GT500
Emsisoft Employee
  • Content Count: 12835
  • Days Won: 386

Everything posted by GT500

  1. Hold down the Windows logo key on your keyboard (usually between the Ctrl and Alt keys) and tap the R key to open the Run dialog. Copy and paste %ProgramData%\Emsisoft\Logs into the Run dialog, and then click OK. The debug logs are in the folder that will open. Just ZIP them (you can use RAR or 7z/LZMA if you prefer) and attach them to a private message to me.
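The log-collection step in the post above, done from PowerShell instead of the Run dialog. This is an added example, not GT500's or Emsisoft's script; the only thing it takes from the post is the %ProgramData%\Emsisoft\Logs folder. The one-day cutoff, the output path on the Desktop and the parameter names are this example's own choices.

```powershell
# Added example (not from the post): collect Emsisoft debug logs written in the
# last N days into one ZIP for attaching to a support message.
# Assumes the default log folder %ProgramData%\Emsisoft\Logs named in the post;
# the cutoff and the output path are this script's own choices.
param(
    [int]$Days = 1,
    [string]$Destination = (Join-Path $env:USERPROFILE ("Desktop\emsisoft-debug-logs-{0}.zip" -f (Get-Date -Format 'yyyyMMdd-HHmm')))
)

$logDir = Join-Path $env:ProgramData 'Emsisoft\Logs'
if (-not (Test-Path -LiteralPath $logDir)) {
    throw "Log folder not found: $logDir"
}

# Only pack recent files: a support mailbox will not accept an unbounded archive.
$cutoff = (Get-Date).AddDays(-$Days)
$recent = @(Get-ChildItem -LiteralPath $logDir -File -Recurse |
    Where-Object { $_.LastWriteTime -ge $cutoff })

if ($recent.Count -eq 0) {
    Write-Warning "No log files modified since $cutoff in $logDir. Is debug logging enabled?"
    return
}

$totalMB = [math]::Round(($recent | Measure-Object -Property Length -Sum).Sum / 1MB, 1)
Write-Host ("Packing {0} file(s), {1} MB, modified since {2}" -f $recent.Count, $totalMB, $cutoff)

# -Force overwrites an archive of the same name from an earlier run.
Compress-Archive -LiteralPath $recent.FullName -DestinationPath $Destination -CompressionLevel Optimal -Force

Get-Item -LiteralPath $Destination |
    Select-Object FullName, @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB, 1) } }
```

Run it as `.\collect-emsisoft-logs.ps1 -Days 2` to widen the window. A log file that the Emsisoft service still holds open can fail to compress; if that happens, the in-application "Send an email" dialog is the alternative.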
  2. I think it can run alongside EAM, however not many people attempt to use both. I usually tell people to add exclusions if there are compatibility issues.
  3. The quality of those feature updates tends to vary. For instance, 1803 was fairly stable, while 1809 was quite possibly Microsoft's buggiest update for Windows 10.
  4. I'll ask QA if they are aware of any reasons why this may be happening.
  5. This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  6. The ransomware probably started encrypting with offline credentials due to an error connecting to its command and control servers, and then later started using online credentials once it was able to connect and retrieve them. Files with the offline ID (the one that ends in t1) should be decryptable once someone donates the private key to us. I recommend running the decrypter once every week or two so that you can see once we've added the private key for this offline ID. Files with online IDs are not decryptable. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  7. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  8. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  9. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  10. Ransomware attacks that succeed against companies rely on means that security software usually can not protect against, such as Remote Desktop (RDP) compromise and (as you correctly stated) social engineering. We've added some RDP attack warnings to our "Cloud Console" accessible via MyEmsisoft and a function to disable RDP on affected workstations on-demand as well, which will help corporate clients using Emsisoft Business Security who connect it to a workspace in MyEmsisoft. Social engineering is another matter entirely, since if you can convince a victim to disable their security software then your malware can do whatever it wants. As for the effectiveness or compatibility of Check Point's Anti-Ransomware, I really don't know much about it.
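An added example of the two RDP measures the post above describes, auditing failed Remote Desktop logons on a workstation and disabling RDP when they pile up. It is not Emsisoft's Cloud Console code and uses no Emsisoft API: it reads the Windows Security event log (Event ID 4625 with logon type 10 is a failed Remote Desktop logon), sets the fDenyTSConnections registry value and disables the built-in "Remote Desktop" firewall rule group. The 24-hour window and the threshold of 20 failures are this example's own assumptions, and it has to run from an elevated PowerShell to read the Security log.

```powershell
# Added example (not Emsisoft's code): count failed RDP logons on this host
# and, above a threshold, disable inbound RDP. Requires an elevated session.
# Event ID 4625 + LogonType 10 (RemoteInteractive) = failed Remote Desktop logon.
# The lookback window and threshold are this script's own assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$Hours = 24,
    [int]$Threshold = 20
)

$since = (Get-Date).AddHours(-$Hours)

# FilterHashtable narrows by log, ID and time using the event log index; the
# LogonType lives in EventData, so it is read from each event's XML, which
# also works on older PowerShell versions that cannot filter on named data.
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $data['TargetUserName']
                Source = $data['IpAddress']
                Status = $data['Status']     # e.g. 0xC000006A = wrong password
            }
        }
    })

Write-Host ("{0} failed RDP logon(s) on {1} in the last {2}h" -f $failed.Count, $env:COMPUTERNAME, $Hours)
$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'SourceIP'; Expression = { $_.Name } } | Format-Table -AutoSize

if ($failed.Count -ge $Threshold) {
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable inbound Remote Desktop')) {
        # fDenyTSConnections=1 is the "Don't allow remote connections" setting in
        # System Properties; disabling the firewall rule group closes 3389 as well,
        # so a later re-enable of the setting alone does not reopen the port.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1 -Type DWord
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        Write-Warning "RDP disabled on $env:COMPUTERNAME. Re-enable with fDenyTSConnections=0 and Enable-NetFirewallRule -DisplayGroup 'Remote Desktop' once the source is dealt with."
    }
}
```

Run it with `-WhatIf` first to see the count and the top source addresses without changing anything. The `'Remote Desktop'` display group name is localized on non-English Windows, so check `Get-NetFirewallRule -DisplayGroup '*'` on such systems before relying on it. Failed logons that never reach Windows authentication (for example, attempts blocked at the network level) do not appear in this log.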
  11. That also negates my theory, which was the files being moved/deleted before the Behavior Blocker could read their digital signatures. We're going to need debug logs for this so that we can hopefully see what's going on. Here's how to get them:
      • Open Emsisoft Anti-Malware.
      • Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle).
      • Click Advanced in the menu at the top.
      • Scroll to the bottom of the Advanced section, and change the option for Debug logging to Enabled for 1 day.
      • After that, close the Emsisoft Anti-Malware window.
      • Reproduce the issue you are having (wait for the Behavior Blocker notification about setup.exe in the TEMP folder).
      • Once you have reproduced the issue, open Emsisoft Anti-Malware again.
      • Click on the little icon in the lower-left (right above the question mark) that looks like little chat bubbles.
      • Click on the button that says Send an email.
      • Select the logs on the right that show today's dates (if you try to send too many logs, then we may not receive them).
      • Fill in the e-mail contact form with your name, your e-mail address, and a description of what the logs are for (if possible please leave a link to the topic on the forums that the logs are related to in your message).
      • If you have any screenshots or another file that you need to send with the logs, then you can click the Attach file button at the bottom (only one file can be attached at a time).
      • Click on Send now at the bottom once you are ready to send the logs.
      Important: Please be sure to turn debug logging back off after sending us the logs. There are some negative effects to having debug logging turned on, such as reduced performance and wasting hard drive space, and it is not recommended to leave debug logging turned on for a long period of time unless it is necessary to collect debug logs.
  12. If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back. Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future. We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters: https://www.bleepingcomputer.com/ If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news: https://www.bleepingcomputer.com/feed/
  13. Unfortunately that's not going to be possible. There are just too many victims, and it wouldn't be physically possible to notify even 10% of them reliably. I recommend filing a report with the national law enforcement for the country you reside in. If you reside in the United States of America, then use the FBI's Internet Crime Complaint Center to file your report. If you reside in a country where the national law enforcement isn't listed on NoMoreRansom.org or where they don't investigate ransomware incidents, then feel free to report this crime to your local law enforcement.
  14. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  15. There's been no new news in regards to decryption.
  16. This is a newer variant of STOP/Djvu. If your ID really is an offline ID, then note that we don't yet have the private key for this variant's offline ID. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  17. FYI: You can find the version number by opening Emsisoft Business Security and clicking About in the lower-right.
  18. Do you know what version of Emsisoft Business Security is installed on the system? Also, from the screenshot it appears to be Windows 10. Is that correct? Is it 32-bit or 64-bit?
  19. My apologies. It was just me making a bad assumption. From your screenshot it looks like the folders aren't being deleted from the TEMP folder. Are the files EAM keeps flagging still in them as well?
  20. We believe this issue is fixed in the latest beta: https://blog.emsisoft.com/en/36723/emsisoft-anti-malware-2020-8-beta/ Here's how to install it:
      • Open Emsisoft Anti-Malware.
      • Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle).
      • Click on Updates in the menu at the top.
      • On the left, in the Updates section, look for Update feed.
      • Click on the box to the right of where it says Update feed, and select Beta from the list.
      • Right-click on the little Emsisoft icon in the lower-right corner of the screen (to the left of the clock).
      • Select Update now from the list.
  21. Newer variants of the STOP/Djvu ransomware use RSA keys, which are impervious to most forms of attack. Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future. We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters: https://www.bleepingcomputer.com/ If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news: https://www.bleepingcomputer.com/feed/
  22. If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back.
  23. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  24. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/