GT500

Emsisoft Employee

Everything posted by GT500

  1. GT500

    Ransomware attack - (.DJVUR)

    Just so that everyone knows, Michael Gillespie is still working on analyzing the encryption method of the ransomware. There appears to be some conditions under which it might be decryptable, and if he can find a way to help with recovery of files then he will more than likely let me know (or BleepingComputer will announce it in their news).
  2. Windows 10 does have more than one method it can use for scaling, so it's possible that one of the alternate methods might work better.
  3. GT500

    [email protected] ransomware attack

    There are tons of VPN solutions available. OpenVPN tends to be the most popular. Windows has a built-in VPN protocol called point-to-point tunneling protocol (PPTP) which can be used when configuring VPN options in Windows without third-party software. Most VPN solutions are intended to use UDP packets, however if you need to use TCP due to connection quality issues then note that SoftEther is designed to be more efficient while using TCP packets for VPN connections. And, of course, many routers these days (especially enterprise class routers) have OpenVPN-compatible VPN servers built right in. If your router doesn't, then you can always check and see if there's a version of the DD-WRT, Tomato by Shibby, or FreshTomato (still in beta) firmwares available for your router.

    Also, here's some advice to help get you started on dealing with RDP compromise:

    First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

    If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

    Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

    I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

    When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
  4. GT500

    Ransomware attack - (.DJVUR)

    We discourage sharing of potentially malicious files with others on these forums. It's best to upload things to VirusTotal, and send a link to the analysis to us. Or to send them to us privately.
  5. GT500

    Ransomware .no_more_ransom

    I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that we can see if it still flags it as a variant of Rapid: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  6. GT500

    Ransomware attack - (.DJVUR)

    It's been identified as a variant of the STOP ransomware. Michael Gillespie is still analyzing the encryption method, however there is someone who has offered to assist people with possibly decrypting their files. There is more information at the following links: https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-15#entry4663667 https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-suspended-yourdatarestore-txt-support-topic/page-16#entry4663935
  7. If this is indeed a variant of the Scarab ransomware, then Dr.Web may be able to decrypt the files. In order to request decryption service from them, they require you to have a license for their business Anti-Virus software. There's a reseller of their products (Emmanuel) who offers assistance on the BleepingComputer forums with contacting Dr.Web to see if decryption is possible. You can find more information at the following link: https://www.bleepingcomputer.com/forums/t/651855/scarab-mich78-ransomware-scarab-scorpio-mich78usacom-support-topic/page-22#entry4516375 Note that since Emmanuel is a reseller for Dr.Web, he will make at least some money from helping you if Dr.Web can decrypt your files and you decide to purchase a license key for their software. As far as I know, you won't be charged anything just for finding out whether or not your files can be decrypted, so feel free to contact him if you would at least like to know if it's possible for Dr.Web to help you.
  8. Unfortunately I can't increase or decrease the priority of bug reports. Have you tried changing the DPI to see if things work better at other settings? It may not be ideal, but it might at least make things usable.
  9. I would believe that exceptions have to be added from the notices that a page has been blocked. I logged in to SoundCloud using a shared account on BugMeNot, and tried playing a number of tracks listed on the page. The play/pause button seemed to respond fine in every case. How often does this happen?
  10. GT500

    Unable to re-install Emsisoft

    If either of you are able to get it to happen again, then let me know, and we can collect some debug info.
  11. GT500

    Random Scan messages

    I'm glad to hear that you were able to find the setting. If you need anything else, then please let us know.
  12. GT500

    .wq2k possible B2DR ransomware

    You're welcome. Hopefully that will at least help prevent it from happening again.
  13. GT500

    Random Scan messages

    @stapp is more than likely correct. This sounds like the Quarantine Re-scan feature. When there's something in the Quarantine, Emsisoft Anti-Malware can re-scan it each time it downloads updates. By default this is done automatically, however there's an option to have it ask you if you'd like for it to re-scan quarantined objects, and an option to turn the Quarantine Re-scan off entirely.
  14. If one was purchased recently, then it may have been after we started some licensing changes. When using a license key purchased after these changes, Emsisoft Anti-Malware will identify itself as "Emsisoft Anti-Malware Home" or "Emsisoft Business Security" based on the type of license purchased. Note: Currently all of the features are the same regardless of license type, however it is always possible for that to change in the future, with the features of Emsisoft Anti-Malware Home being geared more towards the average user, and features of Emsisoft Business Security being geared more towards the needs of businesses.
  15. Do they both use the same license key?
  16. GT500

    Custom scan problems

    I'll ask Frank if this appears to be the same issue.
  17. GT500

    Emsisoft browser security

    You're welcome.
  18. GT500

    Ransomware attack - (.DJVUR)

    Thank you. I have forwarded that to our malware analysts so that they can take a look at it. I'll let you know if they find anything useful.
  19. GT500

    Ransomware attack - (.DJVUR)

    One of our malware analysts already did that, and the downloaded file did not appear to be ransomware.
  20. GT500

    Emsisoft browser security

    To my knowledge it isn't OS dependent, so in theory it should work on any platform and in any browser that supports Firefox or Chromium extensions. Keep in mind though that we don't spend much time searching for threats to Unix based systems, so the main benefit for a non-Windows OS would be the phishing protection.
  21. GT500

    Custom scan problems

    You mean the service crashed, or the thread that was scanning abnormally terminated in a way that wasn't caught? BTW: I wasn't able to reproduce the issue on Win 10 x64.
  22. GT500

    Ransomware attack - (.DJVUR)

    That link is to one of those obnoxious download sites that hides the real download link under a bunch of ads. I was told by one of our malware analysts that you have to click on the close button in one of the ads three times before it would show the real download button. Do you remember if you did that, or if you clicked on the download button in one of the ads?
  23. GT500

    .wq2k possible B2DR ransomware

    It probably just took that long for someone to run a port scan on that IP address, find the open RDP port, and brute force the password. Such things have only become a major issue in the last couple of years, and while it was theoretically possible for it to have happened before that, you didn't have a large number of people with malicious intent running port scans on IP ranges looking for open ports in order to gain access to systems and install ransomware.

    In case it helps, here's some basic advice for getting started dealing with RDP compromise:

    First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

    If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

    Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

    I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

    When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
  24. There is currently no known way to decrypt files that have been encrypted by GandCrab 5.0.4. You can keep an eye on the Bitdefender download page for their GandCrab decrypter to see if/when they update it for version 5.0.4: https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
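The RDP-compromise advice in posts 3 and 23 above (close globally open ports, audit, then reopen sensitive services only for the VPN address range) can be checked and applied on a Windows host with the following PowerShell script. This is an added example, not code from GT500 or Emsisoft; the VPN subnet 10.8.0.0/24, the rule name and the list of sensitive ports are assumed placeholders.

```powershell
# Added example, not from the forum post: list inbound Windows Firewall rules that
# expose sensitive services to every remote address, then replace the global RDP
# rule with one limited to the VPN address range. Run from an elevated PowerShell
# on the Windows host being audited. All values below are assumed placeholders.
$SensitivePorts = @{ '3389' = 'RDP'; '445' = 'SMB'; '139' = 'NetBIOS'; '135' = 'RPC' }
$VpnSubnet      = '10.8.0.0/24'        # assumed: addresses handed out by the VPN server

function Get-GloballyExposedRule {
    # Returns one object per enabled inbound allow rule whose local port is in
    # $SensitivePorts and whose remote address filter is 'Any' (open to the world).
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule   = $_
        $ports  = ($rule | Get-NetFirewallPortFilter).LocalPort
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        foreach ($p in @($ports)) {
            if ($SensitivePorts.ContainsKey("$p") -and (@($remote) -contains 'Any')) {
                [pscustomobject]@{
                    Rule    = $rule.DisplayName
                    Service = $SensitivePorts["$p"]
                    Port    = "$p"
                    Profile = $rule.Profile
                }
            }
        }
    }
}

# Step 1 of the post: see what is open globally before touching anything.
$exposed = Get-GloballyExposedRule
$exposed | Format-Table -AutoSize

# Step 2: close the globally open RDP rules (-WhatIf previews; drop it to apply).
$exposed | Where-Object Port -eq '3389' | ForEach-Object {
    Disable-NetFirewallRule -DisplayName $_.Rule -WhatIf
}

# Step 3: reopen RDP only for the VPN address range, on the Domain and Private
# profiles, so the service is reachable solely through the VPN tunnel.
New-NetFirewallRule -DisplayName 'RDP from VPN only (assumed name)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $VpnSubnet -Profile Domain, Private -WhatIf
```

The same Get-GloballyExposedRule report is worth re-running after the audit to confirm nothing sensitive was reopened to Any by a later rule change.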