GT500

Emsisoft Employee
Posts posted by GT500


  1. 1 hour ago, Sachin said:

    No key for New Variant offline ID: zmgd82h65FItjbl56ff6P5GS3sZpZ1qEEGUOW6t1
    Notice: this ID appears be an offline ID, decryption MAY be possible in the future

    This is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant.

    There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  2. 4 hours ago, rjrage said:

    Hi! My files are encrypted with .opqz. Here is my personal ID: bWfZNVj3frlFlxu2UmbR0fIpuFnKhRIelpgqy5rp. Please help me. Thank you

    This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

     

    4 hours ago, No name said:

    Your personal ID:
    0216OIWojlj482sfhvaHZRQBH60tTs45GjjQvqbUlsZsuQQBzdMkT

    This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  3. 9 hours ago, DDE_Server said:

    Does it have some sort of key-logger protection?

    Yes, the Behavior Blocker will be triggered by any unknown applications that exhibit keylogger activity, and it will automatically quarantine them.

     

    9 hours ago, DDE_Server said:

    Unfortunately, unlike other vendors' internet security suites, it does not have a dedicated banking protection browser or module, such as Secure Input in Kaspersky or Safepay in Bitdefender, or a protected hardened browser such as in ESET.

    We used to make a firewall software called "Online Armor", and it had a "Banking Protection" feature. Such things are generally just marketing gimmicks relying on existing protection mechanisms, with one or two unnecessary extras thrown in to make the protection sound like it's better than it really is.


  4. 3 hours ago, grayskull said:

    Arthur, to prevent this from happening again, the installer should check what processor the device has.

    The issue was already reported to QA before this topic was posted, and I'm sure that it will be resolved as soon as possible.

    Of course we also need to give those who have already run into this issue a way to repair their computers without needing to reinstall Windows or hire a tech to do it for them. ;)


  5. 3 hours ago, grayskull said:

    What @Elise could do for this is to not add detection for the whole folder and only detect the known malicious files dropped by the PUP inside it

    The problem is that those malicious executables can change (there are often multiple versions of the same PUP, just like there is with any software) and detection rules have to be updated for every version of the files. Since they tend to use the same folder, and no other legitimate software does, the folder name is traditionally considered the proper way to detect it (not only by us but by other companies as well).


  6. Windows has a fairly decent firewall these days, but if you really want something else, then you can look into pfSense. If you have an old computer with a 64-bit processor and at least two network ports, you can download their Community Edition and use it to turn that old computer into an enterprise-class firewall.


  7. 2 hours ago, opqzhelpmeplease said:

    i need help to decrypt .opqz files too please!

     

    This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  8. 12 hours ago, Sameet Patil said:

    No key for New Variant online ID: 1d8aXwoL13uOjbQmTNgTp7FRccPEuiNb9WjBbvlE
    Notice: this ID appears to be an online ID, decryption is impossible

    This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  9. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  10. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  11. 5 hours ago, Audrish said:

    Should I wait for the decryptor to release?

    No new decrypter will be released. If law enforcement is some day able to catch the criminals, or at least gain access to their database server and release their private keys, then we will be able to add them to the database used by our decrypter.

     

    4 hours ago, Audrish said:

    Thanks a lot, I'm re-installing Windows ASAP.

    Normally I would say that's not necessary with this particular ransomware, however your computer was very infected (with a lot more than just ransomware) so I think that's probably a good idea here. Just be sure that you don't use pirated copies of Windows, and definitely don't use KMS/KMSPico since it is known to install the STOP/Djvu ransomware at least occasionally.


  12. @Van it's definitely Megalocker. ID Ransomware can't identify it because the encrypted files have no file marker, so it requires a ransom note for identification.

    The ID in your ransom note doesn't match any we have keys for, so we won't be able to decrypt your files. We were never able to obtain any more keys for Megalocker, so anything newer than our original decrypter release we can't decrypt.

    Be sure to reset your NAS back to its default configuration (you may also want to flash the firmware to be on the safe side and then reset it again), and then reconfigure it. Make sure that no ports are forwarded to the NAS from your router, make sure that UPnP is disabled in your router (it is not safe), and make sure that there is no guest account configured on your NAS (if one exists then it should be possible to disable it).


  13. The only one I was able to add was the Word document, so you should be able to decrypt those now at least. Most of the rest of the files were too small for me to add, and the JPG image wasn't a valid file pair (the file sizes didn't match).

    I'll ask the developer who made the decrypter if he can do anything with the files that are too small, but it would still be best if you could find other file pairs with a larger file size.


  14. 18 hours ago, Van said:

    Hi Emsisoft, in the attached file you will find an encrypted and the unencrypted version of a picture, from my WD NAS, which has been infected by MegaLocker.

    I'm on a Mac computer, so I believe that it was done through Samba, on the 13th of March 2019.

    I don't know if it will help, but I really want to get my family pictures back, and maybe I should send the same content to Western Digital to see if they can help?

    Maybe I should also share it with BleepingComputer? I don't mind spending $250 to get those pictures back, but as you recommend, I won't until I think there is some kind of hope…

    If it's Megalocker then our decrypter only works on older versions of this ransomware, as we only have keys for earlier variants of it. I've asked our malware analysts for confirmation that it's Megalocker, since ID Ransomware isn't able to identify it.


  15. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  16. 23 hours ago, Blessing said:

    No key for New Variant offline ID: PUYef3QgyNaY7l8zzvWo4yIuFfw9blf3NZjYd3t1
    Notice: this ID appears be an offline ID, decryption MAY be possible in the future

    This is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant.

    There is more information at the following link:
    https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

     

    21 hours ago, Audrish said:

    I removed the virus using SpyHunter 5. Thank you. But is there any way I can get my files back?

    Your ID is an online ID, so currently there is no way to decrypt your files.


  17. 22 hours ago, Blessing said:

    But i discovered that I can still open the encrypted files.

    That will work with some files. The ransomware only encrypted a small portion of the beginning of each file, and some file formats are tolerant of corruption of parts of the file, and thus you can still open them with only a portion of the data being missing or corrupt.

    It's important to note that a lot of common file formats will completely break when the beginning of the file is corrupted, damaged, or encrypted. This is why this only works with some types of files.
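As an added illustration of the two points made in this thread (the decrypter needs an original/encrypted file pair of matching size, and the ransomware only overwrites the beginning of each file, which is why some formats still open), here is a small Python triage check. It is example code, not Emsisoft's decrypter or anything from this forum; the magic-byte table is a short constructed subset, the sample files are constructed, and the XOR used to build the "encrypted" sample is a stand-in, not the real cipher.

```python
# Added example (not Emsisoft's code): triage an original/encrypted file pair.
# Reports whether the pair is usable (sizes match), how many leading bytes were
# altered, and whether the format's magic bytes survived the encryption.
# MAGIC is a constructed subset of common file signatures, used for illustration.
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip/docx": b"PK\x03\x04",
}

def identify_format(data: bytes):
    """Return the name of the first signature that matches the start of data, else None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None

def altered_span(original: bytes, encrypted: bytes):
    """(first, end) offsets of the differing region, or None if the files are identical."""
    diffs = [i for i, (a, b) in enumerate(zip(original, encrypted)) if a != b]
    return (diffs[0], diffs[-1] + 1) if diffs else None

def analyze_pair(original: bytes, encrypted: bytes) -> dict:
    """Summarise a file pair the way a decrypter file-pair check would."""
    size_match = len(original) == len(encrypted)
    span = altered_span(original, encrypted) if size_match else None
    fmt = identify_format(original)
    altered = (span[1] - span[0]) if span else 0
    return {
        "size_match": size_match,                     # unusable pair if False
        "original_format": fmt,
        # The header is intact only if the original's signature is still present.
        "header_intact": fmt is not None and encrypted.startswith(MAGIC[fmt]),
        "altered_bytes": altered,
        "altered_fraction": round(altered / len(original), 3) if original else 0.0,
    }

# Constructed sample: a fake 4100-byte "JPEG" whose first 1024 bytes were
# overwritten (XOR 0x5A stands in for the real cipher; every byte changes).
SAMPLE_ORIGINAL = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 16
SAMPLE_ENCRYPTED = bytes(b ^ 0x5A for b in SAMPLE_ORIGINAL[:1024]) + SAMPLE_ORIGINAL[1024:]

if __name__ == "__main__":
    print(analyze_pair(SAMPLE_ORIGINAL, SAMPLE_ENCRYPTED))
    print(analyze_pair(SAMPLE_ORIGINAL, SAMPLE_ENCRYPTED[:-10]))  # mismatched sizes
```

A pair that reports a small altered fraction but `header_intact` False is exactly the case described above: most of the data is still there, but formats that depend on their header will refuse to open.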