by downloading via the "Add device" button in your workspace's overview in MyEmsisoft. Downloads from MyEmsisoft should also already be linked to your account, and not require activation.
  43. 1 point
    We don't find them. They're donated by victims with offline ID's who have paid the ransom. That's why we can't know when we'll receive a private key for an offline ID.
  44. 1 point
    In 2020.6 we added a new service for handling reporting to the Windows Security Center. As for why exactly WSC isn't reading the status of EAM correctly, we're not certain if that's a bug on our side or Microsoft's (WSC has always been flaky). The only known fix for this issue right now is to uninstall EAM, restart the PC twice, and then reinstall EAM. We recommend downloading from MyEmsisoft if you already have an account, otherwise you can find alternate downloads at the link below: https://help.emsisoft.com/en/1597/download-installation/
  45. 1 point
    @Cineatic There is an ongoing thread about this here https://support.emsisoft.com/topic/33516-why/
  46. 1 point
    Okay, this is getting worse. Apparently my father's laptop was infected by STOP/Djvu, and all the files were locked with a .PEZI extension, BUT here is the thing: the ransomware jumped into my computer through the INTERNET!!! I swear I am so lucky; I mean I was literally sitting in front of my computer seeing the process start and do the encryption. I was viewing photos on my disk E and it started the encryption process from disk E! In front of my eyes, as I watched, seeing my files get locked, the only possible and smart thing to stop the process I could think of was removing the LAN connection (internet) to my PC. THANKFULLY the encryption stopped after encrypting all the 16 useless files; those files were of no use. So yeah, I got a little too lucky there. So what should I do now? I switched the mode to safe mode and I ain't going back to regular Windows until and unless I create a backup! Can I create a backup in safe mode?
  47. 1 point
    I think those settings only apply to UWP apps (from the Microsoft Store). They run in an AppContainer, and their access to the system is restricted by more than just whether or not they have admin rights. EAM by contrast is a traditional Windows application, and doesn't run in an AppContainer.
  48. 1 point
    OK, I have just tried that (I also toggled the EAM yesterday as it happens, and Fast Startup is disabled on my machine) and while it worked following a restart, I've just turned the machine on again (hard boot) and it's happened again: WSC showed 'getting protection info' and the revolving circle of dots for about 2 minutes, then it gave up and now shows the yellow exclamation mark icon again. I have debug logs for this if they're of interest.
  49. 1 point
    This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
    This is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
    Translation provided by Google: This is an offline ID, but we don't have a private key yet. We recommend running the decrypter once or twice a week so that you can see when we were able to add the private key for your variant. There is more information at the link below: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  50. 1 point
    Ransomware infections are unique in many ways. Most importantly, a lot of the natural instincts which are usually correct when dealing with malware infections can make things worse when dealing with ransomware. Please see the following steps as a guideline when dealing with your ransomware infection.

    Do not delete the ransomware infection
    The natural instinct of most users is first to remove the infection as quickly as possible. This instinct is, unfortunately, wrong. In most cases, we will require the ransomware executable to figure out what exactly the ransomware did to your files. Finding the right ransomware sample becomes infinitely more challenging when you have deleted the infection and can't provide us with the ransomware. It is okay to disable the infection by disabling any autorun entries pointing to it or by quarantining the infection. However, it is important not to delete it from quarantine or to remove the malicious files right away without a backup.

    Disable any system optimisation and cleanup software immediately
    A lot of ransomware will store either itself or necessary files in your temporary files folder. If you do use system cleanup or optimisation tools like CCleaner, BleachBit, Glary Utilities, Clean Master, Advanced SystemCare, Wise Disk/Registry Cleaner, Wise Care, Auslogics BoostSpeed, System Mechanic, or anything comparable, disable those tools immediately and make sure there are no automatic runs scheduled. Otherwise, these applications may remove the infection or necessary ransomware files from your system, which may be required to recover your data.

    Create a backup of your encrypted files
    Some ransomware has hidden payloads that will delete and overwrite encrypted files after a certain amount of time. Decrypters may also not be one hundred percent accurate, as ransomware is often updated or simply buggy and may damage files in the recovery process. In those cases, an encrypted backup is better than having no backup at all. So we urge you to create a backup of your encrypted files first, before doing anything else.

    Server victims: Figure out the point of entry and close it
    Especially recently, we have seen a lot of compromises of servers. The usual way in is by brute-forcing user passwords via RDP/Remote Desktop. We firmly suggest you check your event logs for a large number of login attempts. If you find such entries or if you find your event log to be empty, your server was hacked via RDP. It is crucial that you change all user account passwords immediately. We also suggest disabling RDP if at all possible, or at least changing the port. Also, it is important to check all the user accounts on the server, to make sure the attackers didn't create any backdoor accounts of their own that would allow them to access the system later.

    Figure out what ransomware infected you
    Last but not least, it is important to determine what ransomware infected you. Services like VirusTotal, which allows you to scan malicious files, and ID Ransomware, which lets you upload your ransom note and encrypted files to identify the ransomware family, are incredibly useful, and we will probably end up asking you for the results of either of these services. So by providing them right away, you can speed up the process of getting back your files. If you struggle with any of these points, please feel free to ask for help. Our ransomware first aid service comes with no strings attached and is free for both customers and non-customers.
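The "Server victims" step above tells you to look for a large number of login attempts, or for an emptied log, but does not say what that looks like in practice. The following script is an added example (not part of the original post, and not an Emsisoft tool) that applies both checks to a handful of constructed records: it flags any source address with five or more failed RDP logons inside a ten-minute sliding window, notes whether that same source later logged in successfully, and reports any "audit log cleared" event. The record layout is a simplified comma-separated shape invented for the example, not the real Windows Event Log format; the event IDs and logon types (4625 failed logon, 4624 successful logon, 1102 audit log cleared, logon type 10 for Remote Desktop) are the standard Windows values, while the timestamps, account names, addresses, window and threshold are all assumptions.

```python
# Added example, not part of the original post: a small triage script for the
# "check your event logs for a large number of login attempts" advice.
# Input is constructed sample data only; no real logs are read.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified comma-separated shape (NOT the real
# Windows Event Log format). Fields: timestamp, EventID, LogonType, account,
# source address. Meaning of the values used (standard Windows semantics):
#   4625 = failed logon, 4624 = successful logon, 1102 = audit log cleared,
#   LogonType 10 = RemoteInteractive (RDP), LogonType 2 = local interactive.
SAMPLE_EVENTS = """\
2020-06-10T02:14:01,4625,10,Administrator,203.0.113.45
2020-06-10T02:14:09,4625,10,admin,203.0.113.45
2020-06-10T02:14:18,4625,10,Administrator,203.0.113.45
2020-06-10T02:14:27,4625,10,backup,203.0.113.45
2020-06-10T02:14:35,4625,10,sqladmin,203.0.113.45
2020-06-10T02:14:44,4625,10,Administrator,203.0.113.45
2020-06-10T02:15:02,4625,10,Administrator,203.0.113.45
2020-06-10T02:15:10,4624,10,Administrator,203.0.113.45
2020-06-10T08:30:12,4625,10,jsmith,198.51.100.7
2020-06-10T08:30:40,4624,10,jsmith,198.51.100.7
2020-06-10T09:12:00,4625,2,jsmith,127.0.0.1
2020-06-10T11:05:00,1102,,SYSTEM,-
"""


def parse_events(text):
    """Parse the simplified records into dicts; LogonType is None when absent."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, account, source = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type) if logon_type else None,
            "account": account,
            "source": source,
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source addresses with at least `threshold` failed RDP logons inside
    any sliding `window`, and record whether the same source later logged in
    successfully (the sign that one of the guessed passwords worked)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:      # only Remote Desktop logons matter here
            continue
        if e["event_id"] == 4625:
            failures[e["source"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["source"]].append(e["time"])

    findings = {}
    for source, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start, peak = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            first_failure = evs[0]["time"]
            findings[source] = {
                "max_failures_in_window": peak,
                "accounts_tried": sorted({e["account"] for e in evs}),
                "succeeded_later": any(t > first_failure for t in successes[source]),
            }
    return findings


def find_log_clearing(events):
    """Return timestamps of 'audit log cleared' events: an empty or freshly
    cleared security log is itself a finding, as the guideline notes."""
    return [e["time"].isoformat() for e in events if e["event_id"] == 1102]


EVENTS = parse_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    for source, info in find_rdp_bruteforce(EVENTS).items():
        print(f"possible RDP brute force from {source}: {info}")
    for when in find_log_clearing(EVENTS):
        print(f"security log was cleared at {when}")
```

On the constructed data, 203.0.113.45 is flagged with seven failures in about a minute across four account names followed by a successful logon, 198.51.100.7 (a single mistyped password) is not, and the cleared-log event at 11:05 is reported separately. On a real server the same logic would be fed from the Security log (Event Viewer or Get-WinEvent) after mapping its fields onto the five columns used here.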