Leaderboard

Popular Content

Showing content with the highest reputation since 03/08/20 in all areas

  1. Note: It is recommended to make a backup of all important files before using the decrypter. Link to decrypter download page. <- The decrypter will tell you if your files are decryptable, whether you're dealing with an "old" or "new" variant of STOP/Djvu, and whether your ID is online or offline. Link to instructions for using the decrypter (PDF). Link to "file pair" submission form. Link to more information about the decrypter. <- Article at BleepingComputer.com Link to more detailed information about STOP ransomware (covers more than just STOP/Djvu). <
    6 points
  2. Everything is clear, except the parts that are in Russian. I'm going to send you a private message with some instructions.
    3 points
  3. Hello, The posts you found are more than 5 years old. In terms of security software that means the information there is severely outdated. In the past years considerable changes have been made to our products and currently Emsisoft Anti-Malware protects against fileless malware. Fileless malware detection has nothing to do with the reputation settings you asked about; our behavior blocker routines were adapted to adequately detect and block fileless malware a few years ago.
    2 points
  4. The issue appears to be due to non-Latin characters in workspace names. We've implemented a workaround for this, so hopefully that resolves the update issues.
    2 points
  5. We've found a minor difference in the ransomware from what we've seen previously that affected brute-forcing the key, however we were able to do it manually. Use this key file along with the decrypter (put them in the same folder and run the decrypter): https://gt500.org/emsisoft/forum_files/2020-09-18/radansya/decryption.key
    2 points
  6. The guy in the video is basically just saying that if you pay the ransom you'll get your files back. The video, and any information in it, are utterly useless.
    2 points
  7. EAM's debug logging (which is completely different from the Forensic log) creates a lot of extra log data. It's a continual trace of what EAM is doing internally. It has to be on before the problem happens so that those logs show the logic of what EAM was doing when it hit the problem, and what it did next. Some people (me, for example) almost always have debug logging on... but I stop and start it every three or four days and throw away the accumulated log files. However whenever I have a problem I already have the logs to send to Emsisoft. Debug logging will slow your machine down
    2 points
  8. I can't make any guarantees that we'll leave a message here if someone does make a decrypter. It's probably best to follow BleepingComputer's ransomware news, as they are a reasonably reliable source for such news.
    2 points
  9. Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future. We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters: https://www.bleepingcomputer.com/ If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news: https://www.bleepingcomputer.com/feed/ There is no way to know for certain, however it is theoretically possible that someone may be a
    2 points
  10. In theory it's possible, if private keys are released that can be used to decrypt files, or if someone finds a vulnerability in the way the ransomware encrypts files.
    2 points
  11. This information may help specialists. I have added even more samples to my article. We will try to analyze all incoming samples in the hope that something will change. You need to collect all encrypted files. If decryption becomes possible, information will be published and you will receive a message from support specialists. A rare specialist works on weekends. I work daily, but unfortunately my strength and desire to help you are not enough to decrypt.
    2 points
  12. In the sample that encrypts files with the .avdn extension, there is no code from the real MedusaLocker Ransomware. There is a small piece of code in another sample that adds a 'random' extension to encrypted files, but this piece is not the base. It is well identified by antivirus engines as Avaddon Ransomware.
    2 points
  13. DrWeb support usually does not use international names of ransomware.
    2 points
  14. Results of checking your files: https://id-ransomware.malwarehunterteam.com/identify.php?case=9da99e33569fe0af64a43b520f35bababd09ad3c https://id-ransomware.malwarehunterteam.com/identify.php?case=2e2e29f85fe2918c33683e2faeade22e51cf81ec https://id-ransomware.malwarehunterteam.com/identify.php?case=2f1a3356c8705f995285ab41e9456bc61f11d20e
    2 points
  15. Hello. "Information was sent to the virus monitoring team, please wait for a reply." I received such a message from Dr.Web specialists. They are working on decryption.
    2 points
  16. This is the general page for all decryptors from Emsisoft. There is no decryptor for files encrypted by this ransomware yet. https://www.emsisoft.com/ransomware-decryption-tools/free-download
    2 points
  17. I must say more precisely: you trust Emsisoft. Personally, I only help a little to unmask the ransomware.
    2 points
  18. The ransomware doesn't need to put important information on the same hard drive/partition as the files it encrypted. This is why I recommend waiting to reinstall Windows.
    2 points
  19. Don't reinstall Windows until we know for certain what is needed to decrypt files. If there is something other than what's contained in the encrypted files and the ransom notes that's necessary for decryption, then you could wipe that out by reinstalling Windows, thus making it impossible to decrypt your files. For now just rely on Anti-Virus software to clean up the system. If you're not certain if it's clean, then let us know, and we can assist you.
    2 points
  20. Specialists of several companies (Emsisoft, DrWeb) are working on decryption of files that are encrypted by Avaddon. There are currently no decryptors and no successful decryption methods without paying the ransom.
    2 points
  21. I am waiting for the verification results. I have provided samples of files and malware, it remains to wait and hope. It is worse when they immediately say that "decoding by our forces is impossible."
    2 points
  22. My WSC does not recognise EAM either. Recommending that we should "uninstall EAM, restart the PC twice, and then reinstall EAM", on top of having to constantly disable and re-enable EAM components to deal with the still unfixed issue of excessive CPU usage, is unacceptable for a piece of software that is not exactly cheap.
    2 points
  23. I'd say turning it either on or off is optional, however Microsoft does seem to think that computers would be more secure with this option turned on.
    2 points
  24. That means you have files encrypted by an offline key. They can be decrypted WHEN/IF Emsisoft recovers the offline/private key. Suggest you run the decrypter on a test bed of some of these files every week or so to check. Emsisoft doesn't announce key recoveries. Suggest you run the decrypter NOW.
    2 points
  25. We can take a look at it if you find it again, however it's more than likely that each computer will require a different private key to decrypt files, and thus the decrypter will only work on a specific computer.
    2 points
  26. Password protected archives work, as long as the password isn't posted with the link. Personally I prefer malicious files to be uploaded to VirusTotal and the link to the analysis posted, as we can download from VirusTotal but the average person who comes across our forums can't. Just keep in mind that all it takes to be allowed to download from VirusTotal is a premium account there, so technically anyone can get access to download files and thus you don't want to upload anything confidential there. We've started an analysis on it as well, however I don't think our malware
    2 points
  27. I have provided links to the analyses above. Emsisoft specialists will receive these files.
    2 points
  28. The Emsisoft Browser Security extension is now available on the Microsoft Addons store for Chromium Edge: https://microsoftedge.microsoft.com/addons/detail/jlpdpddffjddlfdbllimedpemaodbjgn Hopefully we'll be able to update EAM soon to check whether or not it's installed when you launch Chromium Edge.
    2 points
  29. OK. I am very glad that you were able to decrypt the files. Now you need to better protect your computer in order to prevent a new attack.
    2 points
  30. Hello. This link can help! https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/ Bitdefender Labs has made a decryption tool.
    2 points
  31. Such tests aren't reliable. They aren't actually malicious, and may not be blocked by our Behavior Blocker like real ransomware would.
    2 points
  32. @adityagede99, @Chinnhoo Computer, and @Kotari koteswararao this is a newer variant of STOP/Djvu, and your IDs are online IDs, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ @Surasri this is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant. There is more
    2 points
  33. This is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
    2 points
  34. I am glad you got it sorted, andrewek. Enjoy the rest of your weekend!!
    1 point
  35. You need to post here: https://support.emsisoft.com/forum/6-help-my-pc-is-infected/ There are instructions at the top of that forum about the information you need to provide. Good luck!
    1 point
  36. Can you copy the output from the decrypter and paste it into a reply?
    1 point
  37. Hello! I want to say that today the problem with the integration of the EAM into the Windows Security Center has been completely resolved! Thanks a lot to the developers!
    1 point
  38. There is a small possibility, however since they were encrypted by two different ransomwares the odds are not very good. You cannot infect another computer with the encrypted files.
    1 point
  39. 'Roger' is a variant of Dharma Ransomware. LockBit and Dharma can appear together because they are distributed in the same ways. The other day we saw their joint distribution with the same set of exploits. They use a secure file encryption method. It is impossible to calculate the decryption key with modern computing means.
    1 point
  40. It's possible your files were encrypted by one ransomware, and then encrypted by another as well. We wouldn't be able to tell for certain without seeing an encrypted file and a copy of the ransom note.
    1 point
  41. Necessary requirements are indicated on the page https://legal.drweb.com/encoder/?lng=en and in the file-sending form, where they can be attached to the message. For different decryptions, different elements may be needed. File pairs may not be needed if an encoder file was found. But what will happen in each case, I do not know. You can try to send only encrypted files and a note with the ID. The encoder name in the DrWeb database is Trojan.DownLoader33.50335, Trojan.DownLoader33.59028 SHA-256: 05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2 SHA-256: fa4
    1 point
  42. OK, have just tried that (I also toggled the EAM yesterday as it happens, and Fast Startup is disabled on my machine) and while it worked following a restart, I've just turned the machine on again (hard boot) and it's happened again - WSC showed 'getting protection info' and the revolving circle of dots for about 2 minutes, then it gave up and now shows the yellow exclamation mark icon again. I have debug logs for this if they're of interest.
    1 point
  43. "Cloud scanning" is not effective for detecting all types of threats, and at least for now traditional Anti-Virus signatures are still required for proper protection.
    1 point
  44. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
    1 point
  45. I had exactly the same problem on my work computer. All my files got corona-lock. I could not decrypt them with free decryptors. I paid to get a decryptor for my ID, but the decryptor auto-deleted after decrypting my files. If I find it I will post it here, maybe it can help you.
    1 point
  46. According to their manual you can uninstall it from Apps & Features: http://h10032.www1.hp.com/ctg/Manual/c06379792
    1 point
  47. Emsisoft Anti-Malware earns VB100 certification in April 2020 tests by independent security experts Virus Bulletin. The post Emsisoft earns VB100 in April 2020 tests appeared first on Emsisoft | Security Blog. View the full article
    1 point
  48. It released at the same time as Emsisoft Anti-Malware 2020.4, and I don't think a separate changelog was posted for it. The only real change I am aware of was a fix for the issue with the EPP driver not unloading and preventing the EEK folder from being deleted. Note that the computer still needs to be restarted after installing this update before the changes to the EPP driver will take effect.
    1 point
  49. But, @GT500 doesn't that exclude from scanning everything inside the selected folder? The OP does not want that.
    1 point
  50. Newer variants of STOP/Djvu (like the one your files were encrypted by) use RSA keys. We know how the encryption and decryption processes work, and it's not possible to decrypt without the private key. Keep in mind that we have the capability of running the ransomware in safe environments for analysis, and we've analyzed it fairly thoroughly over the year or so that it's been in distribution.
    1 point