GT500

Emsisoft Employee

Everything posted by GT500

  1. It looks like AMD processors based on Zen 2 also have this feature. However, I have read accounts of measurable performance reductions with Hyper-V turned on (not HVCI, since Win 10 2004 wasn't out yet). That could be due to differences in AMD's implementation, or perhaps even just issues with the version of AGESA that came with the BIOS on the motherboards of those reporting the performance issues (AMD CPU performance can vary from one version of AGESA to the next). Anyway, I'll see if I can reproduce this CPU usage issue on Win 10 1909 using iperf to simulate a gigabit download from my router. I'll be testing it on an AMD Ryzen 7 3800X rather than an Intel, though.
  2. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  3. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  4. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  5. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  6. I'm not aware of any cases of files being stolen with the STOP/Djvu ransomware, however it's still entirely possible for them to alter tactics and do something like that. Several ransomware families that have been targeting businesses have already started stealing data for use as blackmail/extortion. Of course, there's always the possibility that the computer was infected by other things as well, increasing the likelihood of data theft. Absolutely. The STOP/Djvu ransomware uses the Azorult trojan to steal passwords, so change any passwords you use.
  7. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  8. This is a newer variant of STOP/Djvu. Since your ID is an online ID there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  9. Unfortunately that's the case with the majority of ransomware infections these days. Just in case this infection was due to RDP (Remote Desktop) compromise, I'll paste some steps below for getting started trying to prevent future intrusions.

     First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

     If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

     Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions). I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

     When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc.) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
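The port audit and password advice in the post above, turned into a small script. This is an added example, not code from GT500 or Emsisoft: it audits a constructed list of perimeter port-forward rules (the `Rule` shape, the `SAMPLE_RULES` entries and the port-to-service tables are assumptions for illustration) and flags RDP/SMB rules that should sit behind a VPN instead of a direct port rule, VPN ports left open to any source, and any other globally open port for review. The second function generates a 25-character password that is guaranteed to contain all four character classes the post asks for.

```python
"""Audit inbound perimeter firewall rules and generate strong passwords.

Added example (not the forum post's or Emsisoft's code). Rule format and
sample rules are constructed for illustration.
"""
import secrets
import string
from dataclasses import dataclass
from ipaddress import ip_network

# Services the post says should only be reachable over a VPN (assumed table).
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB/Windows Networking", 139: "NetBIOS"}
# Common VPN listener ports (assumed table); these may be open, but not to everyone.
VPN_PORTS = {1194: "OpenVPN", 51820: "WireGuard", 500: "IKE", 4500: "IPsec NAT-T"}


@dataclass(frozen=True)
class Rule:
    """One inbound rule on the perimeter firewall (hypothetical shape)."""
    name: str
    port: int
    source: str   # CIDR allowed to reach the port, e.g. "203.0.113.10/32" or "0.0.0.0/0"
    action: str   # "allow" or "deny"


def is_global(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. the rule is open to the whole Internet."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit(rules):
    """Return (rule name, severity, message) for every rule that needs attention."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue                      # deny rules are never an exposure
        glob = is_global(r.source)
        if r.port in SENSITIVE_PORTS:
            svc = SENSITIVE_PORTS[r.port]
            if glob:
                findings.append((r.name, "critical", f"{svc} open to any source; close it and require VPN"))
            else:
                findings.append((r.name, "high", f"{svc} forwarded directly; publish it only via VPN"))
        elif r.port in VPN_PORTS and glob:
            findings.append((r.name, "medium",
                             f"{VPN_PORTS[r.port]} open to any source; restrict to client IPs or use SPA/port knocking"))
        elif glob:
            findings.append((r.name, "low", f"port {r.port} open to any source; confirm it must stay open"))
    return findings


# Constructed sample rule set (not from any real firewall).
SAMPLE_RULES = [
    Rule("Allow RDP", 3389, "0.0.0.0/0", "allow"),
    Rule("SMB for branch office", 445, "198.51.100.0/24", "allow"),
    Rule("OpenVPN admin", 1194, "203.0.113.10/32", "allow"),
    Rule("WireGuard anyone", 51820, "0.0.0.0/0", "allow"),
    Rule("Public HTTPS", 443, "0.0.0.0/0", "allow"),
    Rule("Block telnet", 23, "0.0.0.0/0", "deny"),
]


def audit_sample():
    """Run the audit over the constructed rule set."""
    return audit(SAMPLE_RULES)


def generate_password(length: int = 25) -> str:
    """Random password with at least one upper, lower, digit and symbol (CSPRNG)."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
    if length < len(classes):
        raise ValueError("length must allow one character from each class")
    chars = [secrets.choice(c) for c in classes]                # guarantee each class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)                      # hide the class positions
    return "".join(chars)


if __name__ == "__main__":
    for name, severity, msg in audit_sample():
        print(f"[{severity:8}] {name}: {msg}")
    print("example password:", generate_password())
```

The "SMB for branch office" rule is flagged even though its source is a single /24, because the post's recommendation is that RDP and Windows Networking are never published directly; the branch office should reach them through the VPN. A deny rule and a VPN port limited to one known client produce no findings.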
  10. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  11. OK, we do not have the private key for .rote's offline ID. I assume this is the key you're talking about? https://pastebin.com/eF3vEZLc
  12. That usually means it can't find any encrypted files. Try checking a single file, and see if it starts faster.
  13. It's normal for this ransomware to come from piracy websites. Pirated downloads are actually the only known distribution method for the STOP/Djvu ransomware.
  14. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  15. You need to upload file pairs via our online submission form so that the decrypter can be "trained" how to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ @Amigo-A has a list of places you can find file pairs in his second post if you need some suggestions of where to look for original unencrypted copies of files.
  16. Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future. We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters: https://www.bleepingcomputer.com/ If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news: https://www.bleepingcomputer.com/feed/
  17. This is a rare bug that we're currently looking into.
  18. I haven't been given any more information, so if it does contain a fix for this BSoD then that information wasn't forwarded to me.
  19. When you enable Hyper-V on Windows 10, it virtualizes the host OS, essentially turning it into a VM running in Hyper-V. This has the effect of hurting performance in many applications. I'm fairly certain that having HVCI enabled also virtualizes the OS, or at least part of it in an attempt to add extra security. I've received your logs, and will forward them to QA.
  20. When another victim who also has this same offline ID pays the ransom and sends us the decrypter they receive from the criminals so that we can extract the private key from it.
  21. We already have a decrypter for the STOP/Djvu ransomware. What it needs to decrypt your files is the private key for your ID, which only the criminals have. Yes, we highly recommend making a backup of your encrypted files and keeping it in a safe place. We make an Anti-Virus called Emsisoft Anti-Malware that has good ransomware protection: https://www.emsisoft.com/en/software/antimalware/
  22. We can add private keys to our database. Newer variants of STOP/Djvu use RSA keys. Isn't that the offline ID for .zobm? We already have the private key for that offline ID. Is our decrypter not able to decrypt your files? If not, then what does it say when it fails to decrypt?
  23. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  24. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/