Popular Content

Showing content with the highest reputation since 06/17/19 in all areas

  1. 1 point
    I'll pass this on to the maker of STOPDecrypter, but note that we need to have the MAC addresses of every network adapter on the computer (even if it isn't a normal ethernet adapter). Hopefully the information you provided will be enough to be able to find your decryption key quickly, however please note that we can't make any promises.

    That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to: https://id-ransomware.malwarehunterteam.com/

    While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter

    Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean.

    While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

    Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  2. 1 point
    It's not abnormal for different companies to give different names to the same malware.
  3. 1 point
    This is GlobeImposter. Simply, analysts from KasperskyLab, who research the samples, like to joke and give informal names.
  4. 1 point
    .id-C8DAE7D0.[[email protected]].html - this is the format of Dharma Ransomware (detailed description + link to English translation in the title of the article). These extortionists have been robbing users for 2.5 years with impunity and law enforcement agencies are shamefully inactive.
  5. 1 point
    What are the following files?
    C:\Windows\System32\antimalware.exe
    C:\Windows\system32\silcollector.cmd
    C:\Windows\system32\TSMSISrv.dll

    That last file (TSMSISrv.dll) may be the stage 2 payload from the malicious version of CCleaner (5.33) that was released after Piriform's systems were compromised. Keep in mind that there is also a legitimate Windows file with this same name, however I don't think it's normally in this location.

    Your files are not infected. They're encrypted. Most ransomware will delete itself after all of the files on the computer are encrypted. In this case, since the compromise was more than likely via RDP, an attacker simply logged in to the server after brute forcing credentials to an account (more than likely one with admin rights) and manually copied the ransomware to the server and executed it, and they don't like to leave traces of their compromise behind (beyond the encrypted files and ransom notes), so they generally delete everything they copied to the system themselves.

    Since this is almost certainly RDP compromise, I'll paste some basic steps to getting started securing RDP below:

    First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

    If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

    Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions). I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

    When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc.) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
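    An added example for the RDP audit described in the post above (this is not the poster's script): it lists the Windows Firewall rules that expose TCP 3389 and summarises failed logons by source address so the brute-force pattern can be confirmed from the Security log. It assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated session with read access to the Security event log.

```powershell
# Added example, not part of the forum post above. Run in an elevated PowerShell
# session on the affected server (needs the NetSecurity module, i.e. Windows 8 /
# Server 2012 or later, and read access to the Security event log).

# --- 1. Which enabled inbound rules allow TCP 3389 (RDP), and from where? ---
$rdpRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        # A globally open RDP port is exactly what the post advises against.
        Write-Warning "Rule '$($rule.DisplayName)' allows RDP from ANY address; restrict it to the VPN subnet or disable it."
    } else {
        Write-Output "Rule '$($rule.DisplayName)' allows RDP only from: $($remote -join ', ')"
    }
}

# --- 2. Failed logons (Security event 4625) in the last 24 hours, by source IP ---
# A few addresses with hundreds of failures against admin accounts is the
# brute-force pattern described above. LogonType 10 = RemoteInteractive (RDP);
# with Network Level Authentication enabled the failures often show as type 3.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the named fields out of the event's XML payload.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        SourceIp  = $data['IpAddress']
        Account   = $data['TargetUserName']
        LogonType = $data['LogonType']
    }
} |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Select-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

    Sources that appear here with many failures are candidates for the per-IP firewall restrictions the post recommends; the event log only goes back as far as its retention allows, so check it before it rolls over.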
  6. 1 point
    Thanks a lot!! I don't have access to any executable. I suspect that it was remote access, and there is no trace of commands in the NAS filesystem or on attached local network computers 😞 Really, I didn't have certainty about the correctness of the file pair I submitted. But your discovery of the base64 encoding of the filenames (really great!!) gives a clue in order to attempt looking for a good file pair. If I obtain a good file pair I will submit it here. Thanks, you do a great job!! Francisco Sancho
  7. 1 point
    @fajar313 Good news for you. This ID was added to the STOPDecrypter and now you can decrypt the files with the new version of the STOPDecrypter. https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  8. 1 point
    If you want notifications about changes in regards to ransomware, then the two best options are either to subscribe to e-mail notifications from ID Ransomware or subscribe to BleepingComputer's RSS feed: https://id-ransomware.malwarehunterteam.com/notify.php https://www.bleepingcomputer.com/feed/
  9. 1 point
    @MohammadALotfy In addition, you can attach the same files to your message. We will check by service and independently. Sometimes checking by ID Ransomware leads to several results, because the criminals are trying to deceive it, or points to a completely different version of the same extortionist, which is not decryptable. In this case, most likely, there will be a result which points to NonRansomware, which is decryptable. But the first and second variants with the .bkc extension are not decrypted with this same decrypter. In fact: the .bkc extension is added to files by Blitzkrieg Ransomware. This is the first and correct name, which it received when the information was published in the Digest "Crypto-Ransomware" and tweeted on Twitter. Afterwards the variant with the .non extension appeared. In reality NonRansomware does not exist; this name was coined for the decoder, pulled out of nowhere. --- I checked the NonDecrypter again. The decrypter for the .non extension cannot decrypt encrypted files which have a .bkc extension.
  10. 1 point
    It is recommended to upload a copy of the ransom note along with an encrypted file to ID Ransomware so that it can be verified which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply.
  11. 1 point
    All Emsisoft decrypters: https://www.emsisoft.com/decrypter/ There will be a message in my article, if I am lucky enough to live to see such a significant event.
  12. 1 point
    The FRST fix appears to have run correctly. That should take care of everything that I saw in your logs. How are things running?
  13. 1 point
    Hi Damaxx, can you share the decryptor? I wanted to try whether it will work for my files or not.....
  14. 1 point
    Do the following:
    Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

    2019-06-25 15:25 - 2019-06-25 15:25 - 000000000 _D C:\Users\klime\Desktop\umowy
    2019-06-24 19:00 - 2019-06-24 19:27 - 000000000 __D C:\Users\klime\AppData\Roaming\vrguqgoqzs
    2019-06-24 15:59 - 2019-06-24 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\tmumh
    2019-06-24 15:59 - 2019-06-24 15:59 - 000000000 ____D C:\WINDOWS\system32\tmumh
    2019-06-20 22:15 - 2019-06-20 22:15 - 000000048 ____H C:\Program Files (x86)\k5wlusm0mk.dat
    2019-06-18 11:55 - 2019-06-18 11:55 - 000001024 C:\WINDOWS\SysWOW64\%TMP%
    ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> Brak pliku
    ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> Brak pliku
    ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> Brak pliku
    ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> Brak pliku
    ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> Brak pliku

    Close Notepad.
    NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
    Run FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
    NOTE: If the tool warns you about an outdated version, please download and run the updated version.
  15. 1 point
    The .pumax variant is 100% decryptable if you follow the instructions in the README.txt and provide it an encrypted file and its original. Don't bother with the ID and MAC, I don't need to archive those for that variant.
  16. 1 point
  17. 1 point
    There is no free way and no free file decryption tool. Alas.
  18. 1 point
    This is almost certainly GlobeImposter 2.0, however you can verify that using ID Ransomware: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  19. 1 point
    One more case here. Files encrypted over last weekend - .COPAN extension added and as far as I can see no single trace of ransomware software left except ransom notes. Attached ransom notes and two encrypted files. Best regards and thank you.
    TEHNIČKA PODRŠKA.xlsx.COPAN
    Tehnički zadatak.docx.COPAN
    HOW TO DECRYPT FILES.hta
    HOW TO DECRYPT FILES.txt
  20. 1 point
    Possibly in the future, just give us some time. 😉