GT500 (Emsisoft Employee) - Content Count: 9287 - Days Won: 258

Everything posted by GT500

  1. Note that if you still have a copy of the malicious file that encrypted your files, then you can upload it to VirusTotal and then post a link to the analysis here for us to review: https://www.virustotal.com/ Note that there are a lot of reports of this ransomware coming from pirated software.
  2. I've been told that this is a brand new variant, and we'll need a copy of the ransomware itself before we can be certain about anything. That being said, our best guess at the moment is that your files were encrypted using an online key generated by the ransomware's command and control servers, and even if we were able to get the offline key for this variant of STOP it more than likely won't help you recover your files. Keep in mind of course that this is merely an assumption, and we can't know for certain until we get a copy of this new variant of the ransomware for analysis.
  3. I'll ask and see if STOPDecrypter supports that variant yet.
  4. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  5. A reinstall of Windows can complicate recovery of files, and may even make it impossible to recover some files. It just depends on what was overwritten when reinstalling Windows. There are a number of free and paid recovery software packages listed on Wikipedia at the following link: https://en.wikipedia.org/wiki/Data_recovery#List_of_data_recovery_software I don't have experience with most of them, and have not needed to use software like this in many years, however I am familiar with the following names:
     - BartPE - Discontinued software for building bootable Windows PE disks using files from Windows 2000, Windows XP, and Windows Server 2003 installation disks. BartPE is no longer recommended.
     - KNOPPIX - Classic Linux LiveCD intended for data recovery. I have not used it in over a decade, and there are newer versions I am not familiar with, so I can't say what tools they come with.
     - Windows Preinstallation Environment (WinPE) - A bootable Windows environment intended to be run from a CD or DVD. This doesn't come with data recovery software by default, and I would believe it still boots to a Command Prompt with no other means of interacting with it.
     - Recuva - Freeware file recovery software made by Piriform (the company that makes CCleaner, and was bought out by Avast a few years ago). This is a popular option due to the free price tag, however I am not familiar enough with it to know how effective it is.
     Note that the ones I mentioned may not necessarily be better or worse than other options listed on Wikipedia. Most appear to be commercial offerings, and some can cost a lot of money, however there may be some other freeware tools buried in Wikipedia's list.
     - Active@ File Recovery - This doesn't appear to be listed on Wikipedia, but is worth mentioning anyway. Most of my experience with this company's products revolves around other tools they make, and it's been a long time since I've tried their software, however this should be as good as anything else.
  6. Do the instructions posted by quietman7 at the following link help? https://support.emsisoft.com/topic/30704-kroput-new-ransomware-attack/?do=findComment&comment=191220
  7. Did you run the STOPDecrypter as quietman7 recommended? If so, what did it tell you?
  8. FutureMark probably doesn't consider it a priority, especially when it can be remedied with exclusions.
  9. If he can't reproduce it and provide debug logs, then we'll more than likely not be able to determine why it happened. For now we can only make assumptions.
  10. Firefox can also open PDF files. Then of course there's the popular Foxit PDF Reader, as well as PDF-XChange Editor from Tracker Software. Off the top of my head I know I've heard of security vulnerabilities in Foxit's PDF software, however as far as I know they were fixed long ago. As for the PDF-XChange line of products, I do not recall hearing about security vulnerabilities, however it's important to understand that they can (and probably do) exist in every piece of software.
  11. More than likely 3DMark's software has an issue with the kind of hooks Emsisoft Anti-Malware opens to monitor it. This is something that they will have to fix, as it's a bug in their software.
  12. There are currently no free decryption tools that can decrypt files that have been encrypted by GandCrab version 5.2. BitDefender has a decrypter that works with some older versions, and once they are able to get their hands on the private keys for v5.2 as well then I'm sure they will update their decrypter to support it. You can find more information at the following link: https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
  13. We don't know for certain yet. It's possible that it may have been done remotely, however if that was the case then undelete software almost certainly would be able to recover some of the files. It's also possible that the ransomware was copied to the affected system, and somehow executed (in theory using PHP vulnerabilities, however that's only an assumption at this point). That's entirely possible. Especially since DMZ exposes all ports on the system to the Internet, rather than just the ones you need remote access to. My recommendation is to open only the ports you need, and only open them for IP addresses that need access. If you open a port globally (for all remote addresses) then automated scripts will find them, log them, and eventually someone will initiate an attack against them. Based on this, I'd say the attacker probably brute forced the password for your FTP server and then ran a script that downloaded your files, encrypted them, deleted them from the FTP server, and then uploaded the encrypted files in their place. If this is a Windows system with an NTFS filesystem, then file recovery software will almost certainly be able to get your files back. It might be possible on some Linux systems as well, depending on what filesystem was used.
  14. If it was Quarantine corruption, then you may have solved the problem by deleting files in the Quarantine.
  15. The odds of this being related to Nemucod are extremely low. We're fairly certain this MegaLocker ransomware is something new, and it appears to be targeting anything running vulnerable versions of web server software like PHP. Basically, since a NAS like the ones affected usually runs old versions of the web server software that handles processing the web interface you log into in your web browser, if they're exposed to the Internet at all then they'll more than likely be found and compromised eventually. At the moment there's nothing we can do, as we don't have a copy of the ransomware to analyze, so we don't yet know how its encryption works.
  16. That's almost certainly Dharma. Unfortunately there's no way to decrypt files that have been encrypted by Dharma without first obtaining the private key from the criminals who made the ransomware.
  17. It suppresses all notifications, prevents updates from being installed, and prevents any scheduled scans from running until Silent Mode is turned off. This is done to prevent interruption of a fullscreen game or fullscreen video. The behavior can be changed for each of these in Emsisoft Anti-Malware, such as if you don't want updates to be paused when Silent Mode is on.
  18. In theory it's possible that a2service crashing could have caused this. That being said, more things should have been off than just the logs, and I would have expected the UI to freeze or crash itself without the service running (or at least to display an error message).
  19. I'm really not sure. It's certainly not what the dialog is supposed to say, and the behavior of the dialog in general sounded off from his description. Debug logs might give us an idea what's going on, if it happens again that is.
  20. No, you only run Emsiclean manually after uninstalling. There's no need to fix the issue now, as the EPP driver has been reinstalled.
  21. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  22. Unfortunately there's nothing we can do about GlobeImposter 2.0. The encryption method they use is secure enough that no one has developed a working decrypter for it.