Emsisoft Employee
  • Content Count

  • Joined

  • Days Won


Posts posted by GT500

  1. On 10/29/2020 at 12:03 AM, NiThR0 said:

    Often this problem occurs when PC being offline some days, last time about 7 days. And after PC is on when EAM is loading it might hang with high chances.

    That's almost certainly due to the update running during startup, as it would have to update more of the database after 7 days offline than it would after only one night. You may be able to cancel the update when this is likely to happen, and then run it later after everything has finished loading.

  2. 10 hours ago, Arik said:

    have ever any law enforcement got them?

    Some of the criminals who have made/distributed ransomware have been arrested. To my knowledge, no one associated with the STOP ransomware has ever been arrested though.


    10 hours ago, Arik said:

    this guy is from L.A

    No, he's not located in the United States. If he was and it was that easy to track him down, then he'd have been in jail over a year ago.


    10 hours ago, Arik said:

    he hacked my facebook too.

    Sometime in early 2019 the Azorult password stealer was added to the STOP ransomware, so when the ransomware runs on your computer it will attempt to steal any saved passwords on your computer and send them back to the criminals who made/distributed the ransomware. Be sure to change all of your passwords.

  3. 16 hours ago, Andrej said:

    Is there any risk that virus can come back?

    Only if you run whatever pirated software the ransomware came from to begin with. It's also possible to reinfect the system by downloading/running new pirated software, so we recommend avoiding piracy for the safety of your computer and files.

  4. 7 hours ago, Andrej said:

    I cleaned computer with malware software. It found as much as possible harmfull files and programs. Is it now safe to use computer and share files?

    It should be. Most Anti-Virus software can easily detect and remove the STOP ransomware. If you want a second opinion, then you can try using Emsisoft Emergency Kit to run a scan and quarantine anything it finds:

  5. 7 hours ago, Andrej said:

    When will key be possible to decrypted?

    If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back.


    7 hours ago, Andrej said:

    How will I be informed if there will be any solutions?

    We recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters:

    If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news:

    You can also follow the STOP ransomware support thread on the BleepingComputer forums:

  6. 23 hours ago, long said:

    ...  meaning that the quarantine area rescan function is used for the quarantine procedure for the traditional Anti-Virus engine to report viruses?

    Actually meaning that the re-scan feature isn't going to show any difference in detection for threats quarantined by the Behavior Blocker.


    23 hours ago, long said:

    The ones isolated by Behavior Blocker only need to be whitelisted by the analyst and then manually restored by the user?

    That's correct.

  7. 53 minutes ago, long said:

    I am a Chinese user, yesterday at 0:17 (Beijing time), behavior monitoring misreported v2rayN.exe of v2rayN agent software, I made a false alarm submission via quarantine false alarm button, and at 0:20 replied me with an email: this file has been whitelisted and will be updated online in the next 15 minutes.
    But until now, after several updates, the quarantine false alarm file is still not detected by the update, and my manual rescan of the quarantine file still says that the quarantine is not a false alarm.

    Emsisoft Anti-Malware contains two separate guards that detect threats running on your computer. One is the File Guard which is a traditional Anti-Virus using two engines and databases (our own and the one from BitDefender), and the other is the Behavior Blocker which detects things based entirely on behavior (if something exhibits any sort of behavior that could potentially be malicious and it isn't a known safe application then it gets quarantined).

    Your screenshot shows that this was quarantined by the Behavior Blocker, and thus the quarantine re-scan will not show any change in its detection (the re-scan only uses the on-demand Anti-Virus scanner and changes to the Behavior Blocker's whitelist won't be reflected in the re-scan). Just restore it from quarantine, and if our malware analysts whitelisted it then it shouldn't be detected again.


    57 minutes ago, long said:

    There is another false alarm: Panda.exe from the Panda Proxy software. I also received a false alarm via the Quarantine False Alarm button and was sent a reply to the email, but after several updates, the quarantine false alarm file is still not detected by the update and my manual rescan of the quarantine file still says that the quarantine is not a false alarm.

    This was also detected by the Behavior Blocker.

  8. 11 hours ago, GOGAEU said:

    The public key used for encryption is this one: 6N5r9nDQfSRh5JQhBBCw1kMaQbcnOKtXUu6LD4Wk

    That's not a public key, it's an ID. It's used as a form of identification, so that when you pay the ransom the criminals know what private key to send you.

    As for the ransomware, it's a newer variant of STOP/Djvu and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:

  9. 12 hours ago, Ujjwal Pratap singh said:

    Sir I am waiting for decrypt my files . Does you get the id if not then how much should I wait please email me  ***********

    Please don't post your e-mail address publicly, or ask other to contact you privately. Scammers and other criminals will take any opportunity they can to try to trick you into sending them money or personal information.

    As for you files, assuming they were encrypted by the STOP/Djvu ransomware, please see the information at the following link:

  10. 23 hours ago, Anku said:

    Those virus have online ID, and that means it's impossible to recovery my files.

    Correct. It means the public key your files were encrypted with was randomly generated, so the private key to decrypt your files will be unique, and since only the criminals who made/distributed the ransomware have the private keys there's no way we'll be able to decrypt your files.

  11. 6 hours ago, victorh said:

    We have been infected with ransomware and would appreciate any help.
    Files are completely renamed, see below for example.
    [[email protected]].1Kjl9LDj-pBtpAC4a.SNTG
    [[email protected]].1jvX1Qaa-zeLcJ0dv.SNTG
    [[email protected]].1AdtWzPV-IivcBY9w.SNTG

    That fits the extension format for the Matrix ransomware, which isn't decryptable without paying the ransom.

  12. 18 hours ago, ASHKAN said:

    Someone suggested this method to me.  what is your opinion?

    Don't trust random videos, instructions, or offers for help that you find online. Most of them aren't real, or will only help in very specific cases. If you're expected to pay for file recovery, then it's a scam (especially if they guarantee recovery), as no one except the criminals has access to the private keys needed to decrypt your files.

    • Thanks 1